NAC - AUTHMGR-5-SECURITY_VIOLATION: Security violation on the

craiglebutt
Enthusiast

Hi


I'm testing NAC on colleagues' devices on a 3750 switch, 2 ports configured, using 2 phones and a PC.

He had external contractors in, so needed to swap one of the phones.

As soon as he did that, both phones and the PC wouldn't connect until I shut the ports down and brought them back up.

ISE 2.2 patch 16

Any help appreciated.

 

Sep 30 15:33:29: RADIUS(00000FD1): Started 5 sec timeout
Sep 30 15:33:29: RADIUS: Received from id 1645/142 10.**.**.**:1812, Access-Accept, len 272
Sep 30 15:33:29: RADIUS/DECODE: parse unknown cisco vsa "profile-name" - IGNORE
Sep 30 15:33:29: %MAB-5-SUCCESS: Authentication successful for client (001a.e8be.375d) on Interface Fa5/0/1 AuditSessionID C0A8F622000009A91B4DED06
Sep 30 15:33:29: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (001a.e8be.375d) on Interface Fa5/0/1 AuditSessionID C0A8F622000009A91B4DED06
Sep 30 15:33:29: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface Fa5/0/1, new MAC address (001a.e8be.375d) is seen.AuditSessionID  C0A8F622000009A91B4DED06
Sep 30 15:33:37: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface Fa5/0/2, new MAC address (1062.e51b.b0ad) is seen.AuditSessionID  Unassigned
Sep 30 15:33:41: %AUTHMGR-5-START: Starting 'mab' for client (001a.e8be.375d) on Interface Fa5/0/1 AuditSessionID C0A8F622000009AA1B4E1C04
Sep 30 15:33:41: RADIUS/ENCODE(00000FD2):Orig. component type = DOT1X
Sep 30 15:33:41: RADIUS(00000FD2): Config NAS IP: 192.168.246.34
Sep 30 15:33:41: RADIUS(00000FD2): Send Access-Request to 10.**.**.**:1812 id 1645/143, len 214
Sep 30 15:33:41: RADIUS(00000FD2): Started 5 sec timeout
Sep 30 15:33:41: RADIUS: Received from id 1645/143 10.**.**.**:1812, Access-Accept, len 272
Sep 30 15:33:41: RADIUS/DECODE: parse unknown cisco vsa "profile-name" - IGNORE
Sep 30 15:33:41: %MAB-5-SUCCESS: Authentication successful for client (001a.e8be.375d) on Interface Fa5/0/1 AuditSessionID C0A8F622000009AA1B4E1C04
Sep 30 15:33:41: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (001a.e8be.375d) on Interface Fa5/0/1 AuditSessionID C0A8F622000009AA1B4E1C04
Sep 30 15:33:41: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface Fa5/0/1, new MAC address (001a.e8be.375d) is seen.AuditSessionID  C0A8F622000009AA1B4E1C04
Sep 30 15:33:48: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface Fa5/0/2, new MAC address (1062.e51b.b0ad) is seen.AuditSessionID  Unassigned
Sep 30 15:33:49: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface Fa5/0/2, new MAC address (1062.e51b.b0ad) is seen.AuditSessionID  Unassigned
Sep 30 15:33:49: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface Fa5/0/2, new MAC address (1062.e51b.b0ad) is seen.AuditSessionID  Unassigned
Sep 30 15:33:49: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface Fa5/0/2, new MAC address (1062.e51b.b0ad) is seen.AuditSessionID  Unassigned
Sep 30 15:33:50: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface Fa5/0/2, new MAC address (1062.e51b.b0ad) is seen.AuditSessionID  Unassigned
Sep 30 15:33:53: %AUTHMGR-5-START: Starting 'mab' for client (001a.e8be.375d) on Interface Fa5/0/1 AuditSessionID C0A8F622000009AB1B4E4A05
Sep 30 15:33:53: RADIUS/ENCODE(00000FD3):Orig. component type = DOT1X
Sep 30 15:33:53: RADIUS(00000FD3): Config NAS IP: 192.168.246.34
Sep 30 15:33:53: RADIUS(00000FD3): Send Access-Request to 10.**.**.**:1812 id 1645/144, len 214
Sep 30 15:33:53: RADIUS(00000FD3): Started 5 sec timeout
Sep 30 15:33:53: RADIUS: Received from id 1645/144 10.**.**.**:1812, Access-Accept, len 272
Sep 30 15:33:53: RADIUS/DECODE: parse unknown cisco vsa "profile-name" - IGNORE
Sep 30 15:33:53: %MAB-5-SUCCESS: Authentication successful for client (001a.e8be.375d) on Interface Fa5/0/1 AuditSessionID C0A8F622000009AB1B4E4A05
Sep 30 15:33:53: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (001a.e8be.375d) on Interface Fa5/0/1 AuditSessionID C0A8F622000009AB1B4E4A05
Sep 30 15:33:53: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface Fa5/0/1, new MAC address (001a.e8be.375d) is seen.AuditSessionID  C0A8F622000009AB1B4E4A05
Sep 30 15:33:54: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface Fa5/0/2, new MAC address (1062.e51b.b0ad) is seen.AuditSessionID  Unassigned

 

2 Comments
CarlCarlson
Beginner

Hello,

 

It might help if we could see the port configs, but based on what you posted it appears that the switch is placing the ports into Error Disabled state, which is why you needed to bounce them. Based on the message "Sep 30 15:33:53: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface Fa5/0/1, new MAC address (001a.e8be.375d) is seen.AuditSessionID  C0A" I would guess that you have some kind of port security on the port itself, or maybe sticky MAC, where the switch only allows an already registered MAC to connect to a port. It is recommended to remove port security like that when using ISE. If that's not the case then you may need to enable "authentication mac-move permit" on the switch.

 

Hope this helps!

craiglebutt
Enthusiast

Hi, this is the config. I have since replaced "authentication violation restrict" with "authentication violation replace", just waiting on my colleague to test.

 

switchport access vlan 2***
switchport mode access
switchport voice vlan 3***
no logging event link-status
authentication event fail action next-method
authentication event server dead action authorize vlan 2***
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication open
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 7
dot1x max-reauth-req 3
no mdix auto
spanning-tree portfast
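As an added example (not from the thread or either poster), a small Python script that parses switch syslog lines like those posted above, groups SECURITY_VIOLATION events per interface, flags MACs that passed MAB and were then reported as "new" on the same interface (the Fa5/0/1 pattern) or that raised violations with no session at all (the Fa5/0/2 pattern), and reads the configured `authentication violation` mode out of an interface config. The sample lines are copied from the output above; the mode descriptions are Cisco IOS behaviour.

```python
import re
from collections import defaultdict
# Sample syslog lines copied from the switch output posted in the thread.
SAMPLE_LOG = """\
Sep 30 15:33:29: %MAB-5-SUCCESS: Authentication successful for client (001a.e8be.375d) on Interface Fa5/0/1 AuditSessionID C0A8F622000009A91B4DED06
Sep 30 15:33:29: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface Fa5/0/1, new MAC address (001a.e8be.375d) is seen.AuditSessionID  C0A8F622000009A91B4DED06
Sep 30 15:33:37: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface Fa5/0/2, new MAC address (1062.e51b.b0ad) is seen.AuditSessionID  Unassigned
Sep 30 15:33:48: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface Fa5/0/2, new MAC address (1062.e51b.b0ad) is seen.AuditSessionID  Unassigned
"""
SUCCESS_RE = re.compile(r"%MAB-5-SUCCESS: .*client \(([0-9a-f.]+)\) on Interface (\S+) AuditSessionID (\S+)")
VIOLATION_RE = re.compile(r"%AUTHMGR-5-SECURITY_VIOLATION: .*interface ([^,]+), new MAC address "
                          r"\(([0-9a-f.]+)\) is seen\.AuditSessionID\s+(\S+)")
VIOLATION_MODE_RE = re.compile(r"^\s*authentication violation (\w+)", re.MULTILINE)
# What each IOS 'authentication violation' mode does when an unexpected MAC appears on the port.
VIOLATION_MODES = {
    "protect": "drops the new MAC silently; port stays up",
    "restrict": "drops the new MAC and logs SECURITY_VIOLATION; port stays up",
    "replace": "ends the current session and authenticates the new MAC",
    "shutdown": "err-disables the port until it is bounced or recovers",
}

def summarize_violations(log_text):
    """Group SECURITY_VIOLATION events per interface and flag the two patterns seen in the thread."""
    successes = defaultdict(set)  # interface -> MACs that MAB has authenticated so far
    report = defaultdict(lambda: {"violations": 0, "macs": set(),
                                  "authenticated_then_violated": set(), "unassigned_session": 0})
    for line in log_text.splitlines():
        ok = SUCCESS_RE.search(line)
        if ok:
            successes[ok.group(2)].add(ok.group(1))
            continue
        bad = VIOLATION_RE.search(line)
        if not bad:
            continue
        intf, mac, session = bad.groups()
        entry = report[intf]
        entry["violations"] += 1
        entry["macs"].add(mac)
        if session == "Unassigned":  # violation raised with no auth session attached at all
            entry["unassigned_session"] += 1
        if mac in successes[intf]:  # same MAC passed MAB, then was treated as 'new'
            entry["authenticated_then_violated"].add(mac)
    return dict(report)

def violation_mode(config_text):
    """Return (mode, description) from the interface's 'authentication violation' line; IOS defaults to shutdown."""
    m = VIOLATION_MODE_RE.search(config_text)
    mode = m.group(1) if m else "shutdown"
    return mode, VIOLATION_MODES.get(mode, "unknown mode")
```

Feed it `show logging` output and the interface config; a MAC in `authenticated_then_violated` together with a `restrict` mode is the combination the thread ends up changing.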
