05-16-2022 04:46 AM
Hi,
I have the IP Phone and Laptop connected to the same switch port. Although I use the authentication host-mode multi-domain command I have a security violation error:
%AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface Fa0/15, new MAC address (AAA.AAA.AAA) is seen.AuditSessionID 0A641040000050803C8E78D9 May 15 17:15:36
Cisco ISE shows that the IP Phone and Laptop are authenticated and everything is OK, but actually I cannot authenticate the IP Phone.
Could you please help me with that issue?
05-16-2022 04:52 AM
Hi
Can you share the command "show run int Fa0/15"
It seems to me that you have Port-Security on this port and you are violating the 'one mac-address' policy.
05-16-2022 05:09 AM
sh run int fa0/15
switchport access vlan 10
switchport mode access
switchport voice vlan 20
authentication event server dead action authorize vlan 30
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 15
spanning-tree portfast
This is the switch port configuration.
05-16-2022 05:31 AM
The command "authentication violation restrict" must be causing this behavior. That's interesting because you have the command "authentication host-mode multi-domain".
Can you issue a "no authentication violation restrict"? Just to confirm.
05-16-2022 06:11 AM
I issued "no authentication violation restrict", but there is the same error again because of the default configuration, so it did not help. The problem is that I have three MAC addresses in the MAC table:
SW#sh mac add int fastEthernet 0/15
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  20    AAA.AAA.AAA       STATIC      Drop
  10    BBB.BBB.BBB       STATIC      Fa0/15
  10    AAA.AAA.AAA       STATIC      Fa0/15
05-16-2022 07:07 AM
Pretty weird, right! Why three MAC addresses if you have a PC and a phone?
Can you change the policy to accept 3 MACs?
05-17-2022 11:01 PM - edited 05-17-2022 11:02 PM
I used the "authentication host-mode multi-auth" command, which provides a means of authenticating multiple hosts on a single port, but I still have the same error.
05-20-2022 02:31 AM
Yeah, but this feature can conflict with others. Multi-domain can allow multiple devices, but security does not like multiple MAC addresses on the same port because it could be another switch, for example.
I think you need to track down why there are 3 MAC addresses. The error message is pretty clear:
%AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface
05-20-2022 03:33 AM
I think this IOS handles learning MAC addresses in that way. It learns the IP Phone's MAC address in the data VLAN and then changes it to the voice VLAN, but does not clear the old entry. That is the reason for the three MAC addresses. I used the "authentication host-mode multi-auth" and "authentication host-mode multi-host" commands, but the same problem still exists.
05-16-2022 07:13 AM - edited 05-16-2022 07:58 AM
This indicates that the IP Phone/PC is authenticated twice, if MAC address AAA.AAA.AAA is for the IP Phone/PC.
On that one port, remove the two commands below and check if this solves your issue.
authentication order dot1x mab <- remove this
authentication priority dot1x mab <- remove this
05-19-2022 03:31 AM
@RustamRustamov1023
Hi, you think that my suggestion is not right?
There are two methods:
flex auth, by using order/priority
fallback, by configuring mab
The two look the same at first, but they can affect the auth success/failed process.
So you must select one method.
05-19-2022 05:47 AM
Hi,
I removed those commands, but the problem still exists.
05-19-2022 06:02 AM
OK, did you shut down and then no shut the port?
If you do not do that, the auth session still appears on the port.
Also, can I see "show auth session detail"?
05-19-2022 11:11 PM - edited 05-19-2022 11:13 PM
Yes, I did the shut and no shut commands. Here is the output:
Interface: FastEthernet0/15
MAC Address: BBB.BBB.BBB
IP Address: Unknown
User-Name: host/example.com
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-domain
Oper control dir: both
Authorized By: Authentication Server
Vlan Group: N/A
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A6410400000540E60BC71B4
Acct Session ID: 0x000056D0
Handle: 0x8D000466
Runnable methods list:
Method State
dot1x Authc Success
mab Not run
SW-3D.Floor#sh mac add int fastEthernet 0/15
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  20    AAA.AAA.AAA       STATIC      Drop
  10    AAA.AAA.AAA       STATIC      Drop
  10    BBB.BBB.BBB       STATIC      Fa0/15
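The pattern in the outputs above (one MAC appearing in both the data and voice VLAN, in Drop state, with no authenticated session for it) is the kind of thing worth checking mechanically when chasing an AUTHMGR-5-SECURITY_VIOLATION on a multi-domain port. The following Python script is an added example, not code from the thread or from Cisco: it parses the violation syslog line, the MAC address table and the "show authentication sessions ... detail" output, and reports for each MAC named in a violation which VLANs it was learned in, whether its entries are in Drop state, and which authentication domain (if any) it has a session in. The sample inputs are constructed from the redacted outputs posted in the thread; the switch hostname in the syslog line is an assumption.

```python
"""Correlate AUTHMGR security-violation syslog lines with the MAC table and
the authentication-session table of a multi-domain 802.1X/MAB port.

Added example. All inputs below are constructed from the (redacted) outputs
posted in the thread; the hostname in the syslog line is an assumption.
"""
import re
from collections import defaultdict

# Constructed sample: the violation line as logged by the switch.
SYSLOG = (
    "May 15 17:15:36 SW-3D.Floor %AUTHMGR-5-SECURITY_VIOLATION: Security violation "
    "on the interface Fa0/15, new MAC address (AAA.AAA.AAA) is seen."
    "AuditSessionID 0A641040000050803C8E78D9"
)

# Constructed sample: 'show mac address-table interface fastEthernet 0/15'.
MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  20    AAA.AAA.AAA       STATIC      Drop
  10    AAA.AAA.AAA       STATIC      Drop
  10    BBB.BBB.BBB       STATIC      Fa0/15
"""

# Constructed sample: 'show authentication sessions interface fa0/15 detail'
# (only the fields this script uses are kept).
AUTH_SESSIONS = """\
Interface: FastEthernet0/15
MAC Address: BBB.BBB.BBB
IP Address: Unknown
User-Name: host/example.com
Status: Authz Success
Domain: DATA
Oper host mode: multi-domain
"""

# AUTHMGR violation line: capture the interface and the offending MAC.
VIOLATION_RE = re.compile(
    r"%AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface (\S+), "
    r"new MAC address \(([0-9A-Fa-f.]+)\) is seen"
)
# One data row of the MAC table: VLAN, MAC, type, port (header rows do not start with digits).
MAC_ROW_RE = re.compile(r"^\s*(\d+)\s+([0-9A-Fa-f.]+)\s+(\S+)\s+(\S+)\s*$")


def parse_violations(log):
    """Return a list of (interface, mac) tuples, one per violation line."""
    return VIOLATION_RE.findall(log)


def parse_mac_table(text):
    """Return the MAC table rows as dicts with vlan (int), mac, type and port."""
    rows = []
    for line in text.splitlines():
        m = MAC_ROW_RE.match(line)
        if m:
            vlan, mac, typ, port = m.groups()
            rows.append({"vlan": int(vlan), "mac": mac, "type": typ, "port": port})
    return rows


def parse_sessions(text):
    """Map each session's MAC address to its authentication domain (DATA/VOICE)."""
    sessions, mac = {}, None
    for line in text.splitlines():
        key, _, value = line.strip().partition(":")
        key, value = key.strip(), value.strip()
        if key == "MAC Address":
            mac = value
        elif key == "Domain" and mac:
            sessions[mac] = value
    return sessions


def analyse(log, mac_table, session_text):
    """For every MAC named in a violation, summarise what the switch knows about it.

    A 'Drop' entry in the Ports column means frames from that MAC in that VLAN
    are discarded rather than forwarded, so a MAC that is Drop in both the data
    and the voice VLAN and has no session is exactly the phone that never got
    authorised.
    """
    by_mac = defaultdict(list)
    for row in parse_mac_table(mac_table):
        by_mac[row["mac"]].append(row)
    sessions = parse_sessions(session_text)
    findings = {}
    for interface, mac in parse_violations(log):
        entries = by_mac.get(mac, [])
        findings[mac] = {
            "interface": interface,
            "vlans": sorted({e["vlan"] for e in entries}),
            "dropped_in": sorted(e["vlan"] for e in entries if e["port"].lower() == "drop"),
            "forwarding_in": sorted(e["vlan"] for e in entries if e["port"].lower() != "drop"),
            "session_domain": sessions.get(mac),  # None when no session exists for this MAC
        }
    return findings


def report(findings):
    """Render the findings as one line per offending MAC."""
    lines = []
    for mac, f in findings.items():
        session = f["session_domain"] or "no authenticated session"
        lines.append(
            f"{f['interface']}: {mac} learned in VLAN(s) {f['vlans']}, "
            f"dropped in {f['dropped_in']}, forwarding in {f['forwarding_in']}, {session}"
        )
    return lines


if __name__ == "__main__":
    for line in report(analyse(SYSLOG, MAC_TABLE, AUTH_SESSIONS)):
        print(line)
```

Run against the constructed samples it reports AAA.AAA.AAA as learned in VLANs 10 and 20, dropped in both, forwarding nowhere, and with no authenticated session, while BBB.BBB.BBB (the laptop, session in the DATA domain) is not flagged. The same three parsers work unchanged on the real outputs pasted from a switch, which makes it easy to compare the state before and after each configuration change tried in the thread.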
05-20-2022 05:21 AM - edited 05-20-2022 05:21 AM
Hi
A couple of questions about your setup:
Does the phone get an IP address?
Is the phone a Cisco model?
Do you have the "authentication mac-move permit" global command configured?
Andy