I've got a really strange issue going on with MAB & dot1x, with ports going into security violation every now and again claiming a new MAC address is seen. Problem is, I know for sure that the clients aren't being changed on the ports, so I'm not sure where the new MAC address is coming from?
The ports are using:
MAB for Cisco phones
Dot1x for clients behind the phones.
A typical error is:
%AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet0/8, new MAC address (90b1.1c68.3e5e) is seen.AuditSessionID 0A011CE300000DDBB3DEFE36
description PORT 916
switchport mode access
switchport voice vlan 250
authentication control-direction in
authentication event fail retry 0 action authorize vlan 100
authentication event server dead action authorize vlan 200
authentication event no-response action authorize vlan 100
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication timer reauthenticate server
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree bpduguard enable
There are no timeouts on the AAA servers and NPS is configured to use the following order:
1. Dot1x for Windows group domain computers
2. MAB for Cisco phones for Windows group Cisco Phones (not member of domain computers)
We're testing with a 3560 (old but with 15.2) and a 2960s-psl (using 15.2) and we're getting the same issue, so I'm convinced it's some sort of misconfig rather than the switches/firmware.
I'm a little lost as to what's occurring here, so any pointers would be appreciated.
Even more strange is over the last 24 hours I've seen the new mac address seen as:
and the client hasn't been changed. The first 2 are jumping between G0/8 & G0/9?
What is the device connected to this port - interface GigabitEthernet0/8?
All ports have Cisco 6921 phones with Dell PCs behind them.
I think I may have found the culprit.......SCCM wake up proxy.
I was seeing MAC addresses of different PCs switching to different ports even though those PCs were not physically doing it. So I started to think "MAC flap", which finally led me to this post:
So, into SCCM and disabled the M$ version of wake on LAN called "Wake up proxy" and since that, all appears OK.
Early days yet but it's looking promising. Microsoft strikes again!!!
Glad you found the issue, I was guessing some VM in the PC, like a hypervisor.
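The symptom described in the thread (a PC's MAC address reported as "new" on ports it is not plugged into) can be picked out of the switch log directly. The following Python script is an added example, not part of the original posts: it parses AUTHMGR security-violation lines in the format quoted above and reports MACs seen on more than one port, plus MACs seen away from their expected port. The timestamps, the second and third log lines, and the `INVENTORY` mapping are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches the AUTHMGR violation message format quoted in the thread.
VIOLATION = re.compile(
    r"%AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface "
    r"(?P<intf>\S+), new MAC address \((?P<mac>[0-9a-fA-F.]+)\) is seen"
)

# Constructed sample log; only the first MAC/port pair comes from the thread.
SAMPLE_LOG = """\
Mar  1 09:14:02: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet0/8, new MAC address (90b1.1c68.3e5e) is seen.AuditSessionID 0A011CE300000DDBB3DEFE36
Mar  1 11:40:17: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet0/9, new MAC address (90b1.1c68.3e5e) is seen.AuditSessionID 0A011CE300000DDCB3E0AA10
Mar  1 12:05:51: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet0/3, new MAC address (0011.2233.4455) is seen.AuditSessionID 0A011CE300000DDDB3E1BB20
Mar  1 12:06:00: %LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to up
"""

# Hypothetical inventory: the port each PC is physically cabled to (assumption).
INVENTORY = {"90b11c683e5e": "GigabitEthernet0/12"}


def normalize_mac(mac):
    """Reduce dotted, colon or dash MAC notation to 12 lowercase hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def violations_by_mac(log_text):
    """Map each violating MAC to the set of interfaces it was reported on."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = VIOLATION.search(line)
        if m:
            seen[normalize_mac(m.group("mac"))].add(m.group("intf"))
    return dict(seen)


def flapping_macs(log_text):
    """MACs reported on more than one port: a flap rather than a new local host."""
    return {mac: sorted(ports)
            for mac, ports in violations_by_mac(log_text).items()
            if len(ports) > 1}


def foreign_macs(log_text, inventory):
    """(mac, seen_on, home_port) for known MACs reported away from their home port."""
    return sorted((mac, port, inventory[mac])
                  for mac, ports in violations_by_mac(log_text).items()
                  if mac in inventory
                  for port in ports if port != inventory[mac])


if __name__ == "__main__":
    print(flapping_macs(SAMPLE_LOG))
    print(foreign_macs(SAMPLE_LOG, INVENTORY))
```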