MAB & Dot1x with NPS - new mac address is seen?

louis0001 (Level 3)

I've got a really strange issue going on with MAB & dot1x, with ports going into security violation every now and again claiming a new MAC address is seen. Problem is, I know for sure that the clients aren't being changed on the ports, so I'm not sure where the new MAC address is coming from?


The ports are using:

MAB for Cisco phones
Dot1x for clients behind the phones.


A typical error is:

%AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet0/8, new MAC address (90b1.1c68.3e5e) is seen.AuditSessionID 0A011CE300000DDBB3DEFE36


Interface config:

interface GigabitEthernet0/8
 description PORT 916
 switchport mode access
 switchport voice vlan 250
 authentication control-direction in
 authentication event fail retry 0 action authorize vlan 100
 authentication event server dead action authorize vlan 200
 authentication event no-response action authorize vlan 100
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 spanning-tree bpduguard enable


There are no timeouts on the AAA servers, and NPS is configured to use the following order:

1. Dot1x for windows group domain computers
2. MAB for Cisco phones for windows group Cisco Phones (not member of domain computers)

We're testing with a 3560 (old but with 15.2) and a 2960s-psl (using 15.2) and we're getting the same issue, so I'm convinced it's some sort of misconfig rather than the switches/firmware.

I'm a little lost to what's occurring here so any pointers would be appreciated.

4 Replies

louis0001 (Level 3)

Even more strange is that over the last 24 hours I've seen the new MAC address reported as:

90b1.1c64.cdb5
90b1.1c64.3e5e
90b1.1c64.935d

and the client hasn't been changed. The first 2 are jumping between G0/8 & G0/9?


What is the device connected to this port (interface GigabitEthernet0/8)?


BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

All ports have Cisco 6921 phones with Dell PCs behind them.

I think I may have found the culprit... SCCM Wake-up Proxy.


I was seeing MAC addresses of different PCs switching to different ports even though those PCs were not physically doing it. So I started to think "MAC flap", which finally led me to this post:

https://community.cisco.com/t5/switching/mac-address-flapping-and-sccm-wake-up-proxy/td-p/2240432

So, I went into SCCM and disabled the M$ version of Wake-on-LAN called "Wake up proxy", and since then all appears OK.

Early days yet but it's looking promising. Microsoft strikes again!!!
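To spot the pattern this thread describes (the same MAC raising security violations on more than one port, all from one vendor OUI) across a syslog feed, here is an added Python example; it is not code from the original post or from Cisco. The log lines are constructed from the message format quoted above, reusing the MACs from the thread, and the AuditSessionID values are made up.

```python
import re
from collections import defaultdict

# Message format copied from the thread's example syslog line.
VIOLATION_RE = re.compile(
    r"%AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface "
    r"(?P<intf>\S+), new MAC address "
    r"\((?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\) is seen\."
    r"AuditSessionID (?P<session>[0-9A-F]+)"
)

# Constructed sample data (session IDs are made up, MACs are from the thread).
SAMPLE_LOG = """\
Jan 10 08:01:12 sw1 %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet0/8, new MAC address (90b1.1c64.cdb5) is seen.AuditSessionID 0A011CE300000DDBB3DEFE36
Jan 10 08:03:40 sw1 %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet0/9, new MAC address (90b1.1c64.cdb5) is seen.AuditSessionID 0A011CE300000DDCB3DF0001
Jan 10 09:15:02 sw1 %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet0/9, new MAC address (90b1.1c64.3e5e) is seen.AuditSessionID 0A011CE300000DDDB3DF1122
Jan 10 09:20:55 sw1 %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet0/8, new MAC address (90b1.1c64.3e5e) is seen.AuditSessionID 0A011CE300000DDEB3DF2233
Jan 10 11:02:17 sw1 %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet0/12, new MAC address (90b1.1c64.935d) is seen.AuditSessionID 0A011CE300000DDFB3DF3344
Jan 10 11:05:00 sw1 %SYS-5-CONFIG_I: Configured from console by vty0
"""


def parse_violations(text):
    """Return (interface, mac) for every security-violation line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = VIOLATION_RE.search(line)
        if m:
            events.append((m.group("intf"), m.group("mac").lower()))
    return events


def find_roaming_macs(events):
    """Map each MAC that was reported on more than one interface to the sorted list
    of those interfaces. A real host cannot be on two access ports at once, so this
    is the 'same client jumping between ports' symptom rather than a new device."""
    ports = defaultdict(set)
    for intf, mac in events:
        ports[mac].add(intf)
    return {mac: sorted(p) for mac, p in ports.items() if len(p) > 1}


def ouis(events):
    """Set of 24-bit OUIs (first six hex digits) among the reported MACs; a single
    OUI means one vendor's fleet, e.g. the PCs, rather than foreign devices."""
    return {mac.replace(".", "")[:6] for _, mac in events}


if __name__ == "__main__":
    ev = parse_violations(SAMPLE_LOG)
    for mac, intfs in find_roaming_macs(ev).items():
        print(f"{mac} seen on {', '.join(intfs)}")
    print("OUIs:", ", ".join(sorted(ouis(ev))))
```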


Glad you found the issue, I was guessing some VM in the PC, like a hypervisor.


BB
