07-18-2011 06:51 AM - edited 03-09-2019 11:36 PM
Hello,
I'm facing a problem where the IP phone MAC address causes a security violation in the data VLAN when using 802.1X and MAB with multi-domain authentication on a switchport.
Below are the logs about what's going on.
Desktop PC:
002191: Jul 18 10:23:49: %AUTHMGR-5-START: Starting 'dot1x' for client (0025.b3cc.03df) on Interface Fa0/3 AuditSessionID 00000000000000025AD497E1
Phone:
002192: Jul 18 10:23:53: %AUTHMGR-5-START: Starting 'dot1x' for client (0024.c4fe.afe5) on Interface Fa0/3 AuditSessionID 00000000000000035AD4A9AC
Desktop PC success:
002193: Jul 18 10:24:07: %DOT1X-5-SUCCESS: Authentication successful for client (0025.b3cc.03df) on Interface Fa0/3 AuditSessionID
002194: Jul 18 10:24:07: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (0025.b3cc.03df) on Interface Fa0/3 AuditSessionID 00000000000000025AD497E1
002195: Jul 18 10:24:08: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0025.b3cc.03df) on Interface Fa0/3 AuditSessionID 00000000000000025AD497E1
Phone - works with fallback to MAB:
002192: Jul 18 10:23:53: %AUTHMGR-5-START: Starting 'dot1x' for client (0024.c4fe.afe5) on Interface Fa0/3 AuditSessionID 00000000000000035AD4A9AC
002196: Jul 18 10:24:08: %DOT1X-5-FAIL: Authentication failed for client (0024.c4fe.afe5) on Interface Fa0/3 AuditSessionID
002197: Jul 18 10:24:08: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (0024.c4fe.afe5) on Interface Fa0/3 AuditSessionID 00000000000000035AD4A9AC
002198: Jul 18 10:24:08: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (0024.c4fe.afe5) on Interface Fa0/3 AuditSessionID 00000000000000035AD4A9AC
002199: Jul 18 10:24:08: %AUTHMGR-5-START: Starting 'mab' for client (0024.c4fe.afe5) on Interface Fa0/3 AuditSessionID 00000000000000035AD4A9AC
002200: Jul 18 10:24:08: %MAB-5-SUCCESS: Authentication successful for client (0024.c4fe.afe5) on Interface Fa0/3 AuditSessionID 00000000000000035AD4A9AC
002201: Jul 18 10:24:08: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0024.c4fe.afe5) on Interface Fa0/3 AuditSessionID 00000000000000035AD4A9AC
but the phone causes a security-violation error-disable state, because its MAC address is seen on VLAN 1 as well:
002202: Jul 18 10:24:08: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface FastEthernet0/3, new MAC address (0024.c4fe.afe5) is seen.AuditSessionID 00000000000000035AD4A9AC
002203: Jul 18 10:24:08: %PM-4-ERR_DISABLE_VP: security-violation error detected on Fa0/3, vlan 1. Putting in err-disable stat
With no 802.1X configuration, three MAC addresses are seen on the port.
Example:
Vlan    Mac Address       Type      Ports
----    -----------       --------  -----
   1    0025.b3cc.0380    DYNAMIC   Fa0/12
   1    aca0.166e.f2ff    DYNAMIC   Fa0/12
 140    aca0.166e.f2ff    DYNAMIC   Fa0/12
Total Mac Addresses for this criterion: 3
The strange thing is:
we have working locations with this setup, and at the working location just two MAC addresses are seen
(with MAC type "static", after 802.1X authentication).
I haven't found a satisfying answer as to how the phone MAC comes to be seen in the data VLAN as well.
And I have the strong feeling that this causes the trouble I'm having.
Maybe someone can brighten my day and write some clarification, or has a solution for how to solve this issue.
TIA
kind regards
Peter
PS:
Authentication against IAS
Phoneload:
Anw.-Software-ID jar42sccp.9-1-1TH1-16.sbn
Boot-Software-ID tnp62.8-3-1-21a.bin
Version SCCP42.9-1-1SR1S
Interface Configuration:
interface FastEthernet0/3
switchport mode access
switchport voice vlan 140
authentication control-direction in
authentication event fail action authorize vlan 150
authentication event no-response action authorize vlan 150
authentication host-mode multi-domain
authentication open
authentication port-control auto
mab
dot1x pae authenticator
dot1x timeout quiet-period 2
dot1x timeout tx-period 5
spanning-tree portfast
Other Configuration Parameter:
aaa group server radius 8021x
server-private x.x.x.x auth-port 1812 acct-port 1813 key xyz
server-private x.x.x.x auth-port 1812 acct-port 1813 key xyz
!
aaa authentication dot1x default group 8021x
aaa authorization network default group 8021x
!
dot1x system-auth-control
dot1x guest-vlan supplicant
!
errdisable detect cause security-violation shutdown vlan
!
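An added example, not part of Peter's post or of any Cisco tooling: a small Python script that correlates AUTHMGR/DOT1X/MAB syslog lines per AuditSessionID so the sequence for each endpoint (which methods were tried, what each returned, whether a security violation followed) can be read off directly instead of by eye. The message patterns and the regular expressions are assumptions modelled on the lines quoted above; the sample log is constructed from those same lines. Lines whose session ID was truncated (as in the DOT1X-5-SUCCESS and DOT1X-5-FAIL lines in the post) cannot be correlated and are skipped.

```python
"""Correlate Cisco IOS 802.1X/MAB syslog lines per AuditSessionID (added example)."""
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the lines quoted in the post.
SAMPLE_LOG = """\
002191: Jul 18 10:23:49: %AUTHMGR-5-START: Starting 'dot1x' for client (0025.b3cc.03df) on Interface Fa0/3 AuditSessionID 00000000000000025AD497E1
002192: Jul 18 10:23:53: %AUTHMGR-5-START: Starting 'dot1x' for client (0024.c4fe.afe5) on Interface Fa0/3 AuditSessionID 00000000000000035AD4A9AC
002193: Jul 18 10:24:07: %DOT1X-5-SUCCESS: Authentication successful for client (0025.b3cc.03df) on Interface Fa0/3 AuditSessionID
002194: Jul 18 10:24:07: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (0025.b3cc.03df) on Interface Fa0/3 AuditSessionID 00000000000000025AD497E1
002195: Jul 18 10:24:08: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0025.b3cc.03df) on Interface Fa0/3 AuditSessionID 00000000000000025AD497E1
002196: Jul 18 10:24:08: %DOT1X-5-FAIL: Authentication failed for client (0024.c4fe.afe5) on Interface Fa0/3 AuditSessionID
002197: Jul 18 10:24:08: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (0024.c4fe.afe5) on Interface Fa0/3 AuditSessionID 00000000000000035AD4A9AC
002198: Jul 18 10:24:08: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (0024.c4fe.afe5) on Interface Fa0/3 AuditSessionID 00000000000000035AD4A9AC
002199: Jul 18 10:24:08: %AUTHMGR-5-START: Starting 'mab' for client (0024.c4fe.afe5) on Interface Fa0/3 AuditSessionID 00000000000000035AD4A9AC
002200: Jul 18 10:24:08: %MAB-5-SUCCESS: Authentication successful for client (0024.c4fe.afe5) on Interface Fa0/3 AuditSessionID 00000000000000035AD4A9AC
002201: Jul 18 10:24:08: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0024.c4fe.afe5) on Interface Fa0/3 AuditSessionID 00000000000000035AD4A9AC
002202: Jul 18 10:24:08: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface FastEthernet0/3, new MAC address (0024.c4fe.afe5) is seen.AuditSessionID 00000000000000035AD4A9AC
002203: Jul 18 10:24:08: %PM-4-ERR_DISABLE_VP: security-violation error detected on Fa0/3, vlan 1. Putting in err-disable stat
"""

# Assumed message shapes, derived from the quoted lines (not an official grammar).
LINE_RE = re.compile(r"%(?P<facility>[A-Z0-9]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z_]+):\s*(?P<text>.*)$")
MAC_RE = re.compile(r"\(([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\)")
SESSION_RE = re.compile(r"AuditSessionID\s*([0-9A-Fa-f]{24})")
METHOD_RE = re.compile(r"'(dot1x|mab)'")
RESULT_RE = re.compile(r"result '([a-z-]+)' from '(dot1x|mab)'")
IFACE_RE = re.compile(r"(?:on Interface|on the interface|detected on)\s+(\S+?),?\s")
VLAN_RE = re.compile(r"vlan (\d+)")


@dataclass
class Session:
    session_id: str
    mac: str = ""
    interface: str = ""
    methods: list = field(default_factory=list)   # methods in the order they were started
    results: dict = field(default_factory=dict)   # method -> result string from AUTHMGR-7-RESULT
    authorized: bool = False                      # AUTHMGR-5-SUCCESS seen
    violation: bool = False                       # AUTHMGR-5-SECURITY_VIOLATION seen


def parse_log(text):
    """Return (sessions keyed by AuditSessionID, err-disabled interfaces keyed by name -> vlan)."""
    sessions, errdisabled = {}, {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        facility, mnemonic, body = m["facility"], m["mnemonic"], m["text"]
        if facility == "PM" and mnemonic == "ERR_DISABLE_VP":
            # Port-level event: no session ID, so record it against the interface.
            iface, vlan = IFACE_RE.search(body), VLAN_RE.search(body)
            if iface:
                errdisabled[iface.group(1)] = int(vlan.group(1)) if vlan else None
            continue
        sid = SESSION_RE.search(body)
        if not sid:
            continue  # truncated session ID (as in the DOT1X-5-* lines): cannot correlate
        s = sessions.setdefault(sid.group(1), Session(sid.group(1)))
        mac, iface = MAC_RE.search(body), IFACE_RE.search(body)
        if mac:
            s.mac = mac.group(1)
        if iface and not s.interface:
            s.interface = iface.group(1)   # keep the first (short) form, e.g. Fa0/3
        if mnemonic == "START":
            s.methods.append(METHOD_RE.search(body).group(1))
        elif mnemonic == "RESULT":
            r = RESULT_RE.search(body)
            s.results[r.group(2)] = r.group(1)
        elif facility == "AUTHMGR" and mnemonic == "SUCCESS":
            s.authorized = True
        elif mnemonic == "SECURITY_VIOLATION":
            s.violation = True
    return sessions, errdisabled


def violations(sessions):
    """One summary per session that ended in a security violation."""
    out = []
    for s in sessions.values():
        if s.violation:
            out.append({
                "mac": s.mac,
                "interface": s.interface,
                "methods": list(s.methods),
                "final": s.results.get(s.methods[-1]) if s.methods else None,
            })
    return out


if __name__ == "__main__":
    sessions, errdisabled = parse_log(SAMPLE_LOG)
    for s in sessions.values():
        print(f"{s.session_id} {s.mac:16} {s.interface:8} methods={s.methods} "
              f"results={s.results} authorized={s.authorized} violation={s.violation}")
    for v in violations(sessions):
        print("VIOLATION:", v)
    print("err-disabled:", errdisabled)
```

Run on the sample, the phone session shows dot1x 'no-response', failover to mab, mab 'success', and then the security violation, with no AUTHMGR-5-SUCCESS authorization line in between, which is exactly the sequence the post describes; the PC session shows a clean dot1x success and authorization.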