cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2128
Views
5
Helpful
25
Replies

CAN NOT AUTHENTICATE IP PHONE DUE SECURITY_VIOLATION ERROR

Hi,

 

I have the IP Phone and Laptop connected to the same switch port. Although I use the authentication host-mode multi-domain command I have a security violation error:


%AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface Fa0/15, new MAC address (AAA.AAA.AAA) is seen.AuditSessionID 0A641040000050803C8E78D9 May 15 17:15:36

 

Cisco İSE shows that IP Phone and Laptop are authenticated and everything is OK but actually I can not authenticate IP Phone.

 

Could you please help me with that issue?

25 Replies 25

Hi,

 

Yes, I have Cisco IP Phones and they do not obtain the IP address. I also have authentication mac-move permit command

Does the phone get ip when interface has basic setup like one below:

 

switchport access vlan 10
switchport mode access
switchport voice vlan 20
spanning-tree portfast

Yes, IP Phone obtains IP address with this simple configuration

AS I see from show auth session 
auth success and authz success but the VLAN not assign and hence the IP Phone get VLAN 10 not VLAN 20, 
so one Q are ISE have Voice domain permission enable ??

Yes, I created an authorization profile with voice domain permission 

Do you have the global command "aaa authorization network default group radius" (or similar) on your switch config?

Yes, I have. There is no problem with other devices

Suggest config TRY this for one port and if it success monitor port.

switchport access vlan 10
switchport mode access
switchport voice vlan 20
authentication event server dead action authorize vlan 30
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order mab dot1x
authentication priority dot1x mab

authentication event fail action next-method

authentication periodic
authentication timer reauthenticate server
authentication violation restrict
dot1x pae authenticator
dot1x timeout tx-period 15
spanning-tree pordtfast

can you double check that VLAN voice is same as you enter in SW?

 

for detail can I know 
what is SW model you use and IP Phone and OS of PC connect behind the IP Phone.

Voice VLAN ID is 20 and the IP Phone model is Cisco 7911.

 

I did your configuration but the same error still exists.

 

The problem is a security violation. Although there are two devices mac tables learn three mac addresses.

 

I try without dot1x configuration and here is the result:

 

sh run int fa0/15

switchport mode access 

switchport ac vlan 10

switchport voice vlan 20

 

Vlan Mac Address Type Ports
---- ----------- -------- -----
20 AAA.AAA.AAA DYNAMIC Fa0/15
10 AAA.AAA.AAA DYNAMIC Fa0/15
10 BBB.BBB.BBB DYNAMIC Fa0/15

 

This is the normal behavior of the switch. It learns IP Phone's mac address from DATA and VOICE VLANs and it works but when I issue dot1x configuration switch can not authenticate IP Phone because of security violation restrict error.

 

%AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface Fa0/15, new MAC address (AAA.AAA.AAA) is seen.AuditSessionID 0A641040000050803C8E78D9

 

 

are this is SW ? if yes what is model/ver?
please also check the below bug
https://bst.cisco.com/bugsearch/bug/CSCtn96939

Cisco IOS Software, C3560 Software (C3560-IPBASEK9-M), Version 12.2(55)SE12

Review Cisco Networking for a $25 gift card