07-15-2013 11:20 PM - edited 03-10-2019 08:39 PM
Dears
After configuring DOT1x on access ports, some ports show error-disabled without port-security being enabled. Is there any way to increase the number of MAC addresses allowed on the port? Is it possible to disable this feature?
07-16-2013 12:57 AM
Hi,
Send us the show run output of the interfaces.
Cheers
Pankaj
07-16-2013 01:05 AM
Here you are:
interface GigabitEthernet1/0/2
 switchport mode access
 switchport voice vlan 91
 authentication event fail action next-method
 authentication event server dead action reinitialize vlan 184
 authentication event server dead action authorize voice
 authentication host-mode multi-domain
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
07-16-2013 06:15 AM
Hi Eng.malak,
In the port config you provided, interface GigabitEthernet1/0/2 is configured for MDA, which means an IP phone and a single host behind the IP phone are authenticated independently, even though both the IP phone and the host machine are connected to a single switch port. If more than one device is detected in either domain, a security violation will be triggered. This can be a problem when a phone fails to authenticate properly. If a phone fails authentication, the switch does not receive the "device-traffic-class=voice" VSA from the RADIUS server and will assume that the failed device is in the data domain. However, if there is already a data device behind the phone, there will now be 2 devices in the data domain, and a security violation is triggered. On this port only 2 MAC addresses are allowed. The switch places the client machine in a data VLAN and the IP phone in a voice VLAN.
Configure the violation mode. The keywords have these meanings:
authentication violation {shutdown | restrict | protect | replace}
• shutdown - Error-disable the port.
• restrict - Generate a syslog error.
• protect - Drop packets from any new device that sends traffic to the port.
• replace - Removes the current session and authenticates with the new host.
~BR
Jatin Katyal
**Do rate helpful posts**
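A simplified model of the multi-domain behaviour and the four violation modes described in the answer above, as an added example that is not part of the original thread and is not Cisco code. The class, function names and MAC addresses are constructed for illustration, and the default mode of shutdown is an assumption consistent with the port going error-disabled with no violation command configured.

```python
from dataclasses import dataclass, field

MAX_PER_DOMAIN = 1  # MDA: one device in the voice domain, one in the data domain
VOICE_VSA = "device-traffic-class=voice"

@dataclass
class MdaPort:
    """Simplified model of one access port in multi-domain host mode."""
    violation: str = "shutdown"  # shutdown | restrict | protect | replace (default assumed)
    sessions: dict = field(default_factory=lambda: {"voice": [], "data": []})
    err_disabled: bool = False
    syslog: list = field(default_factory=list)

    def new_mac(self, mac, radius_attrs=()):
        """Handle a newly seen MAC; radius_attrs are the VSAs RADIUS returned."""
        if self.err_disabled:
            return "dropped (port err-disabled)"
        # Without the voice VSA the switch treats the device as a data device.
        domain = "voice" if VOICE_VSA in radius_attrs else "data"
        if mac in self.sessions[domain]:
            return f"already in {domain}"
        if len(self.sessions[domain]) < MAX_PER_DOMAIN:
            self.sessions[domain].append(mac)
            return f"authorized in {domain}"
        # Domain already full: security violation, outcome depends on the mode.
        if self.violation == "shutdown":
            self.err_disabled = True
            return "violation: port err-disabled"
        if self.violation == "restrict":
            self.syslog.append(f"security violation by {mac} in {domain} domain")
            return "violation: syslog generated"
        if self.violation == "protect":
            return "violation: packets dropped"
        if self.violation == "replace":
            self.sessions[domain] = [mac]
            return f"violation: session replaced in {domain}"
        raise ValueError(f"unknown violation mode {self.violation!r}")

def phone_fails_auth(mode):
    """PC authenticates first, then the phone's RADIUS reply lacks the voice VSA."""
    port = MdaPort(violation=mode)
    pc = port.new_mac("0000.5e00.5301")     # constructed MAC for the PC
    phone = port.new_mac("0000.5e00.5302")  # constructed MAC for the phone, no VSA
    return pc, phone, port

if __name__ == "__main__":
    for mode in ("shutdown", "restrict", "protect", "replace"):
        print(mode, "->", phone_fails_auth(mode)[1])
```
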