NAC Reauthentication Failure vs Cisco WLC: End_System_move

htw — Mon, 01 Aug 2016 14:54:00 GMT

Hi,
four Cisco WirelessLanControllers Type 4404 are using two of our NACs as RADIUS Server. Switch settings in appliance group are as follows:

Switch type: layer 2 Radius only
Auth Access Type: Manual RADIUS Configuration
Gateway RADIUS Attributes to send: none
RADIUS Accounting: Disabled

NAC determines Clients IP by DHCP packets which we redirect to NAC. When a client gets another IP address than he had before, NAC seems to trigger a reauthentication because of that address change. This reauthentication fails:

DEBUG [ReauthTask] ESDMAC:71-5F-62,ESDIP:141.45.214.55 The re-authentication request is being processed because the reauth reason: "END_SYSTEM_MOVE" is not for a data change.
DEBUG [ReauthTask] ESDMAC:71-5F-62,ESDIP:141.45.214.55 Re-authentication running for Switch: 192.168.2.6, Port : 29, Port Name : null, Port Alias: null, MAC: D0-33-11-71-5F-62, Reason: END_SYSTEM_MOVE
INFO [ReauthSnmpTask] ESDMAC:71-5F-62 Executing Reauth for MAC: D0-33-11-71-5F-62, IP: x.y.214.55 for NAS switch 192.168.2.6 switchPort 29 reason: END_SYSTEM_MOVE all sessions
DEBUG [ReauthSnmpTask] ESDMAC:71-5F-62 Not using toggle link for session: AUTH_8021X => Rejected: false shouldToggleLinkForRejectedEapTlsOnReauth: true ID: 1056617341
INFO [ToggleLinkReauthenticationSnmpWorker] ESDMAC:71-5F-62 Starting ToggleLink Reauthentication for: D0-33-11-71-5F-62 on port: 29
INFO [ToggleLinkReauthenticationSnmpWorker] ESDMAC:71-5F-62 Reauthenticating using Toggle Link for port: 29
DEBUG [ToggleLinkReauthenticationSnmpWorker] ESDMAC:71-5F-62 using ToggleLinkSnmpWorker: IfAdminStatusToggleLinkSnmpWorker
DEBUG [ToggleLinkReauthenticationSnmpWorker] ESDMAC:71-5F-62 The toggle link worker said that we should not toggle the port, skipping...
DEBUG [ToggleLinkReauthenticationSnmpWorker] ESDMAC:71-5F-62 Reauthentication was: *NOT* successful
DEBUG [ReauthTask] ESDMAC:71-5F-62,ESDIP:141.45.214.55 Re-authentication failed. Switch: 192.168.2.6, Port : 29, Port Name : null, Port Alias: null, MAC: D0-33-11-71-5F-62, Reason: END_SYSTEM_MOVE

Can I disable reauthentication when a client moves from one IP to another? It seems unneccessary since NAC was already asked for authentication some milliseconds before otherwise the wireless client couldnt have connected to the Cisco WLC.

RE: NAC Reauthentication Failure vs Cisco WLC: End_System_move

Bharathiraja__S — Tue, 16 Aug 2016 12:06:00 GMT

Hi ,

we have to check this issue step by step.

Please check below article and let me know if it works.

https://gtacknowledge.extremenetworks.com/articles/How_To/NAC-Troubleshooting-Tips-common-tcpdump-co...

Open a GTAC case if you still have the same issue.

Thanks,

Suresh.B

topic RE: NAC Reauthentication Failure vs Cisco WLC: End_System_move in ExtremeWireless (General)

NAC Reauthentication Failure vs Cisco WLC: End_System_move

RE: NAC Reauthentication Failure vs Cisco WLC: End_System_move