Hi, yup, command is definitely there:-

switch 1 provision ws-c3850-48p
switch 2 provision ws-c3850-48p
authentication mac-move permit   <<<

We are also using authentication host-mode multi-domain, as most Switch ports have a phone(mitel) and a PC attached

Devices don't move about, they sit on a desk, customers don't move kit.

This is happening on all switches, across multiple sites with the MAB config, so doubt it would be a spoofing event.

You can see how 'chatty' it is below:-  

Mar 28 12:41:16: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (842a.fd52.02a4) on Interface Gi1/0/16 AuditSessionID 0AF420D7000167562E655A62
Mar 28 12:41:16: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (b00c.d158.a0b9) on Interface Gi2/0/18 AuditSessionID 0AF420D7000167572E655A6C
Mar 28 12:41:17: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet2/0/20, new MAC address (040e.3c94.380a) is seen.AuditSessionID 0AF420D7000167582E655CCE
Mar 28 12:41:17: %AUTHMGR-5-MACREPLACE: MAC address (040e.3c94.380a) on Interface GigabitEthernet2/0/20 is replaced by MAC (040e.3c94.380a) AuditSessionID 0AF420D7000167582E655CCE
Mar 28 12:41:17: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (040e.3c94.380a) on Interface Gi2/0/20 AuditSessionID 0AF420D7000167582E655CCE
Mar 28 12:41:17: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet1/0/16, new MAC address (842a.fd52.02a4) is seen.AuditSessionID 0AF420D7000167592E655ED6
Mar 28 12:41:17: %AUTHMGR-5-MACREPLACE: MAC address (842a.fd52.02a4) on Interface GigabitEthernet1/0/16 is replaced by MAC (842a.fd52.02a4) AuditSessionID 0AF420D7000167592E655ED6
Mar 28 12:41:17: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (842a.fd52.02a4) on Interface Gi1/0/16 AuditSessionID 0AF420D7000167592E655ED6
Mar 28 12:41:17: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet2/0/26, new MAC address (b00c.d158.a38d) is seen.AuditSessionID 0AF420D70001675A2E655EFE
Mar 28 12:41:17: %AUTHMGR-5-MACREPLACE: MAC address (b00c.d158.a38d) on Interface GigabitEthernet2/0/26 is replaced by MAC (b00c.d158.a38d) AuditSessionID 0AF420D70001675A2E655EFE
Mar 28 12:41:17: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (b00c.d158.a38d) on Interface Gi2/0/26 AuditSessionID 0AF420D70001675A2E655EFE
Mar 28 12:41:17: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet1/0/16, new MAC address (842a.fd52.02a4) is seen.AuditSessionID 0AF420D70001675B2E655F26
Mar 28 12:41:17: %AUTHMGR-5-MACREPLACE: MAC address (842a.fd52.02a4) on Interface GigabitEthernet1/0/16 is replaced by MAC (842a.fd52.02a4) AuditSessionID 0AF420D70001675B2E655F26
Mar 28 12:41:17: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (842a.fd52.02a4) on Interface Gi1/0/16 AuditSessionID 0AF420D70001675B2E655F26
Mar 28 12:41:18: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet2/0/26, new MAC address (b00c.d158.a38d) is seen.AuditSessionID 0AF420D70001675C2E6560DE
Mar 28 12:41:18: %AUTHMGR-5-MACREPLACE: MAC address (b00c.d158.a38d) on Interface GigabitEthernet2/0/26 is replaced by MAC (b00c.d158.a38d) AuditSessionID 0AF420D70001675C2E6560DE
Mar 28 12:41:18: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (b00c.d158.a38d) on Interface Gi2/0/26 AuditSessionID 0AF420D70001675C2E6560DE
