
802.1x port security violation with authentication host-mode multi-domain

Majed Zouhairy
Level 1

Peace, I want to use 802.1x for voice and data, but whenever I configure

authentication host-mode multi-domain

the port becomes error-disabled with reason security, which is 802.1x.

If I switch it to

authentication host-mode multi-host

then the port stays up but the IP phone bypasses the authentication.

Here is the port configuration:
interface GigabitEthernet1/0/25
 description test
 switchport access vlan 21
 switchport mode access
 switchport voice vlan 20
 authentication host-mode multi-domain
 dot1x pae authenticator
 spanning-tree portfast
 spanning-tree bpduguard enable

 

IOS version:

Cisco IOS Software, C2960X Software (C2960X-UNIVERSALK9-M), Version 15.0(2a)EX5, RELEASE SOFTWARE (fc3)

Is it a bug or a misconfiguration?

9 Replies

What is connected behind this port? Multi-domain will allow a single MAC for data and a single MAC for voice. If you have VMs running or a softphone, it will cause an error.

Well, I know that multi-domain is used for VoIP, and so I configured it with an IP phone and a PC.

But what I said is that you need to verify how many MACs are behind the port per VLAN. It will allow one MAC per VLAN.

Well, it seems you do not know that the IP phone appears in the data VLAN also. So perhaps the problem is that there are 3 MACs?

IP phones shouldn't appear in voice VLAN if it's configured in the switch port, unless I am missing something.

Just to confirm, are you using a Cisco IP phone?

Since CDP is enabled, you can conclude it is a Cisco phone.

Check this out:
skorini-48-2960X#sh mac address-table interface g1/0/25
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  20    2c0b.e914.3872    DYNAMIC     Gi1/0/25
  21    2c0b.e914.3872    DYNAMIC     Gi1/0/25
  21    c46e.1f15.8009    DYNAMIC     Gi1/0/25
Total Mac Addresses for this criterion: 3

What is bewildering is that the phone gets authenticated on the data VLAN:
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  20    2c0b.e914.3872    DYNAMIC     Drop
  21    2c0b.e914.3872    STATIC      Gi1/0/25
  21    c46e.1f15.8009    DYNAMIC     Drop

before the port gets error-disabled.
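
Added example, not part of any post in this thread: a Python sketch that parses the "show mac address-table interface" output posted above and counts MACs per VLAN, to check the "one MAC per VLAN" point raised in the replies. VLANs 20 (voice) and 21 (data) come from the posted port configuration; the function names are assumptions, and the switch assigns the actual domain from the authentication result, which this table does not show.

```python
import re
from collections import defaultdict

# Output copied from the thread above (sh mac address-table interface g1/0/25).
SAMPLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  20    2c0b.e914.3872    DYNAMIC     Gi1/0/25
  21    2c0b.e914.3872    DYNAMIC     Gi1/0/25
  21    c46e.1f15.8009    DYNAMIC     Gi1/0/25
Total Mac Addresses for this criterion: 3
"""

# One table row: VLAN id, dotted-hex MAC, entry type, port (or "Drop").
ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$",
    re.IGNORECASE,
)

def parse_mac_table(text):
    """Return (vlan, mac, type, port) tuples; headers and totals are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(2).lower(), m.group(3), m.group(4)))
    return rows

def summarize(rows, data_vlan, voice_vlan):
    """Group MACs per VLAN and flag anything beyond one MAC per VLAN."""
    per_vlan = defaultdict(set)
    for vlan, mac, _type, _port in rows:
        per_vlan[vlan].add(mac)
    data, voice = per_vlan[data_vlan], per_vlan[voice_vlan]
    return {
        "data_macs": sorted(data),
        "voice_macs": sorted(voice),
        "in_both_vlans": sorted(data & voice),  # same device seen in both VLANs
        "data_vlan_over_limit": len(data) > 1,
        "voice_vlan_over_limit": len(voice) > 1,
    }

if __name__ == "__main__":
    result = summarize(parse_mac_table(SAMPLE), data_vlan=21, voice_vlan=20)
    for key, value in result.items():
        print(f"{key}: {value}")
```

On the posted table this reports the phone's MAC in both VLANs and two MACs in VLAN 21, which is the "3 MACs" situation discussed in the replies.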

MEB
Level 1

Hi... Any luck in solving such issues, as I am suffering from a very similar one?

Below is the associated discussion:

************************

https://supportforums.cisco.com/t5/lan-switching-and-routing/catalyst-45-series-sup8e-802-1x-ports-getting-error-disabled/m-p/3338773#M406548

***************************

Best regards