07-16-2013 05:58 AM - edited 03-07-2019 02:25 PM
Maybe someone experienced this issue and has an idea...
(<Text> means I replaced the text there.)
We have a PC-behind-phone configuration running in combination with dot1x.
Running configuration on the switch:
authentication event fail action authorize vlan <vlan>
authentication event no-response action authorize vlan <vlan>
authentication host-mode multi-domain
authentication port-control auto
authentication periodic
dot1x pae authenticator
dot1x timeout tx-period 10
dot1x timeout supp-timeout 10
dot1x max-reauth-req 1
As the PC is not authenticated by our RADIUS server, it falls back to Unknown MAC:
Jul 12 07:02:35: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (Unknown MAC) on Interface <Interface> AuditSessionID <SessionID>
show authentication sessions
Interface    MAC Address  Method  Domain  Status         Session ID
<Interface>  (unknown)    N/A     DATA    Authz Success  <PCSessionID>
<Interface>  <PhoneMac>   dot1x   VOICE   Authz Success  <PhoneSessionID>
Running version 12.2(55), the PC tried to authenticate once when connected; only the phone itself reauthenticated once an hour.
After upgrading to 15.0(2)SE2 or 15.0(2)SE4, the PC also tries to reauthenticate after reauthenticating the phone after 1 hour:
Jul 12 14:15:16: %DOT1X-5-SUCCESS: Authentication successful for client (<PhoneMac>) on Interface <Interface> AuditSessionID <PhoneSessionID>
Jul 12 14:15:16: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (<PhoneMac>) on Interface <Interface> AuditSessionID <PhoneSessionID>
Jul 12 14:15:17: %AUTHMGR-5-START: Starting 'dot1x' for client (<PhoneMac>) on Interface <Interface> AuditSessionID <PhoneSessionID>
Jul 12 14:15:17: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (<PhoneMac>) on Interface <Interface> AuditSessionID <PhoneSessionID>
Jul 12 14:15:27: %DOT1X-5-FAIL: Authentication failed for client (<PCMac>) on Interface <Interface> AuditSessionID <PCSessionID>
Jul 12 14:15:27: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (<PCMac>) on Interface <Interface> AuditSessionID <PCSessionID>
Jul 12 14:15:27: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (<PCMac>) on Interface <Interface> AuditSessionID <PCSessionID>
Jul 12 14:15:27: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (<PCMac>) on Interface <Interface> AuditSessionID <PCSessionID>
Unfortunately, the switch recognizes this as a security violation and shuts down the port:
Jul 12 14:15:27: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface <Interface>, new MAC address (<PCMac>) is seen.AuditSessionID <PCSession>
Jul 12 14:15:27: %PM-4-ERR_DISABLE: security-violation error detected on <Interface> putting <Interface> in err-disable state
Thanks in advance
07-22-2013 08:42 AM
As no one seems to have an answer again, I changed to the "authentication violation replace"-command, but I'm not that happy with it.
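An added example, not part of the original thread: a small Python triage script for the syslog pattern quoted above. It separates err-disable events where the "new" MAC had just exhausted its authentication methods on the same port (the sequence in the post) from violations by a MAC with no such history. The interface names, MAC addresses, session IDs and the two cause labels are assumptions of this example, and timestamps are ignored for brevity.

```python
import re

# Constructed sample in the format of the log lines quoted in the post;
# interface names, MAC addresses and session IDs are made up.
SAMPLE = """\
Jul 12 14:15:16: %DOT1X-5-SUCCESS: Authentication successful for client (0011.2233.4455) on Interface Gi1/0/7 AuditSessionID AAAA0001
Jul 12 14:15:27: %DOT1X-5-FAIL: Authentication failed for client (00aa.bbcc.ddee) on Interface Gi1/0/7 AuditSessionID AAAA0002
Jul 12 14:15:27: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (00aa.bbcc.ddee) on Interface Gi1/0/7 AuditSessionID AAAA0002
Jul 12 14:15:27: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (00aa.bbcc.ddee) on Interface Gi1/0/7 AuditSessionID AAAA0002
Jul 12 14:15:27: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface Gi1/0/7, new MAC address (00aa.bbcc.ddee) is seen.AuditSessionID AAAA0002
Jul 12 14:15:27: %PM-4-ERR_DISABLE: security-violation error detected on Gi1/0/7 putting Gi1/0/7 in err-disable state
Jul 12 14:20:01: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface Gi1/0/9, new MAC address (00ff.0000.0001) is seen.AuditSessionID AAAA0003
Jul 12 14:20:01: %PM-4-ERR_DISABLE: security-violation error detected on Gi1/0/9 putting Gi1/0/9 in err-disable state
"""

MNEMONIC = re.compile(r"%([A-Z0-9_]+-\d-[A-Z_]+):")
IFACE = re.compile(r"(?:[Ii]nterface|detected on) ([^\s,]+)")
MAC = re.compile(r"\(([0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4})\)")

def triage(log_text):
    """Return one finding per SECURITY_VIOLATION line, in log order."""
    exhausted = set()   # (interface, mac) pairs that hit NOMOREMETHODS
    pending = {}        # interface -> finding still waiting for ERR_DISABLE
    findings = []
    for line in log_text.splitlines():
        m, i = MNEMONIC.search(line), IFACE.search(line)
        if not (m and i):
            continue
        event, iface = m.group(1), i.group(1)
        mac = MAC.search(line)
        mac = mac.group(1).lower() if mac else None
        if event == "AUTHMGR-7-NOMOREMETHODS":
            exhausted.add((iface, mac))
        elif event == "AUTHMGR-5-SECURITY_VIOLATION":
            # Labels are this example's heuristic, not Cisco terminology.
            cause = "fallback-reauth" if (iface, mac) in exhausted else "new-mac"
            finding = {"interface": iface, "mac": mac,
                       "cause": cause, "err_disabled": False}
            findings.append(finding)
            pending[iface] = finding
        elif event == "PM-4-ERR_DISABLE" and iface in pending:
            pending.pop(iface)["err_disabled"] = True
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f)
```

Ports reported as "fallback-reauth" match the reauthentication sequence described in the post; "new-mac" ports had no preceding method exhaustion for that address and warrant a closer look.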