Carlosperez16
Beginner

Connectivity problem using 802.1X Authentication when moving between switch ports - Cisco ISE

Hi Guys,

We are having some issues at our office. When users move from one port of the switch to a port of another switch, their MAC address stays on the previous port as STATIC, creating connectivity problems when the new connection is below the previous switch.

[Image: Diagrama MAC STATIC PROBLEM.jpg]

The switch learns the MAC address as static because we use authentication on the switch ports with Cisco ISE 2.7. As computers are connected through an IP phone when they move, the port does not turn off and the MAC address remains stuck in the previous port.

Do you guys have any idea how this problem can be solved?

Meanwhile we are using a Radius idle timeout of 5 seconds in the authorization profile in ISE. In this way, 5 seconds after the computer is disconnected, the session ends and the switch clears the MAC, but sometimes this configuration brings me problems of instability in the connectivity of the users and that is why I need to know if there is any other solution.

Below I share the configuration that we use on the switch ports.

 

authentication event fail action next-method
authentication event server dead action authorize
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation replace
mab
dot1x pae authenticator
dot1x timeout tx-period 3
spanning-tree portfast
spanning-tree bpduguard enable

Francesco Molino
VIP Mentor

Hi

What IP phone devices are you using?
You need to make sure the logoff message is sent out to the radius when a pc disconnects from the IP phone.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Our IP Phones are AVAYA.

How can I achieve that the logoff message is sent out to the radius when a pc disconnects from the IP phone?

 

Thanks

Marcelo Morais
Advocate

Hi @Carlosperez16 ,

beyond what @Francesco Molino said, try the following command:

authentication control-direction in

 

Hope this helps !!!

Arne Bier
VIP Advisor

Do you have device Tracking enabled?

e.g. some sample commands below. You apply the policy to the interfaces.

 

authentication mac-move permit
!
device-tracking policy IPDT_POLICY
 no protocol udp
 tracking enable

 

Hi Arne, 

 

Could you please tell me how I can use IP Device Tracking to solve this problem?

Below is the configuration I'm using on the switches; please tell me if something is missing.

 

GLOBALLY

authentication mac-move permit

aaa new-model
aaa group server radius dot1x_auth
server name EXAMPLE-ISE-1
server name EXAMPLE-ISE-2
aaa authentication dot1x default group dot1x_auth
aaa authorization network default group dot1x_auth
aaa accounting update newinfo
aaa accounting dot1x default start-stop group dot1x_auth
aaa server radius dynamic-author
client 192.168.4.58 server-key ExampleKey
client 192.168.4.59 server-key ExampleKey
aaa session-id common

dot1x system-auth-control
dot1x critical eapol

ip access-list extended ACL_Redirect
deny udp any eq bootpc any eq bootps
deny udp any any eq domain
deny ip any host 192.168.4.58
deny ip any host 192.168.4.59
permit tcp any any eq www
permit tcp any any eq 443
permit ip any any
deny ip any any

ip device tracking probe delay 10
ip device tracking

radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail
radius-server dead-criteria tries 2
radius-server key ExampleKey
radius-server vsa send authentication
radius-server vsa send accounting
radius server EXAMPLE-ISE-1
address ipv4 192.168.4.58 auth-port 1812 acct-port 1813
key ExampleKey
radius server EXAMPLE-ISE-2
address ipv4 192.168.4.59 auth-port 1812 acct-port 1813
key ExampleKey

 

ON THE INTERFACE

switchport access vlan 60
switchport mode access
switchport voice vlan 70
authentication event fail action next-method
authentication event server dead action authorize
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation replace
mab
dot1x pae authenticator
dot1x timeout tx-period 3
spanning-tree portfast

Do you have device tracking assigned on the interface?

 

Below is the global device-tracking definition (courtesy of DNAC) and how you would apply it to an interface:

 

device-tracking policy IPDT_MAX_10
 limit address-count 10
 no protocol udp
 tracking enable


interface gig x/x/x
  device-tracking attach-policy IPDT_MAX_10
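
As an added example (not code from this thread or from Cisco), a small Python audit that parses an IOS running-config and reports whether the settings the replies above point at are present: `authentication mac-move permit` globally, a `device-tracking policy` that is defined and attached on every port running dot1x/MAB, and `authentication control-direction in` on that port. The embedded config is a constructed, abridged excerpt modelled on the one posted earlier in the thread; the interface name is hypothetical.

```python
# Constructed, abridged excerpt in the shape of the config posted above;
# the interface name is hypothetical and IOS indentation is restored.
POSTED_CONFIG = """\
authentication mac-move permit
ip device tracking
interface GigabitEthernet1/0/1
 authentication host-mode multi-domain
 authentication port-control auto
 mab
 dot1x pae authenticator
"""

def parse_config(text):
    """Split an IOS config into global lines and per-interface lines."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # any non-indented line ends the interface block
            global_lines.append(line.strip())
    return global_lines, interfaces

def audit(text):
    """Return findings that explain why a MAC can stay stuck on a dot1x port."""
    global_lines, interfaces = parse_config(text)
    findings = []
    if "authentication mac-move permit" not in global_lines:
        findings.append("global: 'authentication mac-move permit' missing")
    policies = {l.split()[2] for l in global_lines if l.startswith("device-tracking policy ")}
    if not policies:
        findings.append("global: no 'device-tracking policy' defined")
    for name, lines in interfaces.items():
        if "dot1x pae authenticator" not in lines and "mab" not in lines:
            continue  # not an authenticated port, nothing to check
        attached = [l.split()[2] for l in lines if l.startswith("device-tracking attach-policy ")]
        if not attached:
            findings.append(f"{name}: no device-tracking policy attached")
        elif attached[0] not in policies:
            findings.append(f"{name}: attached policy '{attached[0]}' is not defined")
        if "authentication control-direction in" not in lines:
            findings.append(f"{name}: 'authentication control-direction in' not set")
    return findings
```

Run `audit()` on the output of `show running-config`; an empty list means all three settings are in place on every authenticated port.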

 

thomas
Cisco Employee

You want your phones to have the CDP 2nd Port disconnect option enabled. They will tell the switch when to release the MAC from the data VLAN when you use this. See Phone & Collaboration Authentication Capabilities for more details with different phone vendors.