Mar 28 12:41:18: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet1/0/36, new MAC address (0800.0fc0.c243) is seen.AuditSessionID 0AF420D70001675D2E6560DE
Mar 28 12:41:18: %AUTHMGR-5-MACREPLACE: MAC address (0800.0fc0.c243) on Interface GigabitEthernet1/0/36 is replaced by MAC (0800.0fc0.c243) AuditSessionID 0AF420D70001675D2E6560DE
Mar 28 12:41:18: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet1/0/16, new MAC address (842a.fd52.02a4) is seen.AuditSessionID 0AF420D70001675E2E6560E8
Mar 28 12:41:18: %AUTHMGR-5-MACREPLACE: MAC address (842a.fd52.02a4) on Interface GigabitEthernet1/0/16 is replaced by MAC (842a.fd52.02a4) AuditSessionID 0AF420D70001675E2E6560E8
Mar 28 12:41:18: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (0800.0fc0.c243) on Interface Gi1/0/36 AuditSessionID 0AF420D70001675D2E6560DE
Mar 28 12:41:18: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (842a.fd52.02a4) on Interface Gi1/0/16 AuditSessionID 0AF420D70001675E2E6560E8
Mar 28 12:41:19: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet2/0/45, new MAC address (b00c.d158.a27c) is seen.AuditSessionID 0AF420D70001675F2E6562F0
Mar 28 12:41:19: %AUTHMGR-5-MACREPLACE: MAC address (b00c.d158.a27c) on Interface GigabitEthernet2/0/45 is replaced by MAC (b00c.d158.a27c) AuditSessionID 0AF420D70001675F2E6562F0
Mar 28 12:41:19: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (b00c.d158.a27c) on Interface Gi2/0/45 AuditSessionID 0AF420D70001675F2E6562F0
Mar 28 12:41:19: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet1/0/16, new MAC address (842a.fd52.02a4) is seen.AuditSessionID 0AF420D7000167602E656598
Mar 28 12:41:19: %AUTHMGR-5-MACREPLACE: MAC address (842a.fd52.02a4) on Interface GigabitEthernet1/0/16 is replaced by MAC (842a.fd52.02a4) AuditSessionID 0AF420D7000167602E656598
Mar 28 12:41:19: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (842a.fd52.02a4) on Interface Gi1/0/16 AuditSessionID 0AF420D7000167602E656598
Mar 28 12:41:19: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet1/0/12, new MAC address (0800.0fc0.dece) is seen.AuditSessionID 0AF420D7000167622E65676E
Mar 28 12:41:19: %AUTHMGR-5-MACREPLACE: MAC address (0800.0fc0.dece) on Interface GigabitEthernet1/0/12 is replaced by MAC (0800.0fc0.dece) AuditSessionID 0AF420D7000167622E65676E
Mar 28 12:41:19: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (0800.0fc0.dece) on Interface Gi1/0/12 AuditSessionID 0AF420D7000167622E65676E
Mar 28 12:41:19: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet1/0/20, new MAC address (0800.0fc0.ddda) is seen.AuditSessionID 0AF420D7000167612E65676E
Mar 28 12:41:19: %AUTHMGR-5-MACREPLACE: MAC address (0800.0fc0.ddda) on Interface GigabitEthernet1/0/20 is replaced by MAC (0800.0fc0.ddda) AuditSessionID 0AF420D7000167612E65676E
Mar 28 12:41:19: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet2/0/20, new MAC address (040e.3c94.380a) is seen.AuditSessionID 0AF420D7000167632E65676E
Mar 28 12:41:19: %AUTHMGR-5-MACREPLACE: MAC address (040e.3c94.380a) on Interface GigabitEthernet2/0/20 is replaced by MAC (040e.3c94.380a) AuditSessionID 0AF420D7000167632E65676E
Mar 28 12:41:19: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet1/0/39, new MAC address (b00c.d158.a0b6) is seen.AuditSessionID 0AF420D7000167642E65676E
Mar 28 12:41:19: %AUTHMGR-5-MACREPLACE: MAC address (b00c.d158.a0b6) on Interface GigabitEthernet1/0/39 is replaced by MAC (b00c.d158.a0b6) AuditSessionID 0AF420D7000167642E65676E
