CAN NOT AUTHENTICATE IP PHONE DUE TO SECURITY_VIOLATION ERROR

Hi,

 

I have the IP Phone and Laptop connected to the same switch port. Although I use the authentication host-mode multi-domain command I have a security violation error:


%AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface Fa0/15, new MAC address (AAA.AAA.AAA) is seen.AuditSessionID 0A641040000050803C8E78D9 May 15 17:15:36

 

Cisco ISE shows that the IP Phone and Laptop are authenticated and everything is OK, but actually I can not authenticate the IP Phone.

 

Could you please help me with that issue?

25 Replies

Hi,

 

Yes, I have Cisco IP Phones and they do not obtain an IP address. I also have the authentication mac-move permit command.

Does the phone get an IP when the interface has a basic setup like the one below:

 

switchport access vlan 10
switchport mode access
switchport voice vlan 20
spanning-tree portfast

Yes, the IP Phone obtains an IP address with this simple configuration.

As I see from show auth session, auth success and authz success, but the VLAN is not assigned and hence the IP Phone gets VLAN 10, not VLAN 20.
So one question: does ISE have Voice Domain Permission enabled?

Yes, I created an authorization profile with Voice Domain Permission.

Do you have the global command "aaa authorization network default group radius" (or similar) on your switch config?

Yes, I have. There is no problem with other devices.

Suggested config. Try this on one port and, if it succeeds, monitor the port.

switchport access vlan 10
switchport mode access
switchport voice vlan 20
authentication event server dead action authorize vlan 30
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order mab dot1x
authentication priority dot1x mab
authentication event fail action next-method
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
dot1x pae authenticator
dot1x timeout tx-period 15
spanning-tree portfast

Can you double check that the voice VLAN is the same as the one you entered on the switch?

 

For detail, can I know which switch model you use, the IP Phone model, and the OS of the PC connected behind the IP Phone?

Voice VLAN ID is 20 and the IP Phone model is Cisco 7911.

 

I applied your configuration, but the same error still exists.

 

The problem is a security violation. Although there are two devices, the MAC table learns three MAC addresses.

 

I tried without the dot1x configuration and here is the result:

 

sh run int fa0/15

switchport mode access
switchport access vlan 10
switchport voice vlan 20

Vlan Mac Address Type Ports
---- ----------- -------- -----
20 AAA.AAA.AAA DYNAMIC Fa0/15
10 AAA.AAA.AAA DYNAMIC Fa0/15
10 BBB.BBB.BBB DYNAMIC Fa0/15

 

This is the normal behavior of the switch. It learns the IP Phone's MAC address in both the DATA and VOICE VLANs and it works, but when I apply the dot1x configuration the switch can not authenticate the IP Phone because of the security violation restrict error.

 

%AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface Fa0/15, new MAC address (AAA.AAA.AAA) is seen.AuditSessionID 0A641040000050803C8E78D9
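The post above shows the diagnostic at the heart of this thread: two physical devices on Fa0/15, but three MAC-table entries, because the phone's MAC is learned in both the data VLAN and the voice VLAN. The script below is an added example (not code from the thread or from Cisco) that reads a MAC address-table dump and AUTHMGR syslog lines in the same layout as the ones quoted, flags any port where a single MAC is learned in more than one VLAN, counts MACs per domain against what multi-domain host mode permits (one in the data VLAN, one in the voice VLAN), and ties each SECURITY_VIOLATION message to the MAC-table state of the port it names. The sample table and syslog are constructed; the MAC addresses and AuditSessionID are the same placeholder values the original poster used, and the second syslog line (an AUTHMGR-5-START message for the laptop) is added only to show that non-violation lines are ignored.

```python
"""Added example (not from the thread): correlate Cisco MAC-table output with
AUTHMGR security-violation syslog lines to spot a phone MAC learned in both the
data and voice VLANs of a multi-domain port. All input below is constructed."""
import re
from collections import defaultdict

# Constructed sample in the layout of "show mac address-table": the three
# entries for Fa0/15 reproduce the situation described in the post above,
# Fa0/16 is an ordinary single-host port for contrast.
MAC_TABLE = """\
Vlan Mac Address Type Ports
---- ----------- -------- -----
20 AAA.AAA.AAA DYNAMIC Fa0/15
10 AAA.AAA.AAA DYNAMIC Fa0/15
10 BBB.BBB.BBB DYNAMIC Fa0/15
10 CCC.CCC.CCC DYNAMIC Fa0/16
"""

# Constructed sample syslog; the first line is the message quoted in the thread,
# the second is a non-violation AUTHMGR line that the parser must ignore.
SYSLOG = """\
%AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface Fa0/15, new MAC address (AAA.AAA.AAA) is seen.AuditSessionID 0A641040000050803C8E78D9
%AUTHMGR-5-START: Starting 'mab' for client (BBB.BBB.BBB) on Interface Fa0/15 AuditSessionID 0A641040000050803C8E78DA
"""

# Data rows start with a numeric VLAN id, so the header and dashes are skipped.
MAC_ROW = re.compile(r"^\s*(\d+)\s+([0-9A-Fa-f.]+)\s+(\w+)\s+(\S+)\s*$")
VIOLATION = re.compile(
    r"%AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface "
    r"(?P<port>\S+), new MAC address \((?P<mac>[0-9A-Fa-f.]+)\) is seen\.\s*"
    r"AuditSessionID (?P<sid>\S+)"
)


def parse_mac_table(text):
    """Return {port: {mac: set(vlans)}} from a MAC address-table dump."""
    table = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        m = MAC_ROW.match(line)
        if m:
            vlan, mac, _entry_type, port = m.groups()
            table[port][mac.lower()].add(int(vlan))
    return table


def port_findings(table, data_vlan, voice_vlan):
    """Per port: entry/MAC counts, MACs seen in more than one VLAN, and whether
    the port holds more MACs per domain than multi-domain host mode allows
    (one in the data VLAN, one in the voice VLAN)."""
    findings = {}
    for port, macs in table.items():
        dual = sorted(mac for mac, vlans in macs.items() if len(vlans) > 1)
        data = sum(1 for vlans in macs.values() if data_vlan in vlans)
        voice = sum(1 for vlans in macs.values() if voice_vlan in vlans)
        findings[port] = {
            "entries": sum(len(v) for v in macs.values()),
            "distinct_macs": len(macs),
            "data_macs": data,
            "voice_macs": voice,
            "dual_vlan_macs": dual,
            "exceeds_multi_domain": data > 1 or voice > 1,
        }
    return findings


def parse_violations(text):
    """Extract port, MAC and AuditSessionID from SECURITY_VIOLATION lines only."""
    hits = (VIOLATION.search(line) for line in text.splitlines())
    return [m.groupdict() for m in hits if m]


def correlate(table, violations):
    """For each violation, report the VLANs in which the offending MAC was
    learned on that port; more than one VLAN is the phone-in-both-domains case."""
    out = []
    for v in violations:
        vlans = table.get(v["port"], {}).get(v["mac"].lower(), set())
        out.append({**v, "vlans_on_port": sorted(vlans),
                    "learned_in_multiple_vlans": len(vlans) > 1})
    return out


if __name__ == "__main__":
    table = parse_mac_table(MAC_TABLE)
    for port, f in sorted(port_findings(table, data_vlan=10, voice_vlan=20).items()):
        print(port, f)
    for c in correlate(table, parse_violations(SYSLOG)):
        print(c)
```

Run against the constructed input, Fa0/15 reports two MACs in the data VLAN (the phone and the laptop) plus one in the voice VLAN, so the data domain exceeds the single MAC multi-domain allows, and the violation for AAA.AAA.AAA is correlated with that MAC being learned in both VLAN 10 and VLAN 20. Pasting real "show mac address-table interface" and "show logging" output into the two strings applies the same check to a live port.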

 

 

Is this the switch? If yes, what is the model/version?
Please also check the bug below:
https://bst.cisco.com/bugsearch/bug/CSCtn96939

Cisco IOS Software, C3560 Software (C3560-IPBASEK9-M), Version 12.2(55)SE12
