FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
cmaheu
Staff
Article Id 190252

Description

This article describes an issue where hosts connected to a Brocade switch using RADIUS MAC Authentication do not change VLANs after a successful registration.
If the host's entry is removed from the switch's session table, the VLAN does change.


Scope
Version: 8.6.1

Solution

Workaround:
A change can be made in the CLI so that the proper commands are executed to de-authenticate the host. Contact Support for assistance.

 

Note the following: 
  • These modifications must be made after each appliance upgrade
  • Changes must be performed in both primary and secondary Control Servers in High Availability configurations
  • Changes must be performed on all pods managing the Brocade switches

1) Edit the /bsc/campusMgr/master_loader/telnetMibs/fastiron.mib file in the Control Server CLI.


Change:
clear dot1x mac-session

To:
clear authentication sessions

Change:
clear auth-mac-table mac-session

To:
clear authentication sessions

2) Create README in /bsc/campusMgrUpdates with the following content:
---------------------------------------------------------------------------
Ticket <FortiCare ticket number> <Date> <support eng initials>
Addresses NAC not de-authing the client properly to change VLANs.
 
The following must be done for:
- Primary and secondary Control Servers in High Availability configurations
- All pods managing the Brocade switches
 
1) Edit the /bsc/campusMgr/master_loader/telnetMibs/fastiron.mib file in the Control Server CLI.  

Change:
clear dot1x mac-session
To
clear authentication sessions

Change:
clear auth-mac-table mac-session
To
clear authentication sessions
 
2)  Save the file.
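
Because the edit in step 1 must be redone after every upgrade and on every Control Server, a check that detects a reverted file and re-applies the change is useful. The script below is an added example, not Fortinet code: it assumes the old commands appear as literal text in fastiron.mib, and the function names and sample file content are constructed for illustration.

```shell
#!/bin/sh
# Added example: check and re-apply the fastiron.mib edit from step 1.
# Assumption: the old commands appear as literal text in the file.
OLD1='clear dot1x mac-session'
OLD2='clear auth-mac-table mac-session'
NEW='clear authentication sessions'

# Return 0 if either old command is still present (edit missing or reverted).
needs_patch() {
    grep -q -F -e "$OLD1" -e "$OLD2" "$1"
}

# Apply the edit once; keep a copy of the original next to the file.
patch_mib() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f" >&2; return 2; }
    if ! needs_patch "$f"; then
        echo "already patched: $f"
        return 0
    fi
    cp -p "$f" "$f.orig" || return 2
    sed -e "s/$OLD1/$NEW/g" -e "s/$OLD2/$NEW/g" "$f.orig" > "$f.new" || return 2
    # Refuse to install the result if an old command survived.
    if needs_patch "$f.new"; then
        rm -f "$f.new"; echo "patch failed: $f" >&2; return 1
    fi
    cat "$f.new" > "$f" && rm -f "$f.new"   # cat keeps owner and mode of $f
    echo "patched: $f (original saved as $f.orig)"
}

# Constructed sample standing in for fastiron.mib; the real file layout
# is not shown in the article, so these lines are illustrative only.
make_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not the real file
cmd1 = clear dot1x mac-session
cmd2 = clear auth-mac-table mac-session
cmd3 = show version
EOF
}

SAMPLE=$(mktemp)
make_sample "$SAMPLE"
patch_mib "$SAMPLE"      # first run applies the edit
patch_mib "$SAMPLE"      # second run is a no-op
```

On an appliance, call `patch_mib /bsc/campusMgr/master_loader/telnetMibs/fastiron.mib` in place of the sample run.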