Comware Based
1748335 Members
3568 Online
108762 Solutions
New Discussion юеВ

Re: 5130 mac-authentication not detecting a device moving

 
SOLVED
Go to solution
_biv_
HPE Pro

Re: 5130 mac-authentication not detecting a device moving

Please try this:

<SW1>sys
System View: return to User View with Ctrl+Z. 
[SW1]port-security mac-move permit 
[SW1]display port-security

Port security parameters:    Port security          : Disabled    AutoLearn aging time   : 0 min    Disableport timeout    : 20 s    MAC move               : Permited ...[snip]...

I am an HPE Employee

Accept or Kudo

dannyvanderaa
Occasional Contributor

Re: 5130 mac-authentication not detecting a device moving

We have the same problem over here.

The port-security mac-move permit was already enabled, but don't help us.

dannyvanderaa
Occasional Contributor

Re: 5130 mac-authentication not detecting a device moving

legoman
Advisor

Re: 5130 mac-authentication not detecting a device moving

Yeah, the comware devs tried to suggest that as an option. It isn't a solution, but a workaround. It might be fine if you have a few vlans. We have hundreds. This doesn't scale... it also doesn't seem to work reliably either.

legoman
Advisor

Re: 5130 mac-authentication not detecting a device moving

Interesting this works on the 1950... Hadn't realised they were comware7.

We've had confirmation this is a problem with the 5130. It seems to be related to the comware system drivers talking to the ASIC in the 5130 specifically. It's with the devs, who haven't managed to give our rep any feedback on when this might be fixed.

So essentially we have a 5130 bug here, which doesn't behave as per the documentation. It's causing us reputational damage now, we're very unhappy about it.... but what can you do? We're hopeful of a fix for this bug soon.

legoman
Advisor
Solution

Re: 5130 mac-authentication not detecting a device moving

An old thread, but there's a conclusion!

The problem I had is something to do with the way the mac-auth works. Here's my primitive interpretation of what I think is happening (probably incorrect): When a mac address is authenticated it's placed within the vlan returned by radius. When this moves to a different port, it's then attempting to authenticate from a different vlan and that isn't possible... so nothing happens. 

This is one of the reasons why making all vlans available on a hybrid port would sort of make things work in some circumstances.

There's a new code version that we were given at the end of 2017, 3301P01, which has yet to appear on the download site.... 

This contains a feature that allows the mac-auth process to bypass the vlan check so no matter whether there's an existing auth session placing the mac in a vlan, it will do a new auth.

This does actually work, but it requires a config change. At the global level you need: port-security mac-move permit
Then at the port level: port-security mac-move bypass-vlan-check

I'm not sure when this firmware is going to hit the website, we were told it was good for production.