Dears
After configuring DOT1x on access ports, some ports show error disabled without enabling port-security. Is there any way to increase the number of MAC addresses allowed on the port? Is it possible to disable this feature?
Sent from Cisco Technical Support iPhone App
Hi,
Send us the show run commands of the interfaces.
Cheers
Pankaj
Here you are:
interface GigabitEthernet1/0/2
 switchport mode access
 switchport voice vlan 91
 authentication event fail action next-method
 authentication event server dead action reinitialize vlan 184
 authentication event server dead action authorize voice
 authentication host-mode multi-domain
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
Hi Eng.malak,
In the port config you provided, interface GigabitEthernet1/0/2 is configured for MDA. That means an IP phone and a single host behind the IP phone are authenticated independently, even though both the IP phone and the host machine are connected to a single switch port. If more than one device is detected in either domain, a security violation will be triggered. This can be a problem when a phone fails to authenticate properly. If a phone fails authentication, the switch does not receive the "device-traffic-class=voice" VSA from the RADIUS server, and the switch will assume that the failed device is in the data domain. However, if there is already a data device behind the phone, there will now be 2 devices in the data domain, and a security violation is triggered. On this port only 2 MAC addresses are allowed. The switch places the client machine in a data VLAN and the IP phone in a voice VLAN.
Configure the violation mode. The keywords have these meanings:
authentication violation {shutdown | restrict | protect | replace}
• shutdown - Error-disable the port.
• restrict - Generate a syslog error.
• protect - Drop packets from any new device that sends traffic to the port.
• replace - Remove the current session and authenticate with the new host.
~BR
Jatin Katyal
**Do rate helpful posts**
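
The failure case described in the answer above, as an added Python toy model (not Cisco code and not part of the original thread): it tracks one device per domain on a multi-domain port and applies the four violation modes. The class and function names and the MAC addresses are constructed for illustration.

```python
# Toy model of a multi-domain (MDA) port, following the answer's description.
# All names are hypothetical; MAC addresses are constructed sample values.
VOICE_VSA = "device-traffic-class=voice"
MODES = ("shutdown", "restrict", "protect", "replace")

class MdaPort:
    def __init__(self, violation="shutdown"):
        if violation not in MODES:
            raise ValueError(f"unknown violation mode: {violation}")
        self.violation = violation
        self.sessions = {"voice": None, "data": None}  # one MAC per domain
        self.err_disabled = False
        self.syslog = []

    def see_mac(self, mac, radius_attrs=()):
        """Account for a MAC detected on the port; radius_attrs are its VSAs."""
        if self.err_disabled:
            return "port-down"
        # Without the voice VSA the switch counts the device in the data domain.
        domain = "voice" if VOICE_VSA in radius_attrs else "data"
        if self.sessions[domain] in (None, mac):
            self.sessions[domain] = mac
            return f"tracked:{domain}"
        # A second device in the same domain is a security violation.
        if self.violation == "shutdown":
            self.err_disabled = True
            return "err-disabled"
        if self.violation == "restrict":
            self.syslog.append(f"security violation: {mac} in {domain} domain")
            return "dropped+syslog"
        if self.violation == "protect":
            return "dropped"
        self.sessions[domain] = mac  # replace: new host takes over the session
        return f"replaced:{domain}"

def phone_fails_auth(violation):
    """PC behind the phone is seen first, then the phone comes back without the VSA."""
    port = MdaPort(violation)
    pc = port.see_mac("0000.0000.00aa")       # PC lands in the data domain
    phone = port.see_mac("0000.0000.00bb")    # phone failed auth: no voice VSA
    return pc, phone, port

if __name__ == "__main__":
    for mode in MODES:
        pc, phone, port = phone_fails_auth(mode)
        print(f"{mode:9} pc={pc} phone={phone} err_disabled={port.err_disabled}")
```

With the default shutdown mode the second data-domain MAC error-disables the port, which matches the symptom in the question; the other three modes leave the port up.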