802.1X Authentication issues when moving between switch ports

Grant McBride
Level 1

Hi Guys,

We are having some issues at our office where, when users move from one switch to another, the 802.1X authentication does not want to take place. The PC just gets an APIPA address. Now I have read about features like MAC Move and MAC Replace, but they seem to be used when moving from one port on a switch to another port on that same switch. Will MAC move help for issues between switches? And should I focus my attention on the switch's configuration or have a look at the NPS server that might be blocking that authentication as the user is already authenticated?

The configuration we have on the switch ports looks as follows:

authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
dot1x pae authenticator

Your help is greatly appreciated.

Grant

nspasov
Cisco Employee

Grant-

authentication mac-move permit

Only affects ports/sessions on that switch:

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/12-2_52_se/command/reference/3750cr/cli1.html#wp12015821

Can you:

- Post your Radius and entire switchport config

- Tell us the model of the switch and the version of code that is running

- The type of Radius server that you are using

- Provide output from 

debug radius authentication


Thank you for rating helpful posts!

Hi Neno,


Thanks for the reply. We are using NPS on a Server 2008 R2 virtual machine. The switches are stacked 2960S-48FPS-L running 15.0(2)SE. I will quickly do the debugs and get back to you.

Here is the config:

aaa group server radius customer-nps
 server name radius1
 server name radius2
!
aaa authentication dot1x default group radius
!
dot1x system-auth-control
!
radius server radius1
 address ipv4 172.28.130.52 auth-port 1645 acct-port 1646
 key 7 05392415365959251C283630083D2F0B3B2E22253A
!
radius server radius2
 address ipv4 172.28.131.52 auth-port 1645 acct-port 1646
 key 7 107C2B031202052709290B092719181432190D000C
!

interface GigabitEthernet1/0/1
 switchport access vlan 300
 switchport mode access
 switchport voice vlan 2
 srr-queue bandwidth share 1 30 35 5
 queue-set 2
 priority-queue out
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication periodic
 authentication timer reauthenticate 28800
 authentication timer inactivity 1800
 mab
 no snmp trap link-status
 mls qos trust cos
 dot1x pae authenticator
 auto qos trust cos
 storm-control broadcast level 1.00
 storm-control multicast level 1.00
 spanning-tree portfast
 spanning-tree bpdufilter enable
!

I have configured the "authentication violation replace" command on all the switches and now I no longer get an authentication issue. It seems the switch put the port into an err-disabled state for some reason. I assume it's because it already has an authentication session for another MAC on that port or because it sees your MAC is authenticated on another port.

 %PM-4-ERR_DISABLE_VP: security-violation error detected on Gi1/0/46, vlan 300.  Putting in err-disable state.
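As an added example that is not part of this thread or any Cisco tool: a small Python audit that parses IOS interface stanzas like the ones posted above, flags authenticator ports with no explicit "authentication violation" line (so they are still on the default action, which is what err-disabled the port here), and parses the %PM-4-ERR_DISABLE_VP message so the cause can be matched to a port before deciding on "authentication violation replace". The sample config and syslog line are constructed, not taken from a real switch.

```python
import re

# Constructed sample modelled on the port stanzas in this thread (not a real device dump).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 authentication host-mode multi-domain
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/2
 authentication host-mode multi-domain
 authentication port-control auto
 authentication violation replace
 mab
 dot1x pae authenticator
!
"""
# Constructed syslog line in the same format as the one quoted in the thread.
SAMPLE_SYSLOG = ("%PM-4-ERR_DISABLE_VP: security-violation error detected on "
                 "Gi1/0/46, vlan 300.  Putting in err-disable state.")
ERRDISABLE_RE = re.compile(r"%PM-4-ERR_DISABLE_VP: (?P<cause>[\w-]+) error detected "
                           r"on (?P<port>\S+), vlan (?P<vlan>\d+)")


def parse_interfaces(config):
    """Return {interface name: [config lines]} from an IOS running-config."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            stanzas[current] = []
        elif line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())
        else:
            current = None  # '!' or a global line ends the stanza
    return stanzas


def ports_with_default_violation_action(config):
    """Authenticator ports with no explicit 'authentication violation' line, i.e.
    still on the default action that err-disables the port when a second MAC shows up."""
    return [name for name, lines in parse_interfaces(config).items()
            if "dot1x pae authenticator" in lines
            and not any(l.startswith("authentication violation") for l in lines)]


def parse_errdisable(line):
    """Extract cause, port and VLAN from a %PM-4-ERR_DISABLE_VP message, or None."""
    m = ERRDISABLE_RE.search(line)
    return m.groupdict() if m else None
```

Run it against the output of "show running-config" and your syslog feed; a port that appears in both lists is the one to fix and then recover from err-disable.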


Good job on finding out a solution to your problem and thank you for taking the time to come back here and post the solution (+5 from me). 

Real quick, I suspect that if you changed your port to authentication host-mode multi-host then the issue would probably go away. Then you can change the security to authentication violation restrict.

Nonetheless, your solution is also valid! So if your issue is resolved, please mark the thread as "answered" :)
