3850 802.1x new style, multi domain err-disable random

csco10387876
Level 1

Good morning,

I am wondering if anyone could tell me what is wrong here:

We have deployed the new-style 802.1x policy on our 3850, but we have some strange behaviour where the ports go into err-disable for a security violation.

The ports are connected either to a PC or to an IP phone that is not 802.1x aware but supports passthrough, and sometimes to a USB docking station.

The switch config is as follows:

service-template GUEST_VLAN
 vlan 99
service-template CRIT_VLAN
 vlan 99
service-template REM_VLAN
 vlan 99
service-template CRIT_VLAN_IDR
 vlan 118

class-map type control subscriber match-all AAA_SVR_DOWN_AUTHD_HOST
 match result-type aaa-timeout
 match authorization-status authorized
!
class-map type control subscriber match-all AAA_SVR_DOWN_UNAUTHD_HOST
 match result-type aaa-timeout
 match authorization-status unauthorized
!
class-map type control subscriber match-all DOT1X
 match method dot1x
!
class-map type control subscriber match-all DOT1X_FAILED
 match method dot1x
 match result-type method dot1x authoritative
!
class-map type control subscriber match-all DOT1X_MEDIUM_PRIO
 match authorizing-method-priority gt 20
!
class-map type control subscriber match-all DOT1X_NO_RESP
 match method dot1x
 match result-type method dot1x agent-not-found
!
class-map type control subscriber match-all DOT1X_TIMEOUT
 match method dot1x
 match result-type method dot1x method-timeout
!

policy-map type control subscriber IDR
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x retries 2 retry-time 0 priority 10
 event authentication-failure match-first
  10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
   10 activate service-template CRIT_VLAN_IDR
   20 authorize
   30 pause reauthentication
  20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
   10 pause reauthentication
   20 authorize
  30 class DOT1X_TIMEOUT do-until-failure
   10 terminate dot1x
   20 activate service-template REM_VLAN
   30 authorize
  40 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 activate service-template GUEST_VLAN
   30 authorize
  50 class DOT1X_FAILED do-until-failure
   10 activate service-template REM_VLAN
   20 authorize
  60 class always do-until-failure
   10 terminate dot1x
   20 authentication-restart 20
 event agent-found match-all
  10 class always do-until-failure
   10 authenticate using dot1x retries 2 retry-time 0 priority 10
 event authentication-success match-all

interface GigabitEthernet3/0/1
 description #USR#IDR
 switchport access vlan 118
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 213
 switchport port-security maximum 10
 authentication periodic
 authentication timer reauthenticate 1800
 access-session host-mode multi-domain
 access-session port-control auto
 ipv6 traffic-filter HOST_PACL in
 dot1x pae authenticator
 dot1x timeout quiet-period 20
 dot1x timeout server-timeout 30
 dot1x timeout held-period 30
 spanning-tree portfast
 service-policy type control subscriber IDR

If we put the port in multi-auth, the phone is stuck booting, as the switch lets it go into the voice VLAN but puts the port in drop.

In single-host, well, the security violation is triggered as soon as the phone and PC are connected, but that is expected.

Multi-host is not an option as it is seen as insecure.

Any hint as to what could be the culprit would be greatly appreciated.

Regards,

The switch is running 03.03.05SE, but we tried with version 3.6 and it is the same behaviour.
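As an added example (not from the original post and not Cisco code), the following Python models how the authentication-failure event in the policy above is evaluated: each class-map is match-all, so a class matches only when every one of its conditions holds, and the event is match-first, so the first matching class's do-until-failure actions are the ones that run. Representing a session as a set of attribute strings is this example's own assumption.

```python
# Added example for this thread, not Cisco code: model which branch of the posted
# "authentication-failure" event fires for a given session outcome (assumption: a
# session is represented as the set of attribute strings it satisfies).
CLASSES = {  # match-all class-maps from the post: every condition must hold
    "AAA_SVR_DOWN_UNAUTHD_HOST": {"result-type aaa-timeout", "authorization-status unauthorized"},
    "AAA_SVR_DOWN_AUTHD_HOST": {"result-type aaa-timeout", "authorization-status authorized"},
    "DOT1X_TIMEOUT": {"method dot1x", "result-type method dot1x method-timeout"},
    "DOT1X_NO_RESP": {"method dot1x", "result-type method dot1x agent-not-found"},
    "DOT1X_FAILED": {"method dot1x", "result-type method dot1x authoritative"},
}
EVENT = """event authentication-failure match-first
 10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
  10 activate service-template CRIT_VLAN_IDR
  20 authorize
  30 pause reauthentication
 20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
  10 pause reauthentication
  20 authorize
 30 class DOT1X_TIMEOUT do-until-failure
  10 terminate dot1x
  20 activate service-template REM_VLAN
  30 authorize
 40 class DOT1X_NO_RESP do-until-failure
  10 terminate dot1x
  20 activate service-template GUEST_VLAN
  30 authorize
 50 class DOT1X_FAILED do-until-failure
  10 activate service-template REM_VLAN
  20 authorize
 60 class always do-until-failure
  10 terminate dot1x
  20 authentication-restart 20"""

def parse_event(text):
    """Return [(class name, [actions])] in configured order, skipping the event line."""
    branches = []
    for line in text.splitlines()[1:]:
        w = line.split()                  # "<seq> class NAME do-until-failure"
        if w[1] == "class":               # ...or "<seq> <action words...>"
            branches.append((w[2], []))
        else:
            branches[-1][1].append(" ".join(w[1:]))
    return branches

def fire(facts, classes, branches):
    """match-first: the first class whose conditions are all satisfied wins."""
    for name, actions in branches:
        if name == "always" or classes[name] <= facts:
            return name, actions
    return None, []
```

For instance, a RADIUS timeout on a not-yet-authorized session selects the CRIT_VLAN_IDR branch (VLAN 118), while a session with no supplicant reply lands in GUEST_VLAN, and anything unmatched falls through to the `always` class that terminates dot1x and restarts authentication after 20 seconds.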


MEB
Level 1

Hi... Any luck in solving such issues? I am suffering from a very similar one.

Below is the associated discussion:

************************

https://supportforums.cisco.com/t5/lan-switching-and-routing/catalyst-45-series-sup8e-802-1x-ports-getting-error-disabled/m-p/3338773#M406548

***************************

Best regards