Community
Comware Based

Re: 5130 mac-authentication not detecting a device moving

 
SOLVED
Go to solution
_biv_
HPE Pro

‎05-17-2017 03:32 AM

‎05-17-2017 03:32 AM

Re: 5130 mac-authentication not detecting a device moving

Please try this:

<SW1>sys
System View: return to User View with Ctrl+Z. 
[SW1]port-security mac-move permit 
[SW1]display port-security

Port security parameters:
   Port security          : Disabled
   AutoLearn aging time   : 0 min
   Disableport timeout    : 20 s
   MAC move               : Permited 
...[snip]...

I am an HPE Employee

Accept or Kudo

0 Kudos
Reply
dannyvanderaa
Occasional Contributor

‎05-31-2017 02:34 AM

‎05-31-2017 02:34 AM

Re: 5130 mac-authentication not detecting a device moving

We have the same problem over here.

The port-security mac-move permit was already enabled, but don't help us.

0 Kudos
Reply
dannyvanderaa
Occasional Contributor

‎05-31-2017 06:36 AM

‎05-31-2017 06:36 AM

Re: 5130 mac-authentication not detecting a device moving

Found article on Airheads:

http://community.arubanetworks.com/t5/Campus-Switching-and-Routing/issues-with-mac-move-on-a-5130-with-port-security-issues/td-p/273909

Last answer resolved our issue

Reply
legoman
Advisor

‎06-12-2017 04:00 AM

‎06-12-2017 04:00 AM

Re: 5130 mac-authentication not detecting a device moving

Yeah, the comware devs tried to suggest that as an option. It isn't a solution, but a workaround. It might be fine if you have a few vlans. We have hundreds. This doesn't scale... it also doesn't seem to work reliably either.

0 Kudos
Reply
legoman
Advisor

‎06-12-2017 04:15 AM

‎06-12-2017 04:15 AM

Re: 5130 mac-authentication not detecting a device moving

Interesting this works on the 1950... Hadn't realised they were comware7.

We've had confirmation this is a problem with the 5130. It seems to be related to the comware system drivers talking to the ASIC in the 5130 specifically. It's with the devs, who haven't managed to give our rep any feedback on when this might be fixed.

So essentially we have a 5130 bug here, which doesn't behave as per the documentation. It's causing us reputational damage now, we're very unhappy about it.... but what can you do? We're hopeful of a fix for this bug soon.

0 Kudos
Reply
legoman
Advisor

‎01-29-2018 06:54 AM

‎01-29-2018 06:54 AM

Solution

Re: 5130 mac-authentication not detecting a device moving

An old thread, but there's a conclusion!

The problem I had is something to do with the way the mac-auth works. Here's my primitive interpretation of what I think is happening (probably incorrect): When a mac address is authenticated it's placed within the vlan returned by radius. When this moves to a different port, it's then attempting to authenticate from a different vlan and that isn't possible... so nothing happens. 

This is one of the reasons why making all vlans available on a hybrid port would sort of make things work in some circumstances.

There's a new code version that we were given at the end of 2017, 3301P01, which has yet to appear on the download site.... 

This contains a feature that allows the mac-auth process to bypass the vlan check so no matter whether there's an existing auth session placing the mac in a vlan, it will do a new auth.

This does actually work, but it requires a config change. At the global level you need: port-security mac-move permit
Then at the port level: port-security mac-move bypass-vlan-check

I'm not sure when this firmware is going to hit the website, we were told it was good for production.

0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.