NAC Reauthentication Failure vs Cisco WLC: End_System_move

  • Question
  • Updated 2 years ago
  • Answered
Hi,
Four Cisco Wireless LAN Controllers, type 4404, are using two of our NACs as RADIUS servers. The switch settings in the appliance group are as follows:
  • Switch type: layer 2 Radius only
  • Auth Access Type: Manual RADIUS Configuration
  • Gateway RADIUS Attributes to send: none
  • RADIUS Accounting: Disabled
NAC determines the client's IP from DHCP packets, which we redirect to NAC. When a client gets a different IP address than it had before, NAC seems to trigger a reauthentication because of that address change. This reauthentication fails:
DEBUG [ReauthTask] ESDMAC:71-5F-62,ESDIP:141.45.214.55 The re-authentication request is being processed because the reauth reason: "END_SYSTEM_MOVE" is not for a data change.
DEBUG [ReauthTask] ESDMAC:71-5F-62,ESDIP:141.45.214.55 Re-authentication running for Switch: 192.168.2.6, Port : 29, Port Name : null, Port Alias: null, MAC: D0-33-11-71-5F-62, Reason: END_SYSTEM_MOVE
INFO [ReauthSnmpTask] ESDMAC:71-5F-62 Executing Reauth for MAC: D0-33-11-71-5F-62, IP: x.y.214.55 for NAS switch 192.168.2.6 switchPort 29 reason: END_SYSTEM_MOVE all sessions
DEBUG [ReauthSnmpTask] ESDMAC:71-5F-62 Not using toggle link for session: AUTH_8021X => Rejected: false shouldToggleLinkForRejectedEapTlsOnReauth: true ID: 1056617341
INFO [ToggleLinkReauthenticationSnmpWorker] ESDMAC:71-5F-62 Starting ToggleLink Reauthentication for: D0-33-11-71-5F-62 on port: 29
INFO [ToggleLinkReauthenticationSnmpWorker] ESDMAC:71-5F-62 Reauthenticating using Toggle Link for port: 29
DEBUG [ToggleLinkReauthenticationSnmpWorker] ESDMAC:71-5F-62 using ToggleLinkSnmpWorker: IfAdminStatusToggleLinkSnmpWorker
DEBUG [ToggleLinkReauthenticationSnmpWorker] ESDMAC:71-5F-62 The toggle link worker said that we should not toggle the port, skipping...
DEBUG [ToggleLinkReauthenticationSnmpWorker] ESDMAC:71-5F-62 Reauthentication was: *NOT* successful
DEBUG [ReauthTask] ESDMAC:71-5F-62,ESDIP:141.45.214.55 Re-authentication failed. Switch: 192.168.2.6, Port : 29, Port Name : null, Port Alias: null, MAC: D0-33-11-71-5F-62, Reason: END_SYSTEM_MOVE
Can I disable reauthentication when a client moves from one IP to another? It seems unnecessary, since NAC was already asked for authentication some milliseconds before; otherwise the wireless client couldn't have connected to the Cisco WLC.
htw

Posted 2 years ago
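
For triaging the same symptom across many clients, the log sequence in the question can be summarised per switch and reauth reason. The Python sketch below is an added example, not part of the original post or of any vendor tooling; it assumes the line format shown in the post, and the name summarize_reauth_failures is hypothetical.

```python
import re
from collections import defaultdict

# Log lines copied from the post above (no timestamps were included there).
SAMPLE_LOG = """\
DEBUG [ReauthTask] ESDMAC:71-5F-62,ESDIP:141.45.214.55 Re-authentication running for Switch: 192.168.2.6, Port : 29, Port Name : null, Port Alias: null, MAC: D0-33-11-71-5F-62, Reason: END_SYSTEM_MOVE
INFO [ToggleLinkReauthenticationSnmpWorker] ESDMAC:71-5F-62 Starting ToggleLink Reauthentication for: D0-33-11-71-5F-62 on port: 29
DEBUG [ToggleLinkReauthenticationSnmpWorker] ESDMAC:71-5F-62 The toggle link worker said that we should not toggle the port, skipping...
DEBUG [ToggleLinkReauthenticationSnmpWorker] ESDMAC:71-5F-62 Reauthentication was: *NOT* successful
DEBUG [ReauthTask] ESDMAC:71-5F-62,ESDIP:141.45.214.55 Re-authentication failed. Switch: 192.168.2.6, Port : 29, Port Name : null, Port Alias: null, MAC: D0-33-11-71-5F-62, Reason: END_SYSTEM_MOVE
"""

# "LEVEL [Task] ESDMAC:xx-xx-xx[,ESDIP:...] message"
LINE = re.compile(r"^(?P<level>\w+) \[(?P<task>\w+)\] ESDMAC:(?P<tag>[0-9A-F-]+)\S* (?P<msg>.*)$")
FAILED = re.compile(
    r"Re-authentication failed\. Switch: (?P<switch>\S+), Port : (?P<port>\d+),"
    r".*MAC: (?P<mac>[0-9A-F-]+), Reason: (?P<reason>\w+)"
)
SKIP_MARKER = "should not toggle the port"


def summarize_reauth_failures(log_text):
    """Group failed reauthentications by (switch, reason).

    Each entry records whether the toggle-link worker declined to toggle
    the port for that end system before the failure was logged.
    """
    skipped = set()                 # ESDMAC tags with a pending "skipping" line
    failures = defaultdict(list)    # (switch, reason) -> [failure records]
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                # not a line in the format shown in the post
        if SKIP_MARKER in m["msg"]:
            skipped.add(m["tag"])
            continue
        f = FAILED.search(m["msg"])
        if f:
            failures[(f["switch"], f["reason"])].append({
                "mac": f["mac"],
                "port": int(f["port"]),
                "toggle_skipped": m["tag"] in skipped,
            })
            skipped.discard(m["tag"])   # the skip belongs to this attempt only
    return dict(failures)


if __name__ == "__main__":
    for (switch, reason), items in summarize_reauth_failures(SAMPLE_LOG).items():
        print(switch, reason, items)
```

Run over a full NAC debug log, the per-switch counts show whether the failures are confined to END_SYSTEM_MOVE events on the WLC addresses or also occur for other reasons.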

Bharathiraja, Suresh, Employee

Hi,

We have to check this issue step by step.

Please check the article below and let me know if it works.

https://gtacknowledge.extremenetworks.com/articles/How_To/NAC-Troubleshooting-Tips-common-tcpdump-co...

Open a GTAC case if you still have the same issue.


Thanks,

Suresh.B