https://community.cisco.com/t5/network-access-control/ise-error-disable-interface/m-p/2221722#M111558 <HTML><HEAD></HEAD><BODY><P>Hi Eng.malak, </P><P></P><P>The port config provided by you the interface GigabitEthernet1/0/2 is configured for MDA that means an IP phone and a single host behind the IP phone are authenticated independently, even though both the IP phone and host machine are connected to a single switch port on the switch. If more than once device is detected in either domain, a security violation will be triggered. This can be a problem when a phone fails to authenticate properly. If a phone fails authentication, then the switch does not receive the "device-traffic-class=voice" VSA from the radius server and the switch will assume that the failed device was in the data domain. However if there is already a data device behind the phone, there will be now 2 devices in the data domain, and a security violation is triggered.&nbsp; On this port only 2 MAC addresses are allowed. The switch place the client machine in a data vlan and the IP phone in a voice vlan.&nbsp; </P><P></P><P>Configure the violation mode. The keywords have these meanings:</P><P></P><P> <STRONG>authentication violation shutdown | restrict | protect | replace} </STRONG></P><P></P><P>•shutdown-Error disable the port.</P><P>•restrict-Generate a syslog error.</P><P>•protect-Drop packets from any new device that sends traffic to the port.</P><P>•replace-Removes the current session and authenticates with the new host.</P><H5><SPAN style="color: #333333;">Configuring 802.1x Violation Modes </SPAN></H5><P><SPAN> </SPAN><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_55_se/configuration/guide/sw8021x.html#wp1324086" rel="nofollow">http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_55_se/configuration/guide/sw8021x.html#wp1324086</A></P><P></P><P></P><P>~BR <BR />Jatin Katyal <BR /> <BR />**Do rate helpful posts**</P></BODY></HTML> Tue, 16 Jul 2013 13:15:17 GMT Jatin Katyal 2013-07-16T13:15:17Z https://community.cisco.com/t5/network-access-control/ise-error-disable-interface/m-p/2221719#M111412 <P><BR />Dears<BR />After configuring DOT1x on access ports , some ports show error disabled without enabling the port-security , is their any way to increase the number of MAC addresses allowed on the port ? , is it possible to disable this feature<BR /><BR /><BR />Sent from Cisco Technical Support iPhone App</P> Mon, 11 Mar 2019 03:39:14 GMT https://community.cisco.com/t5/network-access-control/ise-error-disable-interface/m-p/2221719#M111412 eng.malak 2019-03-11T03:39:14Z https://community.cisco.com/t5/network-access-control/ise-error-disable-interface/m-p/2221720#M111433 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Sent us the show run commands of interfaces.</P><P></P><P>Cheers</P><P>Pankaj</P></BODY></HTML> Tue, 16 Jul 2013 07:57:55 GMT https://community.cisco.com/t5/network-access-control/ise-error-disable-interface/m-p/2221720#M111433 pankaj29in 2013-07-16T07:57:55Z https://community.cisco.com/t5/network-access-control/ise-error-disable-interface/m-p/2221721#M111495 <HTML><HEAD></HEAD><BODY><P>here you are </P><P></P><P>interface GigabitEthernet1/0/2</P><P> switchport mode access</P><P> switchport voice vlan 91</P><P> authentication event fail action next-method</P><P> authentication event server dead action reinitialize vlan 184</P><P> authentication event server dead action authorize voice</P><P> authentication host-mode multi-domain</P><P> authentication order mab dot1x</P><P> authentication priority dot1x mab</P><P> authentication port-control auto</P><P> mab</P><P> dot1x pae authenticator</P><P> spanning-tree portfast</P></BODY></HTML> Tue, 16 Jul 2013 08:05:53 GMT https://community.cisco.com/t5/network-access-control/ise-error-disable-interface/m-p/2221721#M111495 eng.malak 2013-07-16T08:05:53Z https://community.cisco.com/t5/network-access-control/ise-error-disable-interface/m-p/2221722#M111558 <HTML><HEAD></HEAD><BODY><P>Hi Eng.malak, </P><P></P><P>The port config provided by you the interface GigabitEthernet1/0/2 is configured for MDA that means an IP phone and a single host behind the IP phone are authenticated independently, even though both the IP phone and host machine are connected to a single switch port on the switch. If more than once device is detected in either domain, a security violation will be triggered. This can be a problem when a phone fails to authenticate properly. If a phone fails authentication, then the switch does not receive the "device-traffic-class=voice" VSA from the radius server and the switch will assume that the failed device was in the data domain. However if there is already a data device behind the phone, there will be now 2 devices in the data domain, and a security violation is triggered.&nbsp; On this port only 2 MAC addresses are allowed. The switch place the client machine in a data vlan and the IP phone in a voice vlan.&nbsp; </P><P></P><P>Configure the violation mode. The keywords have these meanings:</P><P></P><P> <STRONG>authentication violation shutdown | restrict | protect | replace} </STRONG></P><P></P><P>•shutdown-Error disable the port.</P><P>•restrict-Generate a syslog error.</P><P>•protect-Drop packets from any new device that sends traffic to the port.</P><P>•replace-Removes the current session and authenticates with the new host.</P><H5><SPAN style="color: #333333;">Configuring 802.1x Violation Modes </SPAN></H5><P><SPAN> </SPAN><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_55_se/configuration/guide/sw8021x.html#wp1324086" rel="nofollow">http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_55_se/configuration/guide/sw8021x.html#wp1324086</A></P><P></P><P></P><P>~BR <BR />Jatin Katyal <BR /> <BR />**Do rate helpful posts**</P></BODY></HTML> Tue, 16 Jul 2013 13:15:17 GMT https://community.cisco.com/t5/network-access-control/ise-error-disable-interface/m-p/2221722#M111558 Jatin Katyal 2013-07-16T13:15:17Z