I have a problem with an OOB deployment I am currently working on: when I move an authenticated OOB client from one switch to another, it remains stuck in the auth VLAN. It seems that NAC doesn't detect the new port correctly.
This is what I did to replicate the issue, in detail:
1) A computer is connected to port 'a' on switch 'A' (A[a]). The port is automatically changed to auth VLAN and authentication and posture assessment are performed.
2) The computer passes both, and the port is changed back to the designated Access VLAN. OOB user appears in the Online Users list, and the computer is added to the Discovered (Wired) Clients list. All the detailed information on both pages is correct.
3) The computer is disconnected. OOB user is removed from the Online Users list, but the computer remains in the Discovered Clients list.
4) The computer is connected to port 'b' on switch 'B' (B[b]). It is automatically changed to auth VLAN, and authentication and posture assessment pass successfully one more time. However, the information in the Discovered Clients list is not updated and, moreover, OOB user appears once again in the Online Users list - but the specified location is port A[a]!
The end result is that the computer remains stuck in the Auth VLAN and the NAC Agent Authentication dialogue keeps popping up.
I tried the reverse scenario (port B[b] to port A[a]) after manually clearing all user and client information, and the result was pretty much the same...
The switches I'm working with are:
Switch A: WS-C2960-48TC-L
SW Image: C2960-LANBASEK9-M, Version 12.2(52)SE
Switch B: WS-C3560-48TS
SW Image: C3560-IPSERVICESK9-M, Version 12.2(53)SE
There is also switch C (another 3560, not sure about the image) where NAC appliances are connected.
Furthermore, there is a redundant NAS server at a different location, connected to switch B through another path (however, the active server at the time of this test was the one connected to switch C).
All the switches are connected with GE trunks (just a single link, no EtherChannels), in the following order:
A <-> B <-> C
Both Access and Auth VLANs, and a third VLAN (for NAM-NAS-switches communication) are all terminated on switch B.
I understand there is some information missing - if you think it would be useful, I can provide a more detailed diagram...
The configuration includes the following lines (on both switches I used for access):
snmp-server community *** RW
snmp-server community *** RO
! Vlan2 is the management subnet
snmp-server trap-source Vlan2
! 10.0.0.101 is the NAM IP address
snmp-server location 10.0.0.101
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification change move threshold
snmp-server host 10.0.0.101 version 2c cisco mac-notification snmp
Also, NAC added the following line on monitored interfaces:
snmp trap mac-notification change added
Is this all that is required to send MAC-change and MAC-move traps?
I captured SNMP traps with a 'tcpdump' on the NAM and I can confirm it receives traps from both switches, with correct source IP addresses. I will try to look into a "raw" dump to see the exact traps it received...
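The following script is an added example, not code from this thread or from Cisco NAC; it shows one way to inspect the raw MAC-notification traps mentioned above and to check whether the traps from switches A and B actually describe the client's MAC leaving one port and appearing on another. It assumes the trap varbind bytes have already been extracted from the SNMP PDU, and it assumes the cmnHistMacChangedMsg layout from CISCO-MAC-NOTIFICATION-MIB as I understand it (11-byte entries: operation, VLAN, MAC, dot1dBasePort); the switch addresses, VLAN id and MAC addresses in the sample are constructed placeholders.

```python
"""Decode Cisco MAC-notification trap payloads and flag MAC moves across switches.

Added example, not code from the thread. Assumptions (labelled): the payload
layout follows cmnHistMacChangedMsg from CISCO-MAC-NOTIFICATION-MIB as I
understand it, a sequence of 11-byte entries:
  byte 0      operation (0 = no-op, 1 = added, 2 = removed)
  bytes 1-2   VLAN id (big-endian)
  bytes 3-8   MAC address
  bytes 9-10  dot1dBasePort of the port the MAC was learned/aged on
The varbind bytes are assumed to be already extracted from the SNMP PDU
(e.g. from a tcpdump/tshark dump); full BER/SNMP parsing is out of scope.
All switch addresses, VLAN ids and MACs below are constructed sample values.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

ENTRY_LEN = 11
ENTRY_FMT = "!BH6sH"  # op, vlan, mac, port
OPS = {0: "noop", 1: "added", 2: "removed"}


@dataclass
class MacEvent:
    switch: str  # trap source address (the switch that sent the trap)
    op: str
    vlan: int
    mac: str
    port: int


def decode_mac_changed_msg(switch: str, payload: bytes) -> List[MacEvent]:
    """Split one cmnHistMacChangedMsg value into MacEvent records."""
    if len(payload) % ENTRY_LEN != 0:
        raise ValueError(f"payload length {len(payload)} is not a multiple of {ENTRY_LEN}")
    events = []
    for off in range(0, len(payload), ENTRY_LEN):
        op, vlan, mac, port = struct.unpack(ENTRY_FMT, payload[off:off + ENTRY_LEN])
        mac_str = ":".join(f"{b:02x}" for b in mac)
        events.append(MacEvent(switch, OPS.get(op, f"op{op}"), vlan, mac_str, port))
    return events


class MacLocationTracker:
    """Remember where each MAC was last 'added' and report when it shows up elsewhere.

    A 'removed' event keeps the old location on record so that the next
    'added' from another switch/port is classified as a move rather than a
    fresh appearance (mirroring what an OOB NAC server must do to relocate
    a client that unplugs from switch A and plugs into switch B).
    """

    def __init__(self) -> None:
        self.location: Dict[str, Tuple[str, int, int]] = {}  # mac -> (switch, port, vlan)

    def process(self, events: List[MacEvent]) -> List[str]:
        findings = []
        for ev in events:
            if ev.op != "added":
                continue
            prev = self.location.get(ev.mac)
            if prev is not None and (prev[0], prev[1]) != (ev.switch, ev.port):
                kind = "cross-switch move" if prev[0] != ev.switch else "same-switch move"
                findings.append(
                    f"{ev.mac}: {kind} from {prev[0]} port {prev[1]} "
                    f"to {ev.switch} port {ev.port} (vlan {ev.vlan})"
                )
            self.location[ev.mac] = (ev.switch, ev.port, ev.vlan)
        return findings


def build_entry(op: int, vlan: int, mac: str, port: int) -> bytes:
    """Pack one 11-byte entry; used only to construct sample trap payloads."""
    return struct.pack(ENTRY_FMT, op, vlan, bytes.fromhex(mac.replace(":", "")), port)


# Constructed sample: one client (MAC) seen on switch A, unplugged, then
# seen on switch B, then moved to another port of switch B.
SWITCH_A, SWITCH_B = "192.0.2.1", "192.0.2.2"   # placeholder trap sources
CLIENT = "00:11:22:33:44:55"                     # constructed client MAC
ACCESS_VLAN = 10                                 # placeholder access VLAN id

SAMPLE_TRAPS = [
    (SWITCH_A, build_entry(1, ACCESS_VLAN, CLIENT, 3)
             + build_entry(1, ACCESS_VLAN, "00:11:22:33:44:66", 4)),
    (SWITCH_A, build_entry(2, ACCESS_VLAN, CLIENT, 3)),
    (SWITCH_B, build_entry(1, ACCESS_VLAN, CLIENT, 7)),
    (SWITCH_B, build_entry(1, ACCESS_VLAN, CLIENT, 8)),
]


def run_sample() -> List[str]:
    """Feed the constructed traps through the tracker and return its findings."""
    tracker = MacLocationTracker()
    findings: List[str] = []
    for source, payload in SAMPLE_TRAPS:
        findings.extend(tracker.process(decode_mac_changed_msg(source, payload)))
    return findings


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

If the decoded traps from switch B never contain an "added" entry for the client's MAC (or the "removed" entry from switch A is missing), the NAC server has nothing to relocate the client with, which narrows the problem to the switch-side notification configuration rather than to the NAC server itself.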
Hello. I'm hitting the same problem.
The command "mac-address-table notification mac-move" works fine only when the user connects and disconnects from ports on the same switch. But it doesn't work if I disconnect from switch "A" and connect to switch "B".
Do you know any solution to this problem?