https://community.cisco.com/t5/network-access-control/3850-802-1x-new-style-multi-domain-err-disable-random/m-p/2799288#M56321 <P>Good morning,</P> <P></P> <P>I am wondering if anyone could tell me what is wrong here :</P> <P></P> <P>We have deployed the new style 802.1x policy on our 3850 but we have some strange behaviour where the port go into err-disable for security violation.</P> <P>The port are either connected to a PC, to an ip phone that is not 802.1x aware but support passthrough and sometimes with an usb docking station.</P> <P></P> <P>The switch config is as follow :</P> <P></P> <P>service-template GUEST_VLAN<BR /> vlan 99<BR />service-template CRIT_VLAN<BR /> vlan 99<BR />service-template REM_VLAN<BR /> vlan 99<BR />service-template CRIT_VLAN_IDR<BR /> vlan 118</P> <P>class-map type control subscriber match-all AAA_SVR_DOWN_AUTHD_HOST<BR /> match result-type aaa-timeout<BR /> match authorization-status authorized<BR />!<BR />class-map type control subscriber match-all AAA_SVR_DOWN_UNAUTHD_HOST<BR /> match result-type aaa-timeout<BR /> match authorization-status unauthorized<BR />!<BR />class-map type control subscriber match-all DOT1X<BR /> match method dot1x<BR />!<BR />class-map type control subscriber match-all DOT1X_FAILED<BR /> match method dot1x<BR /> match result-type method dot1x authoritative<BR />!<BR />class-map type control subscriber match-all DOT1X_MEDIUM_PRIO<BR /> match authorizing-method-priority gt 20<BR />!<BR />class-map type control subscriber match-all DOT1X_NO_RESP<BR /> match method dot1x<BR /> match result-type method dot1x agent-not-found<BR />!<BR />class-map type control subscriber match-all DOT1X_TIMEOUT<BR /> match method dot1x<BR /> match result-type method dot1x method-timeout<BR />!</P> <P><BR />policy-map type control subscriber IDR<BR /> event session-started match-all<BR /> 10 class always do-until-failure<BR /> 10 authenticate using dot1x retries 2 retry-time 0 priority 10<BR /> event authentication-failure match-first<BR /> 10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure<BR /> 10 activate service-template CRIT_VLAN_IDR<BR /> 20 authorize<BR /> 30 pause reauthentication<BR /> 20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure<BR /> 10 pause reauthentication<BR /> 20 authorize<BR /> 30 class DOT1X_TIMEOUT do-until-failure<BR /> 10 terminate dot1x<BR /> 20 activate service-template REM_VLAN<BR /> 30 authorize<BR /> 40 class DOT1X_NO_RESP do-until-failure<BR /> 10 terminate dot1x<BR /> 20 activate service-template GUEST_VLAN<BR /> 30 authorize<BR /> 50 class DOT1X_FAILED do-until-failure<BR /> 10 activate service-template REM_VLAN<BR /> 20 authorize<BR /> 60 class always do-until-failure<BR /> 10 terminate dot1x<BR /> 20 authentication-restart 20<BR /> event agent-found match-all<BR /> 10 class always do-until-failure<BR /> 10 authenticate using dot1x retries 2 retry-time 0 priority 10<BR /> event authentication-success match-all</P> <P>interface GigabitEthernet3/0/1<BR /> description #USR#IDR<BR /> switchport access vlan 118<BR /> switchport mode access<BR /> switchport nonegotiate<BR /> switchport voice vlan 213<BR /> switchport port-security maximum 10<BR /> authentication periodic<BR /> authentication timer reauthenticate 1800<BR /> access-session host-mode multi-domain<BR /> access-session port-control auto<BR /> ipv6 traffic-filter HOST_PACL in<BR /> dot1x pae authenticator<BR /> dot1x timeout quiet-period 20<BR /> dot1x timeout server-timeout 30<BR /> dot1x timeout held-period 30<BR /> spanning-tree portfast<BR /> service-policy type control subscriber IDR</P> <P>If we put the port in multi-auth, the phone is locked in booting as the switch let him go in the voice vlan but put the port in drop.</P> <P>in single-host, well the security violation is triggered as soon as we havee phone and pc in the are connected but it is expected.</P> <P>multi host is not an option as it is seen as unsecure.</P> <P></P> <P>any hint of what could be the culprit would be greatly appreciated.</P> <P></P> <P>Regards,</P> <P></P> <P>switch is running&nbsp;03.03.05SE but we tried with version 3.6 and it is the same behaviour.</P> <P></P> Mon, 11 Mar 2019 06:25:49 GMT csco10387876 2019-03-11T06:25:49Z https://community.cisco.com/t5/network-access-control/3850-802-1x-new-style-multi-domain-err-disable-random/m-p/2799288#M56321 <P>Good morning,</P> <P></P> <P>I am wondering if anyone could tell me what is wrong here :</P> <P></P> <P>We have deployed the new style 802.1x policy on our 3850 but we have some strange behaviour where the port go into err-disable for security violation.</P> <P>The port are either connected to a PC, to an ip phone that is not 802.1x aware but support passthrough and sometimes with an usb docking station.