Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Can you move 802.1x authenticated device to another port and get network access?

  • 1.  Can you move 802.1x authenticated device to another port and get network access?

    Posted Apr 27, 2016 07:41 PM

    Can you move a device recently authenticated using 802.1x to another port and get network access? I tested moving my laptop to another port within minutes of authenticating and I can't get on the network. The switch port does not shut down but the network card reads unplugged. I tried rebooting, same results.  The network card reads "attempting to authenticate" but fails.

    There is nothing in ClearPass (Access Tracker) to view.

     What should be the behavior when this is performed and is this possible?



  • 2.  RE: Can you move 802.1x authenticated device to another port and get network access?

    EMPLOYEE
    Posted Apr 27, 2016 08:10 PM
    Yes, your device should reauthenticate. This is likely a switch configuration issue.



    What type of switch?


  • 3.  RE: Can you move 802.1x authenticated device to another port and get network access?

    Posted Apr 27, 2016 08:19 PM
    Cisco Catalyst 4510


  • 4.  RE: Can you move 802.1x authenticated device to another port and get network access?

    Posted Apr 27, 2016 08:59 PM
    Is 802.1x enabled on the other port?


  • 5.  RE: Can you move 802.1x authenticated device to another port and get network access?

    Posted Apr 28, 2016 01:23 PM

    Yes it is enabled. Here is the config on the port...

    interface GigabitEthernet7/28
     switchport access vlan 1560
     switchport mode access
     authentication host-mode multi-auth
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     mab
     dot1x pae authenticator
     dot1x timeout server-timeout 7
     dot1x timeout tx-period 5
     dot1x timeout supp-timeout 5
     dot1x max-req 3
     dot1x max-reauth-req 5
     spanning-tree portfast
    end



  • 6.  RE: Can you move 802.1x authenticated device to another port and get network access?

    Posted Apr 28, 2016 02:20 PM
    Are you using an IP Phone or trying to connect a laptop behind an IP Phone by any chance?


  • 7.  RE: Can you move 802.1x authenticated device to another port and get network access?

    EMPLOYEE
    Posted Apr 28, 2016 03:15 PM
    If I remember right, some of the firmwares require you to enable MAC move or disable the restriction.



    Thank you,
    Troy Arnold
    Sorry for any typos sent from my mobile


  • 8.  RE: Can you move 802.1x authenticated device to another port and get network access?

    Posted Apr 29, 2016 03:49 PM

    The "authentication mac-move permit" command on the switch resolved the problem! Thanks for your help!



  • 9.  RE: Can you move 802.1x authenticated device to another port and get network access?

    Posted Apr 28, 2016 03:31 PM
    Yes. My laptop works in tandem with an IP phone with no problems. When I move the laptop to its own port, I can't get access.


  • 10.  RE: Can you move 802.1x authenticated device to another port and get network access?

    Posted Apr 28, 2016 03:36 PM
    Can you try changing just that port to authentication host-mode multi-domain?


  • 11.  RE: Can you move 802.1x authenticated device to another port and get network access?
    Best Answer

    EMPLOYEE
    Posted Apr 28, 2016 03:36 PM

    In the CLI, see if the following is allowed:

    authentication mac-move permit

    Also enable the RADIUS debug so you can see the auth in real time and see if the switch is throwing an error.



  • 12.  RE: Can you move 802.1x authenticated device to another port and get network access?

    Posted Apr 29, 2016 03:48 PM

    The "authentication mac-move permit" command on the switch resolved the problem! Thanks for your help!