NAC Reauthentication Failure vs Cisco WLC: End_System_move

Userlevel 3
four Cisco WirelessLanControllers Type 4404 are using two of our NACs as RADIUS Server. Switch settings in appliance group are as follows:
  • Switch type: layer 2 Radius only
  • Auth Access Type: Manual RADIUS Configuration
  • Gateway RADIUS Attributes to send: none
  • RADIUS Accounting: Disabled
NAC determines Clients IP by DHCP packets which we redirect to NAC. When a client gets another IP address than he had before, NAC seems to trigger a reauthentication because of that address change. This reauthentication fails:

DEBUG [ReauthTask] ESDMAC:71-5F-62,ESDIP: The re-authentication request is being processed because the reauth reason: "END_SYSTEM_MOVE" is not for a data change.
DEBUG [ReauthTask] ESDMAC:71-5F-62,ESDIP: Re-authentication running for Switch:, Port : 29, Port Name : null, Port Alias: null, MAC: D0-33-11-71-5F-62, Reason: END_SYSTEM_MOVE
INFO [ReauthSnmpTask] ESDMAC:71-5F-62 Executing Reauth for MAC: D0-33-11-71-5F-62, IP: x.y.214.55 for NAS switch switchPort 29 reason: END_SYSTEM_MOVE all sessions
DEBUG [ReauthSnmpTask] ESDMAC:71-5F-62 Not using toggle link for session: AUTH_8021X => Rejected: false shouldToggleLinkForRejectedEapTlsOnReauth: true ID: 1056617341
INFO [ToggleLinkReauthenticationSnmpWorker] ESDMAC:71-5F-62 Starting ToggleLink Reauthentication for: D0-33-11-71-5F-62 on port: 29
INFO [ToggleLinkReauthenticationSnmpWorker] ESDMAC:71-5F-62 Reauthenticating using Toggle Link for port: 29
DEBUG [ToggleLinkReauthenticationSnmpWorker] ESDMAC:71-5F-62 using ToggleLinkSnmpWorker: IfAdminStatusToggleLinkSnmpWorker
DEBUG [ToggleLinkReauthenticationSnmpWorker] ESDMAC:71-5F-62 The toggle link worker said that we should not toggle the port, skipping...
DEBUG [ToggleLinkReauthenticationSnmpWorker] ESDMAC:71-5F-62 Reauthentication was: *NOT* successful
DEBUG [ReauthTask] ESDMAC:71-5F-62,ESDIP: Re-authentication failed. Switch:, Port : 29, Port Name : null, Port Alias: null, MAC: D0-33-11-71-5F-62, Reason: END_SYSTEM_MOVE

Can I disable reauthentication when a client moves from one IP to another? It seems unneccessary since NAC was already asked for authentication some milliseconds before otherwise the wireless client couldnt have connected to the Cisco WLC.

1 reply

Userlevel 4
Hi ,

we have to check this issue step by step.

Please check below article and let me know if it works.

Open a GTAC case if you still have the same issue.