I have a problem with an OOB deployment I am currently working on: when I move an authenticated OOB client from one switch to another, it remains stuck in the auth VLAN. It seems that NAC doesn't detect the new port correctly.
This is what I did to replicate the issue, in detail:
1) A computer is connected to port 'a' on switch 'A' (A[a]). The port is automatically changed to auth VLAN and authentication and posture assessment are performed.
2) The computer passes both, and the port is changed back to the designated Access VLAN. OOB user appears in the Online Users list, and the computer is added to the Discovered (Wired) Clients list. All the detailed information on both pages is correct.
3) The computer is disconnected. OOB user is removed from the Online Users list, but the computer remains in the Discovered Clients list.
4) The computer is connected to port 'b' on switch 'B' (B[b]). It is automatically changed to auth VLAN and authentication and posture assessment passes successfully one more time. However, the information in the Discovered Clients list is not updated and, moreover, OOB user appears once again in the Online Users list - but the specified location is port A[a]!
The end result is taht the computer remains stuck in the Auth VLAN and NAC Agent Authentication dialogue keeps popping out.
I tried the reverse scenario (port B[b] to port A[a]) after manually clearing all user and client information, and the result was pretty much the same...
These two commands would enable mac-move:
mac-address-table notification mac-move
snmp-server enable traps mac-notification change move