</P> <P></P> <P>The switch config is as follow :</P> <P></P> <P>service-template GUEST_VLAN<BR /> vlan 99<BR />service-template CRIT_VLAN<BR /> vlan 99<BR />service-template REM_VLAN<BR /> vlan 99<BR />service-template CRIT_VLAN_IDR<BR /> vlan 118</P> <P>class-map type control subscriber match-all AAA_SVR_DOWN_AUTHD_HOST<BR /> match result-type aaa-timeout<BR /> match authorization-status authorized<BR />!<BR />class-map type control subscriber match-all AAA_SVR_DOWN_UNAUTHD_HOST<BR /> match result-type aaa-timeout<BR /> match authorization-status unauthorized<BR />!<BR />class-map type control subscriber match-all DOT1X<BR /> match method dot1x<BR />!<BR />class-map type control subscriber match-all DOT1X_FAILED<BR /> match method dot1x<BR /> match result-type method dot1x authoritative<BR />!<BR />class-map type control subscriber match-all DOT1X_MEDIUM_PRIO<BR /> match authorizing-method-priority gt 20<BR />!<BR />class-map type control subscriber match-all DOT1X_NO_RESP<BR /> match method dot1x<BR /> match result-type method dot1x agent-not-found<BR />!<BR />class-map type control subscriber match-all DOT1X_TIMEOUT<BR /> match method dot1x<BR /> match result-type method dot1x method-timeout<BR />!</P> <P><BR />policy-map type control subscriber IDR<BR /> event session-started match-all<BR /> 10 class always do-until-failure<BR /> 10 authenticate using dot1x retries 2 retry-time 0 priority 10<BR /> event authentication-failure match-first<BR /> 10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure<BR /> 10 activate service-template CRIT_VLAN_IDR<BR /> 20 authorize<BR /> 30 pause reauthentication<BR /> 20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure<BR /> 10 pause reauthentication<BR /> 20 authorize<BR /> 30 class DOT1X_TIMEOUT do-until-failure<BR /> 10 terminate dot1x<BR /> 20 activate service-template REM_VLAN<BR /> 30 authorize<BR /> 40 class DOT1X_NO_RESP do-until-failure<BR /> 10 terminate dot1x<BR /> 20 activate service-template GUEST_VLAN<BR /> 30 authorize<BR /> 50 class DOT1X_FAILED do-until-failure<BR /> 10 activate service-template REM_VLAN<BR /> 20 authorize<BR /> 60 class always do-until-failure<BR /> 10 terminate dot1x<BR /> 20 authentication-restart 20<BR /> event agent-found match-all<BR /> 10 class always do-until-failure<BR /> 10 authenticate using dot1x retries 2 retry-time 0 priority 10<BR /> event authentication-success match-all</P> <P>interface GigabitEthernet3/0/1<BR /> description #USR#IDR<BR /> switchport access vlan 118<BR /> switchport mode access<BR /> switchport nonegotiate<BR /> switchport voice vlan 213<BR /> switchport port-security maximum 10<BR /> authentication periodic<BR /> authentication timer reauthenticate 1800<BR /> access-session host-mode multi-domain<BR /> access-session port-control auto<BR /> ipv6 traffic-filter HOST_PACL in<BR /> dot1x pae authenticator<BR /> dot1x timeout quiet-period 20<BR /> dot1x timeout server-timeout 30<BR /> dot1x timeout held-period 30<BR /> spanning-tree portfast<BR /> service-policy type control subscriber IDR</P> <P>If we put the port in multi-auth, the phone is locked in booting as the switch let him go in the voice vlan but put the port in drop.</P> <P>in single-host, well the security violation is triggered as soon as we havee phone and pc in the are connected but it is expected.</P> <P>multi host is not an option as it is seen as unsecure.</P> <P></P> <P>any hint of what could be the culprit would be greatly appreciated.</P> <P></P> <P>Regards,</P> <P></P> <P>switch is running&nbsp;03.03.05SE but we tried with version 3.6 and it is the same behaviour.</P> <P></P> Mon, 11 Mar 2019 06:25:49 GMT https://community.cisco.com/t5/network-access-control/3850-802-1x-new-style-multi-domain-err-disable-random/m-p/2799288#M56321 csco10387876 2019-03-11T06:25:49Z https://community.cisco.com/t5/network-access-control/3850-802-1x-new-style-multi-domain-err-disable-random/m-p/3338785#M56325 <P>Hi...Any Luck in Solving such issues As i am suffering from a very Similar one&nbsp;</P> <P><SPAN>Below is the&nbsp;associated discussion&nbsp;</SPAN></P> <P><SPAN>************************</SPAN></P> <P><SPAN><A href="https://supportforums.cisco.com/t5/lan-switching-and-routing/catalyst-45-series-sup8e-802-1x-ports-getting-error-disabled/m-p/3338773#M406548" target="_blank">https://supportforums.cisco.com/t5/lan-switching-and-routing/catalyst-45-series-sup8e-802-1x-ports-getting-error-disabled/m-p/3338773#M406548</A></SPAN></P> <P><SPAN>***************************</SPAN></P> <P><SPAN>Bregards</SPAN></P> Tue, 27 Feb 2018 14:41:53 GMT https://community.cisco.com/t5/network-access-control/3850-802-1x-new-style-multi-domain-err-disable-random/m-p/3338785#M56325 MEB 2018-02-27T14:41:53Z