Clearing dot1x authentication sessions after device change

SMD28316
Level 1

I have the following configuration,  Gig1/0/2 is for a PC and ip phone connection:

interface GigabitEthernet1/0/2
 device-tracking attach-policy IPDT_RULE
 dot1x pae authenticator
 switchport mode access
 switchport voice vlan 134
 mab
 access-session host-mode multi-domain
 access-session closed
 access-session port-control auto
 service-policy type control subscriber DOT1X_MAB_POL
 spanning-tree portfast
!
policy-map type control subscriber DOT1X_MAB_POL
 event session-started match-first
  50 class always do-until-failure
   10 authenticate using dot1x priority 10
   30 set-timer TIMER_MAB_START 5
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 authenticate using dot1x priority 10
 event authentication-failure match-first
  30 class always do-until-failure
   50 authentication-restart 60
 event timer-expiry match-first
  10 class CLASS_TIMER_MAB_START do-until-failure
   10 authenticate using mab retries 2 retry-time 3 priority 20
   20 set-timer TIM_DOT1X_STOP 10
  20 class CLASS_TIM_DOT1X_STOP do-until-failure
   10 terminate dot1x
 event violation match-all
  10 class always do-until-failure
   10 restrict
!

The authentication works perfectly (MAB for the IP Phone and Dot1X for the PC). However, when I change the connected PC to another one on the interface gig1/0/2, shouldn't the authentication session be cleared for the removed device? When only the computer is removed, the authentication session is still present on the interface,

meaning that computer A can be connected to the phone and authenticated, but in a few minutes computer A can leave and computer B joins that same interface. The IP Phone remains working as expected, but computer B is never authenticated; we always see the session from computer A.

Is there a way to change this behavior?

3 Replies

marce1000
Hall of Fame

 - Have a try by adding the global configuration command: authentication mac-move permit. Although it denotes another behavior initially, it may be beneficial for your issue too.

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

You need CDP enhancement; this makes the IP phone tell the switch that the connected PC has been removed.

Greg Gibbs
Cisco Employee

This behaviour is discussed in more detail in the IP Telephony for 802.1X Design Guide.

Cisco phones use the CDP Enhancement for Second Port Disconnect. Some other phone vendors support a feature like Proxy EAPoL-Logoff, but you'll need to confirm what capabilities your IP Phone vendor supports.

Without the ability of the phone to tell the switch that the PC has disconnected, the switch can only rely on functions like the inactivity timer to flush stale sessions.
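As an added illustration of the inactivity-timer fallback described above (this is example configuration, not the original poster's config or anything from the replies), the same interface with an IBNS 2.0 aging timer, followed by the commands used to verify and, while testing, manually clear a stale DATA-domain session. The 60 second value is an assumed starting point, and the MAC address in the clear command is a placeholder.

```cisco
! Added example, not from the thread. Fallback for a phone that cannot signal
! the PC's disconnect: age out a silent session. Timer value is assumed.
interface GigabitEthernet1/0/2
 device-tracking attach-policy IPDT_RULE
 dot1x pae authenticator
 switchport mode access
 switchport voice vlan 134
 mab
 access-session host-mode multi-domain
 access-session closed
 access-session port-control auto
 ! Remove a session whose MAC has been silent for 60 s. The "probe" keyword
 ! makes the switch ARP-probe the host first, so an idle but still-connected
 ! PC is not dropped; it relies on the device-tracking policy attached above.
 subscriber aging inactivity-timer 60 probe
 service-policy type control subscriber DOT1X_MAB_POL
 spanning-tree portfast
!
! Verification: both the VOICE and DATA domains should be listed. After the PC
! is unplugged, the DATA session should disappear once the timer expires.
show access-session interface GigabitEthernet1/0/2 details
!
! Manual clearing while testing. Clearing by MAC removes only the stale PC
! session (placeholder MAC); clearing by interface drops the phone's too.
clear access-session mac 0011.2233.4455
clear access-session interface GigabitEthernet1/0/2
```

The timer only shortens how long computer A's stale session survives; it does not replace the phone-side signalling (CDP Enhancement for Second Port Disconnect or Proxy EAPoL-Logoff) that lets the switch learn about the disconnect immediately.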