802.1X issues on Cisco switch when connected to VoIP phone passthrough or unmanaged switch

jonatan.sitter
Level 1

Hi there,

I've been dealing with a really weird issue lately.
We have a Cisco Catalyst 3850P-S running 03.06.08 and authenticating via dot1x on Aruba Clearpass.
Almost all of our workstations are connected through the VoIP phones to reduce the needed switch ports.
Recently I've noticed that a device connected and authenticated in this scenario stays "visible" on the switch port even if it's unplugged from the phone. The same happens with an unmanaged / dumb switch connected.

The port configuration looks like this:

switchport access vlan 10
switchport mode access
switchport voice vlan 50
authentication control-direction in
authentication event fail action next-method
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x timeout tx-period 2
spanning-tree portfast
spanning-tree bpduguard enable

Example:
I'm working at my desk, my laptop connected via ethernet through my phone. Now I need to go to a meeting and take my laptop with me. When trying to connect my laptop in the meeting room via ethernet, my device only gets a 169.254.x.x IP address and my MAC address isn't visible on the new switch port. When looking for it using show mac address-table | inc MAC, I still see the address on the switch port my VoIP phone on my desk is connected to.

I know that it is a really weird issue and I hope that I explained it somewhat comprehensibly.
My question is if it's a Cisco, VoIP phone or Clearpass issue.

Thanks in advance!

1 Accepted Solution


jonatan.sitter
Level 1

I figured it out.

There is a global command "mac-move permit" which solved the described issue for me.
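
The situation in this thread, as an added example that is not part of the original posts or any vendor tooling: a Python check over saved running-config text that lists 802.1X ports with a voice VLAN or multi-auth host mode when the global mac-move permit line is missing. It assumes the full command is `authentication mac-move permit` (the post gives it as "mac-move permit"); the interface names and the sample config are constructed.

```python
import re

# Constructed sample: part of the port block from the post plus an uplink.
# Interface names are assumptions made for this example.
SAMPLE_CONFIG = """\
!
interface GigabitEthernet1/0/1
 switchport access vlan 10
 switchport voice vlan 50
 authentication host-mode multi-auth
 authentication port-control auto
 mab
!
interface GigabitEthernet1/0/48
 switchport mode trunk
!
"""

# Assumed full form of the global command the accepted answer refers to.
MAC_MOVE = re.compile(r"^authentication mac-move permit\s*$", re.M)

def interface_blocks(config):
    """Yield (name, [sub-commands]) for each 'interface' stanza."""
    name, body = None, []
    for line in config.splitlines():
        if line.startswith("interface "):
            if name:
                yield name, body
            name, body = line.split(None, 1)[1], []
        elif name and line.startswith(" "):
            body.append(line.strip())
        elif name:  # '!' or any other top-level line closes the stanza
            yield name, body
            name, body = None, []
    if name:
        yield name, body

def ports_needing_mac_move(config):
    """802.1X ports where a host can sit behind a phone or unmanaged switch
    (no link-down when it unplugs) while mac-move permit is not configured."""
    if MAC_MOVE.search(config):
        return []
    hits = []
    for name, body in interface_blocks(config):
        auto = "authentication port-control auto" in body
        voice = any(cmd.startswith("switchport voice vlan") for cmd in body)
        multi = "authentication host-mode multi-auth" in body
        if auto and (voice or multi):
            hits.append(name)
    return hits
```

With mac-move permitted, a MAC address that already has a session on one port is allowed to authenticate again on another port of the same switch instead of being refused as a duplicate, so review the listed ports before enabling it globally.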


2 Replies

aukhadiev
Level 1

Hi,
I also faced this issue; in my case it's a VoIP phone issue...
The phone has its own switch in it and is holding the MAC until reboot...
