07-18-2011 06:51 AM - edited 03-09-2019 11:36 PM
Hello,
I'm facing a problem where the IP phone MAC address causes a security violation in the data VLAN when using 802.1X and MAB with multi-domain authentication on a switchport.
Below are the "logs" showing what's going on.
Desktop PC:
002191: Jul 18 10:23:49: %AUTHMGR-5-START: Starting 'dot1x' for client (0025.b3cc.03df) on Interface Fa0/3 AuditSessionID 00000000000000025AD497E1
Phone:
002192: Jul 18 10:23:53: %AUTHMGR-5-START: Starting 'dot1x' for client (0024.c4fe.afe5) on Interface Fa0/3 AuditSessionID 00000000000000035AD4A9AC
Desktop PC success:
002193: Jul 18 10:24:07: %DOT1X-5-SUCCESS: Authentication successful for client (0025.b3cc.03df) on Interface Fa0/3 AuditSessionID
002194: Jul 18 10:24:07: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (0025.b3cc.03df) on Interface Fa0/3 AuditSessionID 00000000000000025AD497E1
002195: Jul 18 10:24:08: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0025.b3cc.03df) on Interface Fa0/3 AuditSessionID 00000000000000025AD497E1
Phone - works with fallback to MAB:
002192: Jul 18 10:23:53: %AUTHMGR-5-START: Starting 'dot1x' for client (0024.c4fe.afe5) on Interface Fa0/3 AuditSessionID 00000000000000035AD4A9AC
002196: Jul 18 10:24:08: %DOT1X-5-FAIL: Authentication failed for client (0024.c4fe.afe5) on Interface Fa0/3 AuditSessionID
002197: Jul 18 10:24:08: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (0024.c4fe.afe5) on Interface Fa0/3 AuditSessionID 00000000000000035AD4A9AC
002198: Jul 18 10:24:08: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (0024.c4fe.afe5) on Interface Fa0/3 AuditSessionID 00000000000000035AD4A9AC
002199: Jul 18 10:24:08: %AUTHMGR-5-START: Starting 'mab' for client (0024.c4fe.afe5) on Interface Fa0/3 AuditSessionID 00000000000000035AD4A9AC
002200: Jul 18 10:24:08: %MAB-5-SUCCESS: Authentication successful for client (0024.c4fe.afe5) on Interface Fa0/3 AuditSessionID 00000000000000035AD4A9AC
002201: Jul 18 10:24:08: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0024.c4fe.afe5) on Interface Fa0/3 AuditSessionID 00000000000000035AD4A9AC
But the phone caused a security-violation err-disable state, because its MAC address is seen on VLAN 1 as well:
002202: Jul 18 10:24:08: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface FastEthernet0/3, new MAC address (0024.c4fe.afe5) is seen.AuditSessionID 00000000000000035AD4A9AC
002203: Jul 18 10:24:08: %PM-4-ERR_DISABLE_VP: security-violation error detected on Fa0/3, vlan 1. Putting in err-disable stat
With no 802.1X configuration, three MAC addresses are seen on the port.
Example:
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0025.b3cc.0380    DYNAMIC     Fa0/12
   1    aca0.166e.f2ff    DYNAMIC     Fa0/12
 140    aca0.166e.f2ff    DYNAMIC     Fa0/12
Total Mac Addresses for this criterion: 3
The strange thing is: we have working locations with this setup, and at the working locations only two MAC addresses are seen (with MAC type "static", after 802.1X authentication).
I haven't found a satisfying answer as to why the phone MAC is seen in the data VLAN as well, and I have the strong feeling that this causes the trouble I'm having.
Maybe someone can brighten my day and write some clarification, or has a solution for this issue.
TIA
kind regards
Peter
PS:
Authentication against IAS
Phone load:
Application software ID: jar42sccp.9-1-1TH1-16.sbn
Boot software ID: tnp62.8-3-1-21a.bin
Version: SCCP42.9-1-1SR1S
Interface Configuration:
interface FastEthernet0/3
switchport mode access
switchport voice vlan 140
authentication control-direction in
authentication event fail action authorize vlan 150
authentication event no-response action authorize vlan 150
authentication host-mode multi-domain
authentication open
authentication port-control auto
mab
dot1x pae authenticator
dot1x timeout quiet-period 2
dot1x timeout tx-period 5
spanning-tree portfast
Other configuration parameters:
aaa group server radius 8021x
server-private x.x.x.x auth-port 1812 acct-port 1813 key xyz
server-private x.x.x.x auth-port 1812 acct-port 1813 key xyz
!
aaa authentication dot1x default group 8021x
aaa authorization network default group 8021x
!
dot1x system-auth-control
dot1x guest-vlan supplicant
!
errdisable detect cause security-violation shutdown vlan
!
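The symptom Peter describes can be picked out of the switch syslog and the MAC table mechanically. The following Python is an added example, not code from the original post: it correlates the AUTHMGR/MAB/dot1x lines by AuditSessionID (method chain, final result, whether a SECURITY_VIOLATION followed), pulls the err-disabled (interface, VLAN) pairs from the %PM-4-ERR_DISABLE_VP line, and flags any MAC that the "show mac address-table" output shows in more than one VLAN on the same port, which on a multi-domain port is exactly the "phone MAC seen in the data VLAN too" condition. The sample input is constructed from the lines quoted above (sequence numbers removed); the regexes assume the stock IOS message formats shown in the post and nothing else.

```python
import re
from collections import defaultdict

# Constructed sample: the syslog lines quoted in the original post (sequence
# numbers stripped); not a live capture.
SAMPLE_SYSLOG = """\
Jul 18 10:23:49: %AUTHMGR-5-START: Starting 'dot1x' for client (0025.b3cc.03df) on Interface Fa0/3 AuditSessionID 00000000000000025AD497E1
Jul 18 10:23:53: %AUTHMGR-5-START: Starting 'dot1x' for client (0024.c4fe.afe5) on Interface Fa0/3 AuditSessionID 00000000000000035AD4A9AC
Jul 18 10:24:07: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (0025.b3cc.03df) on Interface Fa0/3 AuditSessionID 00000000000000025AD497E1
Jul 18 10:24:08: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0025.b3cc.03df) on Interface Fa0/3 AuditSessionID 00000000000000025AD497E1
Jul 18 10:24:08: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (0024.c4fe.afe5) on Interface Fa0/3 AuditSessionID 00000000000000035AD4A9AC
Jul 18 10:24:08: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (0024.c4fe.afe5) on Interface Fa0/3 AuditSessionID 00000000000000035AD4A9AC
Jul 18 10:24:08: %AUTHMGR-5-START: Starting 'mab' for client (0024.c4fe.afe5) on Interface Fa0/3 AuditSessionID 00000000000000035AD4A9AC
Jul 18 10:24:08: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0024.c4fe.afe5) on Interface Fa0/3 AuditSessionID 00000000000000035AD4A9AC
Jul 18 10:24:08: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface FastEthernet0/3, new MAC address (0024.c4fe.afe5) is seen.AuditSessionID 00000000000000035AD4A9AC
Jul 18 10:24:08: %PM-4-ERR_DISABLE_VP: security-violation error detected on Fa0/3, vlan 1. Putting in err-disable stat
"""

# Constructed sample: the 'show mac address-table' output quoted in the post.
SAMPLE_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0025.b3cc.0380    DYNAMIC     Fa0/12
   1    aca0.166e.f2ff    DYNAMIC     Fa0/12
 140    aca0.166e.f2ff    DYNAMIC     Fa0/12
Total Mac Addresses for this criterion: 3
"""

MNEMONIC_RE = re.compile(r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mn>[A-Z_]+): (?P<msg>.*)")
MAC_RE = re.compile(r"\(([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\)")
SESSION_RE = re.compile(r"AuditSessionID\s*([0-9A-F]{24})")   # tolerates 'seen.AuditSessionID'
RESULT_RE = re.compile(r"Authentication result '([\w-]+)' from '(\w+)'")
ERRDIS_RE = re.compile(r"detected on (\S+), vlan (\d+)")
MAC_ROW_RE = re.compile(r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\w+)\s+(\S+)\s*$")


def parse_syslog(text):
    """One dict per recognised %FACILITY-SEV-MNEMONIC line; MAC/session may be None."""
    events = []
    for line in text.splitlines():
        m = MNEMONIC_RE.search(line)
        if not m:
            continue
        msg = m.group("msg")
        mac, sess = MAC_RE.search(msg), SESSION_RE.search(msg)
        events.append({"mnemonic": f"{m.group('fac')}-{m.group('sev')}-{m.group('mn')}",
                       "mac": mac.group(1) if mac else None,
                       "session": sess.group(1) if sess else None, "msg": msg})
    return events


def summarize_sessions(events):
    """Per AuditSessionID: client MAC, ordered (method, result) pairs, violation flag."""
    sessions = defaultdict(lambda: {"mac": None, "methods": [], "violation": False})
    for ev in events:
        if not ev["session"]:          # e.g. %PM-4-ERR_DISABLE_VP carries no session ID
            continue
        s = sessions[ev["session"]]
        s["mac"] = s["mac"] or ev["mac"]
        r = RESULT_RE.search(ev["msg"])
        if r:
            s["methods"].append((r.group(2), r.group(1)))   # (method, result)
        if ev["mnemonic"].endswith("SECURITY_VIOLATION"):
            s["violation"] = True
    return dict(sessions)


def err_disabled_ports(events):
    """(interface, vlan) pairs from %PM-4-ERR_DISABLE_VP lines (per-VLAN err-disable)."""
    hits = (ERRDIS_RE.search(ev["msg"]) for ev in events
            if ev["mnemonic"] == "PM-4-ERR_DISABLE_VP")
    return [(m.group(1), int(m.group(2))) for m in hits if m]


def parse_mac_table(text):
    """Rows of 'show mac address-table' as (vlan, mac, type, port)."""
    rows = [MAC_ROW_RE.match(line) for line in text.splitlines()]
    return [(int(m.group(1)), m.group(2), m.group(3), m.group(4)) for m in rows if m]


def macs_in_multiple_vlans(rows):
    """(port, mac) -> sorted VLAN list, only where the same MAC is learned in >1 VLAN.
    On an MDA port this is the phone MAC showing up in data and voice VLAN at once."""
    seen = defaultdict(set)
    for vlan, mac, _type, port in rows:
        seen[(port, mac)].add(vlan)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    evs = parse_syslog(SAMPLE_SYSLOG)
    for sid, s in summarize_sessions(evs).items():
        print(sid, s["mac"], s["methods"], "VIOLATION" if s["violation"] else "ok")
    print("err-disabled:", err_disabled_ports(evs))
    print("multi-VLAN MACs:", macs_in_multiple_vlans(parse_mac_table(SAMPLE_MAC_TABLE)))
```

Run against a real "show logging" and "show mac address-table interface" capture, a (port, mac) key with two VLANs on an MDA port is the thing to chase first; the session summary then tells you whether the phone got there via dot1x or via the MAB fallback before the violation fired.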
12-15-2011 08:42 AM
Peter,
Did you ever resolve this?
I am seeing the same thing, but on my network the phones are configured for 802.1X. The switch attempts MAB first and then 802.1X. What I see is that the switch fails over from MAB to 802.1X, but this is left in a 'running' state and never completes. The phone's MAC is seen in the MDA port's base VLAN and also in the voice VLAN, and there is a security violation for the base VLAN. The 802.1X never completes.
This anomaly only happens for a few phones.
If you can pass on any information as to what is causing the problem, I would be grateful.
Regards,
Paul
02-20-2018 01:54 AM
Hello,
Don't know if you already resolved your problem, but I had exactly the same issue, and for me the solution was to re-enable CDP in the interface configuration...
So I had the command "no cdp enable" on my interface, and as soon as I configured "cdp enable", the phone MAC in the data VLAN disappeared immediately...
Here is the documentation that helped me --> https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-services/config_guide_c17-605524.html#wp9000480
Regards.