Mar 28 12:41:19: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (0800.0fc0.ddda) on Interface Gi1/0/20 AuditSessionID 0AF420D7000167612E65676E
Mar 28 12:41:19: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (040e.3c94.380a) on Interface Gi2/0/20 AuditSessionID 0AF420D7000167632E65676E
Mar 28 12:41:19: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (b00c.d158.a0b6) on Interface Gi1/0/39 AuditSessionID 0AF420D7000167642E65676E
Mar 28 12:41:20: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet2/0/45, new MAC address (b00c.d158.a27c) is seen.AuditSessionID 0AF420D7000167652E6569B2
Mar 28 12:41:20: %AUTHMGR-5-MACREPLACE: MAC address (b00c.d158.a27c) on Interface GigabitEthernet2/0/45 is replaced by MAC (b00c.d158.a27c) AuditSessionID 0AF420D7000167652E6569B2
Mar 28 12:41:20: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (b00c.d158.a27c) on Interface Gi2/0/45 AuditSessionID 0AF420D7000167652E6569B2
Mar 28 12:41:21: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet1/0/16, new MAC address (842a.fd52.02a4) is seen.AuditSessionID 0AF420D7000167662E656B92
Mar 28 12:41:21: %AUTHMGR-5-MACREPLACE: MAC address (842a.fd52.02a4) on Interface GigabitEthernet1/0/16 is replaced by MAC (842a.fd52.02a4) AuditSessionID 0AF420D7000167662E656B92
Mar 28 12:41:21: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (842a.fd52.02a4) on Interface Gi1/0/16 AuditSessionID 0AF420D7000167662E656B92
Mar 28 12:41:21: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet2/0/31, new MAC address (f80d.ac1f.69d5) is seen.AuditSessionID 0AF420D7000167692E656BA6
Mar 28 12:41:21: %AUTHMGR-5-MACREPLACE: MAC address (f80d.ac1f.69d5) on Interface GigabitEthernet2/0/31 is replaced by MAC (f80d.ac1f.69d5) AuditSessionID 0AF420D7000167692E656BA6
Mar 28 12:41:21: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet2/0/20, new MAC address (040e.3c94.380a) is seen.AuditSessionID 0AF420D7000167672E656B92
Mar 28 12:41:21: %AUTHMGR-5-MACREPLACE: MAC address (040e.3c94.380a) on Interface GigabitEthernet2/0/20 is replaced by MAC (040e.3c94.380a) AuditSessionID 0AF420D7000167672E656B92
Mar 28 12:41:21: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet2/0/41, new MAC address (0800.0fc0.dd54) is seen.AuditSessionID 0AF420D7000167682E656B92
Mar 28 12:41:21: %AUTHMGR-5-MACREPLACE: MAC address (0800.0fc0.dd54) on Interface GigabitEthernet2/0/41 is replaced by MAC (0800.0fc0.dd54) AuditSessionID 0AF420D7000167682E656B92
Mar 28 12:41:21: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet2/0/3, new MAC address (0800.0fc0.e30e) is seen.AuditSessionID 0AF420D70001676A2E656C00
Mar 28 12:41:21: %AUTHMGR-5-MACREPLACE: MAC address (0800.0fc0.e30e) on Interface GigabitEthernet2/0/3 is replaced by MAC (0800.0fc0.e30e) AuditSessionID 0AF420D70001676A2E656C00
Mar 28 12:41:21: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (f80d.ac1f.69d5) on Interface Gi2/0/31 AuditSessionID 0AF420D7000167692E656BA6
Mar 28 12:41:21: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (040e.3c94.380a) on Interface Gi2/0/20 AuditSessionID 0AF420D7000167672E656B92
Mar 28 12:41:21: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (0800.0fc0.dd54) on Interface Gi2/0/41 AuditSessionID 0AF420D7000167682E656B92