eng.malak
Beginner

ISE error disable interface


Dears,
After configuring DOT1x on access ports, some ports show error-disabled without port-security being enabled. Is there any way to increase the number of MAC addresses allowed on the port? Is it possible to disable this feature?


Sent from Cisco Technical Support iPhone App

3 REPLIES
pankaj29in
Beginner

Hi,

Send us the show run commands of the interfaces.

Cheers

Pankaj

here you are

interface GigabitEthernet1/0/2
 switchport mode access
 switchport voice vlan 91
 authentication event fail action next-method
 authentication event server dead action reinitialize vlan 184
 authentication event server dead action authorize voice
 authentication host-mode multi-domain
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast

Hi Eng.malak,

The port config you provided shows that interface GigabitEthernet1/0/2 is configured for MDA. That means an IP phone and a single host behind the IP phone are authenticated independently, even though both the IP phone and the host machine are connected to a single switch port. If more than one device is detected in either domain, a security violation is triggered. This can be a problem when a phone fails to authenticate properly: if a phone fails authentication, the switch does not receive the "device-traffic-class=voice" VSA from the RADIUS server and assumes that the failed device is in the data domain. If there is already a data device behind the phone, there are now 2 devices in the data domain, and a security violation is triggered. On this port only 2 MAC addresses are allowed. The switch places the client machine in a data VLAN and the IP phone in a voice VLAN.

Configure the violation mode. The keywords have these meanings:

authentication violation {shutdown | restrict | protect | replace}

• shutdown - Error-disable the port.

• restrict - Generate a syslog error.

• protect - Drop packets from any new device that sends traffic to the port.

• replace - Remove the current session and authenticate with the new host.

Configuring 802.1x Violation Modes

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_55_se/configuration/guide/sw8021x.html#wp1324086

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin
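As an added example (not part of the thread and not Cisco's own documentation): the interface from the original post with the violation mode set explicitly to restrict instead of the default shutdown, a global err-disable recovery timer as a safety net if shutdown is kept, and the show commands used to confirm the state. It goes one step beyond the reply by also showing the multi-auth host-mode for the case where several data devices are genuinely expected; the errdisable and multi-auth commands are assumed to be supported on the poster's platform.

```cisco
! Added example (not from the thread). Same interface as the original
! post, with an explicit violation mode so a second data-domain MAC
! raises a syslog message while the port stays up, instead of the
! port being err-disabled. "authentication violation" is a
! per-interface command; when it is absent the default is shutdown.
interface GigabitEthernet1/0/2
 switchport mode access
 switchport voice vlan 91
 authentication event fail action next-method
 authentication event server dead action reinitialize vlan 184
 authentication event server dead action authorize voice
 authentication host-mode multi-domain
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 dot1x pae authenticator
 spanning-tree portfast
!
! If several data devices are legitimately expected behind the phone
! (assumption: the platform supports multi-auth), authenticate each
! data MAC individually instead of limiting the data domain to one host:
!  authentication host-mode multi-auth
!
! Global safety net if the shutdown action is kept: recover
! err-disabled ports automatically after 300 seconds instead of
! requiring a manual shutdown / no shutdown on each one.
errdisable recovery cause security-violation
errdisable recovery interval 300
!
! Verification (exec mode)
! show interfaces status err-disabled
! show errdisable recovery
! show authentication sessions interface GigabitEthernet1/0/2
```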