Re: NAC L3 OOB - Online Users not correct

paul.l.kyte · ‎04-23-2008

I'm testing a NAC 4.1.3 L3 OOB Real IP configuration and have come across an anomaly. Can someone help please.

I have configured two switches to be managed by NAC and have configured a role for Web Authentication and set all ports to be controlled.

When I connect a PC to switch 1 and authenticate all works well and the View Online Users displays the PC/role/Switch Port correctly.

I then disconnect the PC and patch it into the Switch 2. I then authenticate but instead of the port being moved to the correct VLAN it is left in the authentication VLAN and the Web Login cycles and asks me to log in again. Looking at the Online Users display it says I'm online on Switch 1 on the port I have disconnected from. This is INCORRECT!

Looking at switch 1, it has moved the port I was connected to the VLAN it should be after authentication. This should have been done to the port I'm now on at the Switch 2!

MAc notifications are used and Linkup/downs are enabled on the switches. They are not stacked. When disconnecting from the switches it correctly removes me from the online users. After authentication on the new switch it puts me back on the original switch where I was!!!!!!

This is most infuriating, it means the product is useless if I have users moving from one desk to another ending up on a different switch where they will no longer be able to work as they cannot get past authentication.

All help is gratefully received.

Thanks,

Paul Kyte

gojericho0 · ‎04-24-2008

Hi Paul,

Could you take a screen shot of your current port profiles for each switch? Switch Management ->Profiles -> Port Profiles

Do both these switches and hosts connected to them belong to the same network?

dosic · ‎04-30-2008

Hi, Paul

>>I then disconnect the PC and patch it into the Switch 2. I then authenticate but instead of the port being moved to the correct VLAN it is left in the authentication VLAN and the Web Login cycles and asks me to log in again. Looking at the Online Users display it says I'm online on Switch 1 on the port I have disconnected from. This is INCORRECT!

Have a look at the Switch Management ->Port Profiles and below "Options: Device Connected to Port" (the second one) "Change to .... if the device is certified" there should be Access VLAN option -make it active.

mmckalli · ‎05-01-2008

Paul,

I'm having the same issue. Have you resolved it yet? If so could you pass on the info.

Let me know.

Thanks,

MSM

paul.l.kyte · ‎06-03-2008

Hi there,

I overcame this problem by configuring the switches to notify me of a mac move.

I configured the following on ALL switches:

mac-address-table notification mac-move

Regards,

Paul

tj.mitchell · ‎06-03-2008

It's not working properly because the device still thinks your logged in but it getting the information from a different switch so it doesn't know what to do. I have run across this during testing and in production it worked fine because people are plugging from one switch to another with in seconds.

You will need to boot yourself off from the authenticated users, then you shouldn't have the problem.

HTH..

pls rate if this was helpful.

dosic · ‎06-03-2008

Paul,

I've understand your problem)) have the same one.

Try to run the following command on the switch: clear mac-add dynamic

This helps me.

And you can limir the mac-address aging time by the command

mac-address-table aging-time