Occasional Contributor II
Posts: 18
Registered: ‎04-27-2016

Can you move 802.1x authenticated device to another port and get network access?

Can you move a device recently authenticated using 802.1x to another port and get network access? I tested moving my laptop to another port within minutes of authenticating and I can't get on the network. The switch port does not shut down but the network card reads unplugged. I tried rebooting, same results. The network card reads "attempting to authenticate" but fails.

There is nothing in ClearPass (Access Tracker) to view.

What should be the behavior when this is performed and is this possible?

Guru Elite
Posts: 8,053
Registered: ‎09-08-2010

Re: Can you move 802.1x authenticated device to another port and get network access?

Yes, your device should reauthenticate. This is likely a switch configuration issue.

What type of switch?

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Occasional Contributor II
Posts: 18
Registered: ‎04-27-2016

Re: Can you move 802.1x authenticated device to another port and get network access?

Cisco Catalyst 4510
MVP
Posts: 4,124
Registered: ‎07-20-2011

Re: Can you move 802.1x authenticated device to another port and get network access?

Is 802.1x enabled on the other port?

Sent from Outlook for iPhone
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor II
Posts: 18
Registered: ‎04-27-2016

Re: Can you move 802.1x authenticated device to another port and get network access?

Yes it is enabled. Here is the config on the port...

interface GigabitEthernet7/28
 switchport access vlan 1560
 switchport mode access
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout server-timeout 7
 dot1x timeout tx-period 5
 dot1x timeout supp-timeout 5
 dot1x max-req 3
 dot1x max-reauth-req 5
 spanning-tree portfast
end

MVP
Posts: 4,124
Registered: ‎07-20-2011

Re: Can you move 802.1x authenticated device to another port and get network access?

Are you using an IP Phone or trying to connect a laptop behind an IP Phone by any chance?
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Aruba
Posts: 1,536
Registered: ‎06-12-2012

Re: Can you move 802.1x authenticated device to another port and get network access?

If I remember right, some of the firmwares require you to enable MAC move or disable the restriction.

Thank you,
Troy Arnold
Sorry for any typos sent from my mobile
Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
Occasional Contributor II
Posts: 18
Registered: ‎04-27-2016

Re: Can you move 802.1x authenticated device to another port and get network access?

Yes. My laptop works in tandem with an IP phone with no problems. When I move the laptop to its own port, I can't get access.
Aruba
Posts: 1,536
Registered: ‎06-12-2012

Re: Can you move 802.1x authenticated device to another port and get network access?

In the CLI, see if the following is allowed:

 authentication mac-move permit

Also enable the radius debug so you can see the auth in real time and see if the switch is throwing an error.

Thank You,
Troy
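
The check suggested in the post above, as an added example that is not part of the original thread or of any Cisco or Aruba tooling: a Python audit of a saved running-config that reports whether the global `authentication mac-move permit` line is present and which ports run 802.1X. The sample config is constructed (the first port follows the stanza posted earlier; the second interface and the function name `audit_mac_move` are assumptions).

```python
import re

# Constructed sample: Gi7/28 follows the stanza posted in the thread; Gi7/29
# and the absence of a global mac-move line are assumptions for illustration.
SAMPLE_CONFIG = """\
dot1x system-auth-control
!
interface GigabitEthernet7/28
 switchport mode access
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet7/29
 switchport mode access
!
"""

def audit_mac_move(config):
    """Return the global MAC-move setting and the 802.1X state of each port."""
    permit, ports, current = False, {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue  # blank line or stanza separator
        if not line.startswith(" "):  # top-level command ends any interface stanza
            m = re.match(r"interface (\S+)$", line)
            current = m.group(1) if m else None
            if current:
                ports[current] = {"dot1x": False, "mab": False, "host_mode": None}
            elif line == "authentication mac-move permit":
                permit = True  # a "no ..." form does not match this exact line
            continue
        if current is None:
            continue  # indented line outside an interface stanza
        cmd = line.split()
        if cmd == ["authentication", "port-control", "auto"]:
            ports[current]["dot1x"] = True
        elif cmd[0] == "mab":
            ports[current]["mab"] = True
        elif cmd[:2] == ["authentication", "host-mode"]:
            ports[current]["host_mode"] = cmd[-1]
    secured = sorted(p for p, s in ports.items() if s["dot1x"])
    return {"mac_move_permit": permit, "secured_ports": secured, "ports": ports}

if __name__ == "__main__":
    print(audit_mac_move(SAMPLE_CONFIG))
```

If `mac_move_permit` is false and both the old and the new port appear in `secured_ports`, the global setting is the first thing to check before looking at ClearPass.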

MVP
Posts: 4,124
Registered: ‎07-20-2011

Re: Can you move 802.1x authenticated device to another port and get network access?

Can you try changing just that port to authentication host-mode multi-domain?
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA