Networking > Switching and Routing > Comware Based

5130 mac-authentication not detecting a device moving
09-19-2016 08:54 AM
I'm experiencing a curious mac-auth issue, which I think is a bug, but I wondered if I'd missed a command. We're using hybrid ports to assign VLANs to MAC addresses, so we can have multiple devices on different VLANs through the same port. This is necessary because in many locations we're using mini-switches like the NJ5000 to provide additional connections.
Everything works just fine until a device that was plugged into a daisychained switch (be it an NJ5000 or a phone) is moved to another port on the same switch or IRF.
At this point, because the original port doesn't go down, mac-authentication doesn't detect that the device has moved. It is never authenticated on the new port. When the re-auth period comes around, the switch continues to authenticate the device on the old port it's no longer connected to. The MAC address continues to be listed as attached to the original port, even though it's been moved.
I have raised a support ticket for this, as I think it's a bug... but let me know your thoughts.
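As an added example (not code from the thread or from HPE), the following script cross-checks a Comware switch's MAC-auth session table against its MAC address table to surface exactly the symptom described above: a session still bound to the old port while the MAC is now learned on a different port in the onboarding VLAN. The two command outputs embedded in the block are constructed approximations of `display mac-address` and `display mac-authentication connection` on Comware 7; the exact column layout and field names on a given release may differ, so the parsers key on the MAC and interface tokens rather than on fixed positions. The `onboarding_vlan` argument is an assumed site-specific value.

```python
"""Audit Comware MAC-auth sessions against the MAC address table.

Added example, not code from the thread or from HPE. Symptom being hunted:
a device moved behind an unmanaged switch keeps its MAC-auth session on the
OLD port while the MAC table now learns it on the NEW port (onboarding VLAN).
Sample outputs below are CONSTRUCTED approximations of Comware 7 output;
real column layouts and field names may differ.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Comware writes MACs as xxxx-xxxx-xxxx. It abbreviates interface names in
# the MAC table (GE1/0/5) but spells them out in the connection table
# (GigabitEthernet1/0/5), so both are normalised to the long form.
MAC_RE = re.compile(r"\b([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\b", re.I)
IFACE_RE = re.compile(
    r"\b(Ten-GigabitEthernet|GigabitEthernet|Bridge-Aggregation|XGE|GE|BAGG)"
    r"(\d+(?:/\d+)*)\b")
_LONG = {"GE": "GigabitEthernet", "XGE": "Ten-GigabitEthernet",
         "BAGG": "Bridge-Aggregation"}


def norm_iface(text: str) -> Optional[str]:
    m = IFACE_RE.search(text)
    return _LONG.get(m.group(1), m.group(1)) + m.group(2) if m else None


@dataclass(frozen=True)
class Learned:
    mac: str
    vlan: int
    port: str


@dataclass(frozen=True)
class Session:
    mac: str
    port: Optional[str]
    auth_vlan: Optional[int]


def parse_mac_table(text: str) -> Dict[str, Learned]:
    """Rows of `display mac-address`: MAC, VLAN ID, State, Port, Aging."""
    learned: Dict[str, Learned] = {}
    for line in text.splitlines():
        m, port = MAC_RE.search(line), norm_iface(line)
        if not (m and port):
            continue                      # header, blank or summary line
        fields = line.split()
        vlan = int(fields[fields.index(m.group(1)) + 1])   # column after MAC
        mac = m.group(1).lower()
        learned[mac] = Learned(mac, vlan, port)
    return learned


def parse_connections(text: str) -> Dict[str, Session]:
    """Per-user 'Key: value' blocks of `display mac-authentication connection`;
    a new block starts at each 'User MAC address' line."""
    sessions: Dict[str, Session] = {}
    cur: dict = {}

    def flush() -> None:
        if cur.get("mac"):
            sessions[cur["mac"]] = Session(cur["mac"], cur.get("port"), cur.get("vlan"))

    for line in text.splitlines():
        key, sep, val = line.partition(":")
        if not sep:
            continue
        key, val = key.strip().lower(), val.strip()
        if key == "user mac address":
            flush()
            cur = {"mac": val.lower()}
        elif key == "access interface":
            cur["port"] = norm_iface(val)
        elif key == "authorization vlan":
            cur["vlan"] = int(val) if val.isdigit() else None
    flush()
    return sessions


def audit(mac_table_text: str, connection_text: str, onboarding_vlan: int) -> dict:
    """moved: session bound to one port, MAC now learned on another (the bug);
    gone: session with no MAC-table entry (device left, or offline-detect has
    not fired yet); unauthenticated: MAC sitting in the onboarding VLAN with
    no session at all."""
    learned = parse_mac_table(mac_table_text)
    sessions = parse_connections(connection_text)
    findings: Dict[str, List] = {"moved": [], "gone": [], "unauthenticated": []}
    for mac, s in sessions.items():
        entry = learned.get(mac)
        if entry is None:
            findings["gone"].append(mac)
        elif entry.port != s.port:
            findings["moved"].append((mac, s.port, entry.port, entry.vlan))
    for mac, e in learned.items():
        if mac not in sessions and e.vlan == onboarding_vlan:
            findings["unauthenticated"].append((mac, e.port))
    return findings


# CONSTRUCTED sample output: 0a02 was authenticated on GE1/0/5 (behind a
# mini-switch) and has since moved to GE1/0/7, where it sits in VLAN 10.
SAMPLE_MAC_TABLE = """\
MAC Address      VLAN ID    State            Port/Nickname            Aging
0050-5600-0a01   100        Learned          GE1/0/5                  Y
0050-5600-0a02   10         Learned          GE1/0/7                  Y
0050-5600-0a03   10         Learned          GE1/0/8                  Y
"""
SAMPLE_CONNECTIONS = """\
Total connections: 3
User MAC address: 0050-5600-0a01
Access interface: GigabitEthernet1/0/5
User access state: Successful
Authorization VLAN: 100
User MAC address: 0050-5600-0a02
Access interface: GigabitEthernet1/0/5
User access state: Successful
Authorization VLAN: 100
User MAC address: 0050-5600-0a04
Access interface: GigabitEthernet1/0/9
User access state: Successful
Authorization VLAN: 100
"""

if __name__ == "__main__":
    for kind, items in audit(SAMPLE_MAC_TABLE, SAMPLE_CONNECTIONS, onboarding_vlan=10).items():
        print(kind, items)
```

Feed it the two outputs collected over SSH; a non-empty `moved` list is the stale-session condition from the post, and an entry that survives a re-auth period is a candidate for `port-security mac-move permit` or a manual session clear. `gone` entries can be benign until the offline-detect timer expires, so only alert on them if they persist.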
04-25-2017 07:05 AM
Same problem here with an HPE 1950, which is more or less the same switch without a CLI interface. Clients are not re-authenticated if they move from a daisy-chained switch behind the mac-authentication-enabled port to another port on an HPE 1950. It only works when the port of the HPE 1950 goes down when the client moves, but this does not happen in that case. Seems to be a Comware issue, because a ProCurve or Aruba 2910 works in this setup.
Any news regarding this case?
04-25-2017 08:12 AM
After a lot of chasing, this has been a lot of work... it's been labelled as a "driver issue" which has been closed as a case and passed through as a feature request. Personally that has irritated me because if a switch doesn't work as per the documentation that's a bug and should be treated as such.
My simplistic understanding of the behaviour is the mac-table appears to live partially within the vlan. So if the mac address appears on another port, it's initially in our onboarding vlan and therefore the switch seems completely blind to it. Certainly the system drivers don't detect the mac flap and trigger anything to do with the mac-auth.
It continues to be a significant headache for us with issues caused on a weekly, if not daily basis.
I've just chased this up with our HP rep to see where we're at but nothing back from development as yet.
04-26-2017 02:34 AM
Hi Legoman,
and thank you for the quick reply. In my humble opinion it's also clearly a bug: the switch doesn't work as expected. It makes no difference if there are more switches behind a port; a moving MAC should trigger re-authentication or should simply be passed on to the new port.
For the ProCurve series there is a special option for this:
Allowing addresses to move without re-authentication
Syntax: [no] aaa port-access mac-based [e] <port-list> [addr-moves]
Allows client moves between the specified ports under MAC authenticated control. When enabled, the switch allows addresses to move without requiring a re-authentication. When disabled, the switch does not allow moves and when one occurs, the user will be forced to re-authenticate. At least two ports (from ports and to ports) must be specified. Use the no form of the command to disable MAC address moves between ports under MAC authenticated control.
Default: Disabled – no moves allowed
Even without this option the ProCurve switch does a re-authentication and the MAC is validated, as it should be.
You could go further to the edge, as the NJ5000 should also have this feature, but your administered zoo would continue to grow...
05-02-2017 05:57 AM
One question: did you try to enable the mac-move option?
Enabling MAC move
MAC move allows 802.1X or MAC authenticated users to move between ports on a device. For example, if an authenticated 802.1X user moves to another 802.1X-enabled port on the device, the authentication session is deleted from the first port. The user is reauthenticated on the new port. If MAC move is disabled and an 802.1X authenticated user moves to another port, the user is not reauthenticated. An online user cannot move between ports on a device when the number of concurrent logins using the local username reaches the limit set by using the access-limit command. As a best practice, enable MAC move for wireless users that roam between ports to access the network.
To enable MAC move:
1. Enter system view: system-view
2. Enable MAC move: port-security mac-move permit (by default, MAC move is disabled)
I guess there is no similar option on the HPE 1950 :-(...
05-02-2017 06:18 AM
Yes, tried that. In fact that excerpt from the documentation was the basis of my argument when Level-4 tried to tell me it was working as designed.
mac-move permit didn't actually do anything at all as far as I can tell. With the situation of a device moving from an intermediate switch mac-auth simply doesn't work but 802.1X always does, even though it shouldn't without mac-move permit.
05-02-2017 07:42 AM
OK, I'm going to open a case for my two HPE 1950s regarding this issue; maybe this starts to hot things up a little bit...
So long!
05-04-2017 05:50 AM - edited 05-04-2017 05:56 AM
Hi it's me again,
HPE Support told me to enable "port-security mac-move permit", which is undocumented and on the HPE 1950 only available in xtd-cli-mode. First tests were successful: a user MAC is re-authenticated when it moves to a new port, and at the same time the switch logs that the MAC authentication user was logged off, even when the port doesn't go down, e.g. when an additional switch is between the port and the user. So I guess in my case, i.e. for the 1950 series, it does the trick; it's somewhat odd that it doesn't work on your 5130...
Greetings from Germany!
05-10-2017 07:56 AM
That's very interesting... I believe the 1950 is based on Comware 5 whereas the 5130 is Comware 7. That further underlines it being an OS driver issue. I might have to do some tests with a Comware 5 device and see if it works. Just asked our HP tech contact to chase this up with the developers, see if we can get any progress.
I won't hold my breath ;)
05-12-2017 06:48 AM - edited 05-16-2017 06:45 AM
CLI says my software image is 1950-cmw710-boot-r3113p05, so it should also be a Comware 7 OS....