12-11-2014 07:20 AM - edited 03-10-2019 10:16 PM
Hello,
I read that SNMPTraps should not be sent to ISE when using the RADIUS probe, because it will only trigger a duplicate SNMPQuery. If so, how do you support a use case whereby a device can successfully deauthorize from a switch port and authorize on another port? Is it one of the following, to the exclusion of the others?
1. authentication mac-move permit
2. IP device tracking
3. mac address-table notification change, mac address-table notification mac-move, snmp-server trap (global config) and snmp trap mac-notification (interface config)
I understand that for a device behind a non-Cisco IP phone, CDP or LLDP or EAPOL Proxy logoff will inform the switch.
Thanks
12-16-2014 12:01 AM
Hi,
When using dot1x authentication behind a phone, some vendors support EAPOL Proxy logoff and the session will be terminated. When using MAB you need to work with idle timeout for the appropriate VLAN.
12-16-2014 02:45 AM
Hi,
Thanks for responding. However, my question was not about MAB or dot1x behind a phone. I had already mentioned EAPOL proxy logoff.
What I really wanted to know was about a dot1x device authorised on a switch port and then moved to another port. Do you have to add the global command authentication mac-move permit to support this, or is IP device tracking enough, so that there is no port security violation?
Thanks
12-16-2014 03:15 AM
mac-move permit is the solution.
12-16-2014 08:25 AM
Ok. Thanks