802.1X Port Based Authentication Security Violation

dasgill
Level 1

I have configured 802.1X authentication on selected ports of a Cisco Catalyst 2960S with Microsoft NPS RADIUS authentication on a test LAN. I have tested the authentication with a Windows XP laptop, a Windows 7 laptop with 802.1X EAP-TLS authentication and a Mitel 5330 IP Phone using EAP-MD5 authentication. All the above devices work with the MS NPS server. However, in MDA mode, when the 802.1X-compliant Windows 7 laptop is connected to the already authenticated Mitel IP Phone, the port experiences a security violation and goes into err-disable mode.

Feb  4 19:16:16.571: %AUTHMGR-5-START: Starting 'dot1x' for client (24b6.fdfa.749b) on Interface Gi1/0/1 AuditSessionID AC10A0FE0000002F000D3CED

Feb  4 19:16:16.645: %DOT1X-5-SUCCESS: Authentication successful for client (24b6.fdfa.749b) on Interface Gi1/0/1 AuditSessionID AC10A0FE0000002F000D3CED

Feb  4 19:16:16.645: %PM-4-ERR_DISABLE: security-violation error detected on Gi1/0/1, putting Gi1/0/1 in err-disable state

Feb  4 19:16:17.651: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to down

Feb  4 19:16:18.658: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down

If the port config is changed to "authentication host-mode multi-auth" and the laptop is connected to the phone, the port does not experience the security violation but the 802.1X authentication for the laptop fails.

The ports Gi1/0/1 & Gi1/0/2 are configured thus:

interface GigabitEthernet1/0/1
 switchport mode access
 switchport voice vlan 20
 authentication event fail action authorize vlan 4
 authentication event no-response action authorize vlan 4
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 mls qos trust cos
 dot1x pae authenticator
 spanning-tree portfast

sh ver

Switch Ports Model              SW Version            SW Image
------ ----- -----              ----------            ----------
*    1 52    WS-C2960S-48FPS-L  15.2(1)E1             C2960S-UNIVERSALK9-M

Full config attached. Assistance will be greatly appreciated.

Donfrico

2 Replies

hdussa
Level 1

Hi,

Is your IP-Phone after authentication in the Voice-Vlan? Usually only 1 MAC is allowed in Voice- and Data Vlan.

Can you post the result of "show authentication sessions"?

Horst
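As an added example (not part of this thread, and not code from either poster), here is a small script that reads the "show authentication sessions" summary Horst asked for and reports, per port, which MAC the switch placed in which domain. In multi-domain mode the switch admits one authorized MAC in the DATA domain and one in the VOICE domain, so two authorized DATA entries on the same port is the condition that produces a security violation when the second host shows up. The sample output below is constructed in the shape of the IOS 15.x summary table: 24b6.fdfa.749b is the laptop MAC from the log in the original post; the other MACs and the session IDs are made up.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the "show authentication sessions" summary table
# on IOS 15.x. 24b6.fdfa.749b is the laptop MAC from the log in the post; the other
# MACs and all session IDs are made up for this example.
SAMPLE_OUTPUT = """\
Interface    MAC Address     Method   Domain   Status         Session ID
Gi1/0/1      0800.0f12.3456  dot1x    DATA     Authz Success  AC10A0FE0000002E000D3C10
Gi1/0/1      24b6.fdfa.749b  dot1x    DATA     Authz Success  AC10A0FE0000002F000D3CED
Gi1/0/2      0800.0f65.4321  dot1x    VOICE    Authz Success  AC10A0FE00000030000D3D01
Gi1/0/2      24b6.fdfa.aaaa  dot1x    DATA     Authz Success  AC10A0FE00000031000D3D22
Gi1/0/3      0800.0f00.0001  mab      DATA     Authz Failed   AC10A0FE00000032000D3D40
"""

# Authorized hosts that multi-domain authentication admits per domain on one port.
MDA_LIMIT = {"DATA": 1, "VOICE": 1}

# One summary row: interface, MAC, method, domain, status text, hex session ID.
ROW = re.compile(
    r"^(?P<intf>\S+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"(?P<method>\S+)\s+"
    r"(?P<domain>DATA|VOICE|UNKNOWN)\s+"
    r"(?P<status>.+?)\s+"
    r"(?P<sid>[0-9A-F]{16,})\s*$",
    re.IGNORECASE,
)


def parse_sessions(text):
    """Return one dict per session row; the header and unrelated lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            row = m.groupdict()
            row["domain"] = row["domain"].upper()
            row["mac"] = row["mac"].lower()
            rows.append(row)
    return rows


def sessions_by_domain(text):
    """Map interface -> domain -> MACs that reached 'Authz Success'.

    Sessions that are still authenticating or failed do not occupy a domain slot,
    so they are left out.
    """
    table = defaultdict(lambda: defaultdict(list))
    for s in parse_sessions(text):
        if s["status"].lower().startswith("authz success"):
            table[s["intf"]][s["domain"]].append(s["mac"])
    return table


def mda_violations(text):
    """Ports where more authorized MACs sit in one domain than MDA allows."""
    found = []
    for intf, domains in sorted(sessions_by_domain(text).items()):
        for domain, macs in sorted(domains.items()):
            if len(macs) > MDA_LIMIT.get(domain, 1):
                found.append((intf, domain, macs))
    return found


if __name__ == "__main__":
    for intf, domains in sorted(sessions_by_domain(SAMPLE_OUTPUT).items()):
        for domain, macs in sorted(domains.items()):
            print(f"{intf:10} {domain:6} {', '.join(macs)}")
    for intf, domain, macs in mda_violations(SAMPLE_OUTPUT):
        print(f"{intf}: {len(macs)} authorized MACs in {domain}, MDA allows "
              f"{MDA_LIMIT[domain]}; the extra host will trigger a security violation")
```

Run it against the real command output by replacing SAMPLE_OUTPUT with the text pasted from the switch. The thing to look at is the phone's row: in multi-domain mode the switch places a session in the VOICE domain only when the RADIUS server returns the Cisco AV pair device-traffic-class=voice for it; a phone that shows Domain: DATA has taken the single data slot, and the laptop's successful authentication then becomes the second data MAC on the port.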

Naveen Kumar
Level 4

I believe you need to configure re-authentication on this switch port:

! Enable re-authentication
authentication periodic
! Enable re-authentication via RADIUS Session-Timeout
authentication timer reauthenticate server