10-12-2018 01:15 AM - edited 02-21-2020 08:20 AM
I've got a really strange issue going on with MAB & dot1x, with ports going into security violation every now and again claiming a new MAC address is seen. Problem is, I know for sure that the clients aren't being changed on the ports, so I'm not sure where the new MAC address is coming from.
The ports are using:
MAB for Cisco phones
Dot1x for clients behind the phones.
A typical error is:
%AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet0/8, new MAC address (90b1.1c68.3e5e) is seen.AuditSessionID 0A011CE300000DDBB3DEFE36
Interface config:
interface GigabitEthernet0/8
description PORT 916
switchport mode access
switchport voice vlan 250
authentication control-direction in
authentication event fail retry 0 action authorize vlan 100
authentication event server dead action authorize vlan 200
authentication event no-response action authorize vlan 100
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
spanning-tree bpduguard enable
There are no timeouts on the aaa servers and NPS is configured to use in following order:
1. Dot1x for windows group domain computers
2. MAB for Cisco phones for windows group Cisco Phones (not member of domain computers)
We're testing with a 3560 (old but with 15.2) and a 2960s-psl (using 15.2) and we're getting the same issue, so I'm convinced it's some sort of misconfig rather than the switches/firmware.
I'm a little lost to what's occurring here so any pointers would be appreciated.
10-12-2018 02:19 AM - edited 10-12-2018 02:29 AM
Even more strange is over the last 24 hours I've seen the new mac address seen as:
90b1.1c64.cdb5
90b1.1c64.3e5e
90b1.1c64.935d
and the client hasn't been changed. The first 2 are jumping between G0/8 & G0/9?
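The symptom in the original post (a %AUTHMGR-5-SECURITY_VIOLATION per port) and the follow-up (the same MACs turning up on two different ports) are what a defender would want to spot automatically before chasing the cause. The following script is an added example, not code from the original thread: it parses syslog lines in the exact format quoted above, reports any MAC that has triggered violations on more than one interface (the "mac flap" pattern), and groups the offending MACs by OUI so you can see whether they share a vendor prefix, which hints at the PCs rather than the phones. The log lines, MAC addresses and session IDs in SAMPLE_LOG are constructed for the example.

```python
import re
from collections import defaultdict

# Pattern for the IOS %AUTHMGR-5-SECURITY_VIOLATION message as quoted in the
# thread. Note that IOS prints "is seen.AuditSessionID ..." with no space, so
# \s* allows either form.
VIOLATION_RE = re.compile(
    r"%AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface "
    r"(?P<iface>\S+), new MAC address "
    r"\((?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\) "
    r"is seen\.\s*AuditSessionID (?P<session>[0-9A-Fa-f]+)"
)

# Constructed sample log lines (hypothetical MACs, session IDs and timestamps),
# mimicking the switch output from the thread. One non-matching line is
# included to show that unrelated syslog is ignored.
SAMPLE_LOG = [
    "Oct 12 01:10:02.101: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the "
    "interface GigabitEthernet0/8, new MAC address (0011.2233.4455) is seen."
    "AuditSessionID 0A011CE3000000010000AAAA",
    "Oct 12 01:10:05.417: %LINK-3-UPDOWN: Interface GigabitEthernet0/8, "
    "changed state to up",
    "Oct 12 01:11:40.220: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the "
    "interface GigabitEthernet0/9, new MAC address (0011.2233.4455) is seen."
    "AuditSessionID 0A011CE3000000020000BBBB",
    "Oct 12 01:15:12.003: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the "
    "interface GigabitEthernet0/8, new MAC address (0011.2233.6677) is seen."
    "AuditSessionID 0A011CE3000000030000CCCC",
    "Oct 12 01:20:55.890: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the "
    "interface GigabitEthernet0/12, new MAC address (0011.2233.8899) is seen."
    "AuditSessionID 0A011CE3000000040000DDDD",
]


def parse_violation(line):
    """Return a dict with iface, mac (lower-cased) and session, or None if the
    line is not a security-violation message."""
    m = VIOLATION_RE.search(line)
    if not m:
        return None
    return {
        "iface": m.group("iface"),
        "mac": m.group("mac").lower(),
        "session": m.group("session"),
    }


def find_flapping_macs(lines):
    """Map each MAC that caused violations on more than one interface to the
    sorted list of those interfaces. A MAC moving between access ports without
    anyone re-cabling is the 'mac flap' symptom described in the thread."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_violation(line)
        if rec:
            seen[rec["mac"]].add(rec["iface"])
    return {mac: sorted(ifaces) for mac, ifaces in seen.items() if len(ifaces) > 1}


def oui_groups(lines):
    """Group violating MACs by their OUI (first three bytes, 'xxxx.xx' in the
    Cisco dotted format). Many MACs under one OUI suggests the same kind of
    device, e.g. the PCs behind the phones rather than the phones themselves."""
    groups = defaultdict(set)
    for line in lines:
        rec = parse_violation(line)
        if rec:
            groups[rec["mac"][:7]].add(rec["mac"])
    return {oui: sorted(macs) for oui, macs in groups.items()}


if __name__ == "__main__":
    for mac, ifaces in find_flapping_macs(SAMPLE_LOG).items():
        print(f"MAC {mac} triggered violations on {', '.join(ifaces)}")
    for oui, macs in oui_groups(SAMPLE_LOG).items():
        print(f"OUI {oui}: {len(macs)} distinct MAC(s)")
```

Feed it the output of `show logging` (or the syslog collector's copy) instead of SAMPLE_LOG; a MAC listed under more than one interface while nobody has moved a cable is the point at which to look at the hosts (the SCCM wake-up proxy found later in this thread) rather than at the port configuration.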
10-12-2018 02:30 AM
what is the device connected to this port - interface GigabitEthernet0/8 ?
10-12-2018 11:57 AM
All ports have Cisco 6921 phones with Dell PCs behind them.
I think I may have found the culprit.......SCCM wake up proxy.
I was seeing MAC addresses of different PCs switching to different ports even though those PCs were not physically doing it. So I started to think "mac flap", which finally led me to this post:
https://community.cisco.com/t5/switching/mac-address-flapping-and-sccm-wake-up-proxy/td-p/2240432
So, into SCCM and disabled M$ version of wake on lan called "Wake up proxy" and since that, all appears ok.
Early days yet but it's looking promising. Microsoft strikes again!!!
10-12-2018 12:57 PM
Glad you found the issue, I was guessing some VM in the PC, like a hypervisor.