cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1714
Views
0
Helpful
4
Replies

Error Disable on port after applying .1X config

Mohammad Alsouqi
Beginner
Beginner

Hi Guys,

 

I'm installing ISE 1.2 on the network and when testing with few machines, some of them reported "errdisable" status on the port after applying the .1X configuration. The config for the port I have is:

switchport access vlan 10

switchport mode access

switchport voice vlan 100

ip access-group Default-ACL in

authentication event fail action next-method

authentication event server alive action reinitialize

 authentication host-mode multi-domain

authentication order mab dot1x webauth

authentication priority dot1x mab webauth

authentication port-control auto

authentication periodic

authentication timer reauthenticate server

mab

snmp trap mac-notification change added

snmp trap mac-notification change removed

dot1x pae authenticator

dot1x timeout tx-period 2

spanning-tree portfast

spanning-tree bpduguard enable

 

When I remove the .1X config on the port it comes up fine. Shutting and un-shutting the port couldn't recover it. I don't have any port security configured.

 

Any ideas?

 

Thanks,

Mohammad

4 Replies 4

jan.nielsen
Rising star
Rising star

Is there anything connected to that port ? sounds like you have more than one device on there, or you have a phone and a pc, but the phone is not getting put into the voice vlan perhaps. What does the switch log say ?

Hey Guys,

 

I have PC and IP phone connected to the port. Before applying .1x:

sh mac address-table int fa0/27

          Mac Address Table

-------------------------------------------

 

Vlan    Mac Address       Type        Ports

----    -----------       --------    -----

100    580a.2098.3010    DYNAMIC     Fa0/27

108    2c27.d71d.4089    DYNAMIC     Fa0/27

Total Mac Addresses for this criterion: 2

 

In the switch log, it's complaining about security violation:

*Sep 28 00:41:45.855: %AUTHMGR-5-START: Starting 'mab' for client (580a.2098.3010) on Interface Fa0/27 AuditSessionID 8282822A000070AC3EC3F50E

*Sep 28 00:41:45.897: %MAB-5-SUCCESS: Authentication successful for client (580a.2098.3010) on Interface Fa0/27 AuditSessionID 8282822A000070AC3EC3F50E

*Sep 28 00:41:45.897: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (580a.2098.3010) on Interface Fa0/27 AuditSessionID 8282822A000070AC3EC3F50E

*Sep 28 00:41:46.568: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (580a.2098.3010) on Interface Fa0/27 AuditSessionID 8282822A000070AC3EC3F50E

*Sep 28 00:42:44.811: %AUTHMGR-5-START: Starting 'mab' for client (2c27.d71d.4089) on Interface Fa0/27 AuditSessionID 8282822A000070AD3EC4F8CE

*Sep 28 00:42:44.836: %MAB-5-SUCCESS: Authentication successful for client (2c27.d71d.4089) on Interface Fa0/27 AuditSessionID 8282822A000070AD3EC4F8CE

*Sep 28 00:42:44.836: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (2c27.d71d.4089) on Interface Fa0/27 AuditSessionID 8282822A000070AD3EC4F8CE

*Sep 28 00:42:44.844: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface FastEthernet0/27, new MAC address (2c27.d71d.4089) is seen.AuditSessionID  8282822A000070AD3EC4F8CE

*Sep 28 00:42:44.844: %PM-4-ERR_DISABLE: security-violation error detected on Fa0/27, putting Fa0/27 in err-disable state

*Sep 28 00:42:45.876: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/27, changed state to down

*Sep 28 00:42:46.874: %LINK-3-UPDOWN: Interface FastEthernet0/27, changed state to down

 

Thanks,

Mohammad

The bits you've shared appear correct.

Can you confirm CDP is enabled at the port level and that with dot1x config the phone is assigned to the voice VLAN? (i.e check it without the PC connected to the phone so the port doesn't err-disable)

I'm also wondering what AuthC method you have setup that the PC is authenticating via MAB and not dot1x.

Marvin Rhoads
VIP Community Legend VIP Community Legend
VIP Community Legend

I agree with Jan.

Your command "authentication host-mode multi-domain" causes the port to behavior similar to as if it had port-security in that it allows only one voice and one data device to authenticate. You could instead try "authentication host-mode multi-auth".

First I'd check the output of "show mac address-table int <module/port>" without 802.1X enabled to see what all is connected to the port in question. Then re-enable it and watch the logs.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers