Error Disable on port after applying .1X config

Hi Guys,

 

I'm installing ISE 1.2 on the network and when testing with a few machines, some of them reported "errdisable" status on the port after applying the .1X configuration. The config for the port I have is:

switchport access vlan 10
switchport mode access
switchport voice vlan 100
ip access-group Default-ACL in
authentication event fail action next-method
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order mab dot1x webauth
authentication priority dot1x mab webauth
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
dot1x timeout tx-period 2
spanning-tree portfast
spanning-tree bpduguard enable

 

When I remove the .1X config on the port it comes up fine. Shutting and un-shutting the port couldn't recover it. I don't have any port security configured.

 

Any ideas?

 

Thanks,

Mohammad

5 Replies

jan.nielsen
Level 7

Is there anything connected to that port? Sounds like you have more than one device on there, or you have a phone and a PC, but the phone is not getting put into the voice VLAN perhaps. What does the switch log say?

Hey Guys,

 

I have a PC and an IP phone connected to the port. Before applying .1x:

sh mac address-table int fa0/27
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
100    580a.2098.3010    DYNAMIC     Fa0/27
108    2c27.d71d.4089    DYNAMIC     Fa0/27
Total Mac Addresses for this criterion: 2

 

In the switch log, it's complaining about security violation:

*Sep 28 00:41:45.855: %AUTHMGR-5-START: Starting 'mab' for client (580a.2098.3010) on Interface Fa0/27 AuditSessionID 8282822A000070AC3EC3F50E
*Sep 28 00:41:45.897: %MAB-5-SUCCESS: Authentication successful for client (580a.2098.3010) on Interface Fa0/27 AuditSessionID 8282822A000070AC3EC3F50E
*Sep 28 00:41:45.897: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (580a.2098.3010) on Interface Fa0/27 AuditSessionID 8282822A000070AC3EC3F50E
*Sep 28 00:41:46.568: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (580a.2098.3010) on Interface Fa0/27 AuditSessionID 8282822A000070AC3EC3F50E
*Sep 28 00:42:44.811: %AUTHMGR-5-START: Starting 'mab' for client (2c27.d71d.4089) on Interface Fa0/27 AuditSessionID 8282822A000070AD3EC4F8CE
*Sep 28 00:42:44.836: %MAB-5-SUCCESS: Authentication successful for client (2c27.d71d.4089) on Interface Fa0/27 AuditSessionID 8282822A000070AD3EC4F8CE
*Sep 28 00:42:44.836: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (2c27.d71d.4089) on Interface Fa0/27 AuditSessionID 8282822A000070AD3EC4F8CE
*Sep 28 00:42:44.844: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface FastEthernet0/27, new MAC address (2c27.d71d.4089) is seen.AuditSessionID  8282822A000070AD3EC4F8CE
*Sep 28 00:42:44.844: %PM-4-ERR_DISABLE: security-violation error detected on Fa0/27, putting Fa0/27 in err-disable state
*Sep 28 00:42:45.876: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/27, changed state to down
*Sep 28 00:42:46.874: %LINK-3-UPDOWN: Interface FastEthernet0/27, changed state to down

 

Thanks,

Mohammad

The bits you've shared appear correct.

Can you confirm CDP is enabled at the port level and that with the dot1x config the phone is assigned to the voice VLAN? (i.e. check it without the PC connected to the phone so the port doesn't err-disable)

I'm also wondering what AuthC method you have set up, given that the PC is authenticating via MAB and not dot1x.

Marvin Rhoads
Hall of Fame

I agree with Jan.

Your command "authentication host-mode multi-domain" causes the port to behave much as if it had port-security, in that it allows only one voice and one data device to authenticate. You could instead try "authentication host-mode multi-auth".

First I'd check the output of "show mac address-table int <module/port>" without 802.1X enabled to see what all is connected to the port in question. Then re-enable it and watch the logs.
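To make the check Jan and Marvin describe repeatable, here is an added example (not code from the thread or from Cisco) that walks the %AUTHMGR/%PM syslog lines Mohammad posted, records which MACs completed authorization on each port, and flags the port that hit a security violation together with what the configured host-mode permits. The sample log is a constructed excerpt of the lines above; the host-mode descriptions are my summary of the thread's explanation.

```python
import re
from collections import defaultdict

# Constructed sample: the AUTHMGR/PM lines from this thread (other lines omitted).
SAMPLE_LOG = """\
*Sep 28 00:41:45.855: %AUTHMGR-5-START: Starting 'mab' for client (580a.2098.3010) on Interface Fa0/27 AuditSessionID 8282822A000070AC3EC3F50E
*Sep 28 00:41:46.568: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (580a.2098.3010) on Interface Fa0/27 AuditSessionID 8282822A000070AC3EC3F50E
*Sep 28 00:42:44.811: %AUTHMGR-5-START: Starting 'mab' for client (2c27.d71d.4089) on Interface Fa0/27 AuditSessionID 8282822A000070AD3EC4F8CE
*Sep 28 00:42:44.844: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface FastEthernet0/27, new MAC address (2c27.d71d.4089) is seen.AuditSessionID  8282822A000070AD3EC4F8CE
*Sep 28 00:42:44.844: %PM-4-ERR_DISABLE: security-violation error detected on Fa0/27, putting Fa0/27 in err-disable state
"""

# What each host-mode permits on a port. Under multi-domain a second MAC is only
# accepted in the voice domain, so a phone that is not placed in the voice VLAN
# plus a PC looks like two data devices and trips a security violation.
HOST_MODE_RULE = {
    "single-host": "one MAC on the data VLAN",
    "multi-domain": "one MAC on the data VLAN plus one MAC on the voice VLAN",
    "multi-auth": "any number of MACs, each authenticated separately",
}

SUCCESS_RE = re.compile(r"%AUTHMGR-5-SUCCESS: Authorization succeeded for client "
                        r"\(([0-9a-f.]+)\) on Interface ([^\s,]+)")
VIOLATION_RE = re.compile(r"%AUTHMGR-5-SECURITY_VIOLATION: Security violation on the "
                          r"interface ([^\s,]+), new MAC address \(([0-9a-f.]+)\)")
ERRDISABLE_RE = re.compile(r"%PM-4-ERR_DISABLE: ([^\s,]+) error detected on ([^\s,]+)")


def short_ifname(name):
    """Normalise long and short interface names (FastEthernet0/27 -> Fa0/27)."""
    return re.sub(r"^GigabitEthernet", "Gi", re.sub(r"^FastEthernet", "Fa", name))


def analyze(log_text, host_mode="multi-domain"):
    """Return {interface: finding} for every port that logged a security violation."""
    authorized = defaultdict(list)   # interface -> MACs that completed authorization
    findings = {}
    for line in log_text.splitlines():
        if m := SUCCESS_RE.search(line):
            mac, ifname = m.groups()
            authorized[short_ifname(ifname)].append(mac)
        elif m := VIOLATION_RE.search(line):
            ifname = short_ifname(m.group(1))
            f = findings.setdefault(ifname, {})
            f["violating_mac"] = m.group(2)
            f["authorized_before"] = list(authorized[ifname])
            f["host_mode_rule"] = HOST_MODE_RULE[host_mode]
        elif m := ERRDISABLE_RE.search(line):
            findings.setdefault(short_ifname(m.group(2)), {})["errdisable_cause"] = m.group(1)
    return findings


if __name__ == "__main__":
    for port, finding in analyze(SAMPLE_LOG).items():
        print(port, finding)
```

Run it against the output of "show logging" after re-enabling 802.1X on the port; a finding whose authorized_before already holds one data MAC under multi-domain points at the voice-VLAN assignment Jan asked about rather than at port-security.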

Hello Marvin,

Your suggestion helped a lot!

Many thanks.

Best regards,

RUi Almeida.