Auto Tracking and Destination Role Mappings Compatibility

Auto tracking authentication should not be used in domains that use MAC-to-role or IP-to-role mappings based on destination MAC or IP addresses. (Source address mappings do not have the same compatibility concern.) To understand the compatibility problem, consider how role mappings and auto tracking work.

Role mappings cause all traffic bound for the mapped destination MAC or IP addresses to be processed by the role specified in the mapping, even though the traffic originates from a user who may have been assigned a different role through authentication or the port default. Traffic sent from the user to those destinations is processed by the role defined in the mapping. Traffic sent from the user to any other destination continues to be processed by the role the user is authenticated to or assigned via the port default.

When auto tracking is enabled, auto tracking authentication sessions are created for all traffic detected on enabled ports. If a user is assigned a role by another authentication type, there is no compatibility issue, because auto tracking has a lower authentication precedence than all other authentication types. However, if a user is assigned the port default role (which has a lower precedence than all authentication types, including auto tracking), and the first traffic from the user happens to be sent to one of the mapped destination addresses, then an auto tracking authentication session is created with the role specified by the mapping rather than the port default role. From then on, all traffic from that user is processed by the mapping role. Since this is unlikely to be the same role as the port default, the user's traffic may not be classified in the manner expected.
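The interaction above can be checked with a small model of the precedence rules. The following is an added example written for this page, not vendor code: it assumes three session sources (authenticated, auto tracking, port default, in that order of precedence), a constructed IP-to-role mapping for 10.0.0.5, and constructed MAC and IP addresses. It classifies two frames from one user and shows how the auto tracking session inherits the mapping role when the first frame goes to a mapped destination, and it includes a helper that lists ports where auto tracking is enabled while destination mappings exist.

```python
from dataclasses import dataclass, field
from typing import Optional

# Session sources in precedence order (higher wins); port default is the floor.
# The names are assumptions for this model, not product configuration keywords.
PRECEDENCE = {"authenticated": 2, "auto_tracking": 1, "port_default": 0}


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    dst_ip: str


@dataclass
class Port:
    name: str
    default_role: str
    auto_tracking: bool = False
    # source MAC -> (session source, role)
    sessions: dict = field(default_factory=dict)


@dataclass
class Switch:
    mac_mappings: dict = field(default_factory=dict)  # destination MAC -> role
    ip_mappings: dict = field(default_factory=dict)   # destination IP -> role

    def mapping_role(self, frame: Frame) -> Optional[str]:
        """Role forced by a destination MAC/IP mapping, if the frame matches one."""
        return self.mac_mappings.get(frame.dst_mac) or self.ip_mappings.get(frame.dst_ip)

    def authenticate(self, port: Port, src_mac: str, role: str) -> None:
        """Record a session from an authentication type that outranks auto tracking."""
        port.sessions[src_mac] = ("authenticated", role)

    def process(self, port: Port, frame: Frame) -> str:
        """Return the role that classifies this frame, applying the rules in the text."""
        source, role = port.sessions.get(frame.src_mac, ("port_default", port.default_role))
        mapped = self.mapping_role(frame)
        if port.auto_tracking and PRECEDENCE[source] < PRECEDENCE["auto_tracking"]:
            # First traffic from a port-default user creates the auto tracking session.
            # The session takes the role that processed this frame: the mapping role
            # if the destination is mapped, otherwise the port default role.
            role = mapped or role
            port.sessions[frame.src_mac] = ("auto_tracking", role)
        return mapped or role


def run_scenario(auto_tracking: bool, first_to_mapped: bool,
                 authenticated_role: Optional[str] = None) -> list:
    """Classify two frames from one user and return the roles used: the first
    frame (to a mapped or unmapped host) and a later frame to an unmapped host."""
    sw = Switch(ip_mappings={"10.0.0.5": "Server-Access"})  # constructed mapping
    port = Port("port-1", "Guest", auto_tracking)
    user = "00:11:22:33:44:55"  # constructed user MAC
    if authenticated_role:
        sw.authenticate(port, user, authenticated_role)
    to_mapped = Frame(user, "00:aa:bb:cc:dd:01", "10.0.0.5")
    to_other = Frame(user, "00:aa:bb:cc:dd:02", "10.0.0.9")
    first = to_mapped if first_to_mapped else to_other
    return [sw.process(port, first), sw.process(port, to_other)]


def conflicting_ports(sw: Switch, ports: list) -> list:
    """Names of ports with auto tracking enabled while destination mappings exist."""
    if not (sw.mac_mappings or sw.ip_mappings):
        return []
    return [p.name for p in ports if p.auto_tracking]


if __name__ == "__main__":
    print("auto tracking, first frame to mapped host:", run_scenario(True, True))
    print("auto tracking, first frame elsewhere:     ", run_scenario(True, False))
    print("no auto tracking:                         ", run_scenario(False, True))
    print("authenticated user:                       ", run_scenario(True, True, "Employee"))
```

The first scenario is the problem case from the text: both frames come back as Server-Access, so the user's ordinary traffic is no longer classified as Guest. With auto tracking off, or with a higher-precedence authentication session in place, only the frame to the mapped host takes the mapping role.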


For information on related tasks: