8021X Security Violation after Radius Access-Accept

JHaynes4B — Mon, 11 Mar 2019 06:49:28 GMT

Hi,

I am running a POC to enable DOT1X on our switches. We are using certificates on the laptops and a Cisco ACS server running 5.8.1.

We get to the point where the ACS server sends an Access-Accept to the switch for the DOT1X request but then the port goes into error disable with an error it found a new mac-address on the port and yet it is the mac-address of the device it just authenticated.

Here are the relevant portions of the debugs:

*****************************************************************************************************

May 31 09:53:04.619: RADIUS: Received from id 1645/133 10.5.20.230:1645, Access-Accept, len 205

*****************************************************************************************************

May 31 09:53:04.619: RADIUS: authenticator 1A C2 2A F6 62 34 59 20 - 3D EA 68 E1 B8 67 53 FB
May 31 09:53:04.619: RADIUS: User-Name           [1]   11 "UB-HY-002"
May 31 09:53:04.619: RADIUS: Class               [25] 34
May 31 09:53:04.619: RADIUS:   43 41 43 53 3A 53 57 2D 41 43 53 2D 31 31 32 31 [CACS:SW-ACS-1121]
May 31 09:53:04.619: RADIUS:   2F 32 35 33 38 39 37 39 34 32 2F 35 39 32 35 37 [/253897942/59257]
May 31 09:53:04.619: RADIUS: EAP-Message         [79] 6
May 31 09:53:04.619: RADIUS:   03 F2 00 04                                      [????]
May 31 09:53:04.619: RADIUS: Message-Authenticato[80] 18
May 31 09:53:04.628: RADIUS:   E9 1B CB 87 77 1A A2 CE E0 30 61 C1 0D 2A E1 F0 [????w????0a??*??]
May 31 09:53:04.628: RADIUS: Vendor, Microsoft   [26] 58
May 31 09:53:04.628: RADIUS:   MS-MPPE-Send-Key   [16] 52 *
May 31 09:53:04.628: RADIUS: Vendor, Microsoft   [26] 58
May 31 09:53:04.628: RADIUS:   MS-MPPE-Recv-Key   [17] 52 *
May 31 09:53:04.628: RADIUS(00000002): Received from id 1645/133
May 31 09:53:04.628: RADIUS/DECODE: EAP-Message fragments, 4, total 4 bytes

*************************************************************************************************************************

May 31 09:53:04.628: dot1x-packet:Received an EAP Success on the FastEthernet0/24 for mac 5882.a895.510b
May 31 09:53:04.628: dot1x-sm:Posting EAP_SUCCESS on Client=1A3DFE8
May 31 09:53:04.628:     dot1x_auth_bend Fa0: during state auth_bend_response, got event 11(eapSuccess)
May 31 09:53:04.628: @@@ dot1x_auth_bend Fa0: auth_bend_response -> auth_bend_success
May 31 09:53:04.628: dot1x-sm:Fa0/24:5882.a895.510b:auth_bend_response_exit called
May 31 09:53:04.628: dot1x-sm:Fa0/24:5882.a895.510b:auth_bend_success_enter called
May 31 09:53:04.628: dot1x-sm:Fa0/24:5882.a895.510b:auth_bend_response_success_action called
May 31 09:53:04.628:     dot1x_auth_bend Fa0: idle during state auth_bend_success
May 31 09:53:04.628: @@@ dot1x_auth_bend Fa0: auth_bend_success -> auth_bend_idle
May 31 09:53:04.628: dot1x-sm:Fa0/24:5882.a895.510b:auth_bend_idle_enter called
May 31 09:53:04.628: dot1x-sm:Posting AUTH_SUCCESS on Client=1A3DFE8
May 31 09:53:04.628:     dot1x_auth Fa0: during state auth_authenticating, got event 12(authSuccess_portValid)
May 31 09:53:04.628: @@@ dot1x_auth Fa0: auth_authenticating -> auth_authc_result
May 31 09:53:04.628: dot1x-sm:Fa0/24:5882.a895.510b:auth_authenticating_exit called
May 31 09:53:04.628: dot1x-sm:Fa0/24:5882.a895.510b:auth_authc_result_enter called

**************************************************************************************************************************

May 31 09:53:04.628: %DOT1X-5-SECURITY_VIOLATION: Security violation on the interface FastEthernet0/24, new MAC address 5882.a895.510b is seen.
May 31 09:53:04.628: %PM-4-ERR_DISABLE: security-violation error detected on Fa0/24, putting Fa0/24 in err-disable state

This is the dot1x configuration from the switch and the port we are testing are as follows:

aaa authentication dot1x default group radius

aaa authorization network default group radius

aaa accounting dot1x default start-stop group radius

interface FastEthernet0/24
switchport access vlan 420
switchport mode access
switchport voice vlan 321
snmp trap mac-notification added
snmp trap mac-notification removed
snmp trap link-status permit duplicates
dot1x mac-auth-bypass
dot1x pae authenticator
dot1x port-control auto
dot1x host-mode multi-domain
dot1x timeout tx-period 3
spanning-tree portfast

Any help would be appreciated. Thanks in advance.

Jim

Hi Jim, how many devices are

nspasov — Thu, 02 Jun 2016 18:08:17 GMT

Hi Jim, how many devices are being connected on that switch port? Also, are you perhaps using a docking station with the laptop?

You can try running multi-auth instead of multi-domain and see if that fixes the problem

authentication host-mode multi-auth

Thank you for rating helpful posts!

Hi Neno,

JHaynes4B — Thu, 02 Jun 2016 18:28:04 GMT

Hi Neno,

Turns out we needed to do a code upgrade to address some bug issues. Once we did it started to work. I appreciate the help.

Thanks,

Jim

Ah good to hear! Any chance

nspasov — Thu, 02 Jun 2016 18:35:10 GMT

Ah good to hear! Any chance you can post:

1. Bug that you were facing (if known)

2. Version of code that was affected

3. Version of code that you upgraded to

Thank you for rating helpful posts!

Sure,

JHaynes4B — Thu, 02 Jun 2016 18:45:55 GMT

Sure,

the bug was unknown and we went from code:

c2960-lanbasek9-mz.122-35.SE to 12.2(55)SE10

Oh yeah, the (55) train is

nspasov — Thu, 02 Jun 2016 19:16:19 GMT

Oh yeah, the (55) train is the way to go if you are not on 15.x. Thank you for taking the time to provide the solution to the problem! (+5 from me)

Now, since your issue is resolved, you should mark the thread as "answered" 🙂

topic Hi Neno, in Network Access Control

8021X Security Violation after Radius Access-Accept

Hi Jim, how many devices are

Hi Neno,

Ah good to hear! Any chance

Sure,

Oh yeah, the (55) train is