I read that SNMPTraps should not be sent to ISE when using the RADIUS probe, because it will only trigger a duplicate SNMPQuery. If so, how do you support a use case whereby a device can successfully deauthorize from a switch port and authorize on another port? Is it one of the following, to the exclusion of the others?
1. authentication mac-move permit
2. IP device tracking
3. mac address-table notification change, mac address-table notification mac-move, snmp-server trap (global config) and snmp trap mac-notification (interface config)
I understand that for a device behind a non-Cisco IP phone, CDP or LLDP or EAPOL Proxy logoff will inform the switch.
When using dot1x authentication behind a phone, some vendors support EAPOL Proxy logoff and the session will be terminated. When using MAB you need to work with idle timeout for the appropriate VLAN.
Thanks for responding. However, my question was not about MAB or dot1x behind a phone. I had already mentioned EAPOL proxy logoff.
What I really wanted to know was about a dot1x device authorised on a switch port and then moved to another port. Do you have to add the global command authentication mac-move permit to support this, or is IP device tracking enough, so that there is no port security violation?