cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3298
Views
0
Helpful
8
Replies

802.1X Deployment with IP Phone occur unexpected security violation

JY109
Level 1
Level 1

Hello all,

I'm currently deploying the 802.1x solution to the Cisco 3560x switches, and it will cover multi domain 802.1x authentication with MAB and dynamic VLAN assignment. All function is working fine, however a very strange issue has occur. The switchport will error disabled suddenly due to a "new mac address" heard, but actually there is no any action on user side, and that "new mac address" is similar with IP Phone mac address. The issue was happened on different switch and port, and the symptom are same. So that pretty sure not some people to have an unauthorized action.

Do you guys have any idea or experience like this before? Is it a bug on switch or IP phone?

Many thanks for your help

Phone Version:

SCCP42.9-1-1SR1S

Switch Version:

 15.0(2)SE8

Interface Configuration:

interface GigabitEthernet0/16
 switchport mode access
 switchport voice vlan 99
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 authentication event server dead action authorize vlan 999
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication timer reauthenticate server
 mab
 mls qos trust device cisco-phone
 mls qos trust cos
 dot1x pae authenticator
 dot1x timeout server-timeout 3
 dot1x timeout tx-period 1
 dot1x max-reauth-req 3
 auto qos voip cisco-phone
 spanning-tree portfast
 service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY

Switch Status on normal operation:

Switch#sh authentication sessions interface g0/16
            Interface:  GigabitEthernet0/16
          MAC Address:  001e.138d.179c
           IP Address:  10.10.156.95
            User-Name:  001e138d179c
               Status:  Authz Success
               Domain:  VOICE
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-domain
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  156
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  C0A8FE9500000B76C34CF590
      Acct Session ID:  0x000018BB
               Handle:  0xBE000B77
 
Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success
 
----------------------------------------
            Interface:  GigabitEthernet0/16
          MAC Address:  cc52.af4b.11dc
           IP Address:  172.16.162.15
            User-Name:  XXXX\user1
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-domain
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  162
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  C0A8FE9500000B78C3508ED5
      Acct Session ID:  0x000018CB
               Handle:  0x7C000B79
 
Runnable methods list:
       Method   State
       dot1x    Authc Success
       mab      Not run

Problem Occur Logging:

Jan 19 01:00:46.408 HKT: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet0/16, new MAC  address (ac44.f212.179c) is seen.AuditSessionID  Unassigned
Jan 19 01:00:46.408 HKT: %PM-4-ERR_DISABLE: security-violation error detected on Gi0/16, putting Gi0/16 in err-disable state
Jan 19 01:00:47.498 HKT: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/16, changed state to down
Jan 19 01:00:48.505 HKT: %LINK-3-UPDOWN: Interface GigabitEthernet0/16, changed state to down
Jan 19 01:00:57.103 HKT: %SWITCH_QOS_TB-5-TRUST_DEVICE_LOST: cisco-phone no longer detected on port Gi0/16, operational port trust state is now untrusted.

8 Replies 8

jj27
Spotlight
Spotlight

I have not personally seen that happen. If you show the mac address table for the port when it happens, what does it report?

To me it sounds like it is a phone bug, but can't be sure.  I searched the Cisco Bug database and could not find anything related to that particular problem for the 3560-X family of switches.  

The code you're on is relatively new, but is not the Cisco recommended safe harbor version of 15.0(2)SE9.  You could try upgrading to that version and see if the problem goes away.

Menezesa
Level 1
Level 1

Hello Jim,

Did you every resolve this issue? We are seeing the same thing very random and infrequent. It only seems to happen on 3750X switches and not other models.

Hi Menezesa,

 

The problem not yet solved...I just thinking it is related to the IP phone bug before. I have to upgraded the CUCM and also with the updated IP phone firmware, but the issue still occur, I will try to open a TAC case regarding this issue.

 

Hi,

This error might come when an 802.1x authenticated device moves from one port to another. So could you try enable the following global command:
"authentication mac-move permit"
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/12-2_52_se/command/reference/3750cr/cli1.html



Thanks & Regards,

Kushagra Srivastava
Cisco PDI
http://www.cisco.com/go/pdi

Hi Srivastava,

 

Thanks for your suggestion. But I'm not really agree for your point. As the case is not related to any devices movement, and the occur security violation is not a same IP phone MAC address but quite similar. So that I personally do think that issue is caused by the IP phone itself instead of the switch side.

Good Day Guys,

Any progress on this issue...I got a similar one but only on 45 Series SUP8 Switches 

discussion created here :

***************************************************

https://supportforums.cisco.com/t5/lan-switching-and-routing/catalyst-45-series-sup8e-802-1x-ports-getting-error-disabled/m-p/3338773#M406548

**************************************************

Bregards

 

Venting
Level 1
Level 1

Hey JY109.

 

The mystery IP's that you saw, were the MAC addresses similar to your phones in THIS way? 

 

First 8 characters of one phone...+ last 4 characters of another phone = New MAC that creates the security violation. 

We are seeing this in our environment.  Did you ever find a resolution for yours? 

JY109
Level 1
Level 1

Guys, at the end I didn't contact Cisco TAC to follow up this issue, as I was quit that company during the time... Did you tried to upgrade the switch IOS?

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: