A 5130 switch is configured to do 802.1X and Mac-authentication on all ports.
One of these ports is connected to an unmanaged switch (HP 1410).
Behind the unmanaged switch, one laptop and one printer are connected:
- Laptop is doing 802.1X with certificates
- Printer is doing MAC authentication
Current config of the 5130 switch:
Global:
- dot1x authentication-method eap
- mac-authentication domain system
- port-security enable
- port-security mac-move permit
Per Port:
- undo enable snmp trap updown
- port link-type hybrid
- port hybrid vlan 1 untagged
- mac-vlan enable
- poe enable
- undo dot1x handshake
- undo dot1x multicast-trigger
- dot1x critical vlan 2
- dot1x re-authenticate server-unreachable keep-online
- mac-authentication re-authenticate server-unreachable keep-online
- mac-authentication guest-vlan 3
- mac-authentication guest-vlan auth-period 300
- mac-authentication critical vlan 2
- port-security port-mode userlogin-secure-or-mac-ext
- loopback-detection action shutdown
When I move these clients and connect them directly to the 5130 switch mac-move is NOT triggered.
Important: the unmanaged switch is not disconnected from the 5130!
HPE advises enabling "mac-vlan trigger" on each port:
- http://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c03734767
This seems to work great for 802.1X clients, but not at all for MAC-Authenticated clients.
802.1X client (laptop), with mac-vlan trigger enabled:
- Client connects to port
- Client reauthenticates
- Switch logs off the old session and deletes the old MAC-table entry on the old port
- Switch creates a new session and a new MAC-table entry on the new port
MAC-authenticated client (printer):
- Client connects to port
- Switch waits for the MAC address to time out and for offline detection (15 min.) to kick in, then logs off the current session and removes the MAC-table entry of the old port
- With mac-vlan trigger enabled:
  - Switch learns the MAC address and creates a MAC-table entry instead of doing RADIUS reauthentication
- With mac-vlan trigger disabled:
  - Switch triggers RADIUS reauthentication
  - Switch creates a new session and a new MAC-table entry
So my issue:
I need mac-move for both authentication methods to work.
- Direct move to another port
- Re-authentication at all times