
Cisco ISE MAC Move and host movement

grabonlee
Level 4

Hello,

I read that SNMPTraps should not be sent to ISE when using the RADIUS probe, because it will only trigger a duplicate SNMPQuery. If so, how do you support a use case whereby a device can successfully deauthorize from a switch port and authorize on another port? Is it one of the following, to the exclusion of the others?

1. authentication mac-move permit

2. IP device tracking

3. mac address-table notification change, mac address-table notification mac-move, snmp-server trap (global config) and snmp trap mac-notification (interface config)

 

I understand that for a device behind a non-Cisco IP phone, CDP or LLDP or EAPOL Proxy logoff will inform the switch.

Thanks

1 Accepted Solution

mac-move permit is the solution.


4 Replies

hdussa
Level 1

Hi,

When using dot1x authentication behind a phone, some vendors support EAPOL Proxy logoff and the session will be terminated. When using MAB you need to work with idle timeout for the appropriate VLAN.

Hi,

Thanks for responding. However, my question was not about MAB or dot1x behind a phone. I had already mentioned EAPOL proxy logoff.

What I really wanted to know was about a dot1x device authorised on a switch port and then moved to another port. Do you have to add the global command authentication mac-move permit to support this, or is IP device tracking enough, so that there is no port security violation?

Thanks

mac-move permit is the solution.

Ok. Thanks
