
15.0(2), dot1x, Cisco Phone and PC behind phone

Christoph Faber
Level 1

Maybe someone experienced this issue and has an idea...

(<Text> means I replaced the text there.)

We have a pc behind phone configuration running in combination with dot1x.

Running configuration on the switch:

authentication event fail action authorize vlan <vlan>

authentication event no-response action authorize vlan <vlan>

authentication host-mode multi-domain

authentication port-control auto

authentication periodic

dot1x pae authenticator

dot1x timeout tx-period 10

dot1x timeout supp-timeout 10

dot1x max-reauth-req 1

As the PC is not authenticated by our radius-server, it falls back to Unknown MAC:

Jul 12 07:02:35: %AUTHMGR-5-SUCCESS: Authorization succeeded for client  (Unknown MAC) on Interface <Interface> AuditSessionID  <SessionID>

show authentication sessions

Interface  MAC Address     Method   Domain   Status         Session ID

<Interface>      (unknown)       N/A      DATA     Authz Success  <PCSessionID>

<Interface>      <PhoneMac> dot1x    VOICE    Authz Success  <PhoneSessionID>

Running version 12.2(55), the PC tried to authenticate once when connected; only the phone itself reauthenticated once an hour.

After upgrading to 15.0(2)SE2 or 15.0(2)SE4, the PC also tries to reauthenticate after the phone reauthenticates after 1 hour:

Jul 12 14:15:16: %DOT1X-5-SUCCESS: Authentication successful for client  (<PhoneMac>) on Interface <Interface> AuditSessionID  <PhoneSessionID>

Jul 12 14:15:16: %AUTHMGR-7-RESULT: Authentication result 'success' from  'dot1x' for client (<PhoneMac>) on Interface <Interface>  AuditSessionID <PhoneSessionID>

Jul 12 14:15:17: %AUTHMGR-5-START: Starting 'dot1x' for client  (<PhoneMac>) on Interface <Interface> AuditSessionID <PhoneSessionID>

Jul 12 14:15:17: %AUTHMGR-5-SUCCESS: Authorization succeeded for client  (<PhoneMac>) on Interface <Interface> AuditSessionID <PhoneSessionID>

Jul 12 14:15:27: %DOT1X-5-FAIL: Authentication failed for client  (<PCMac>) on Interface <Interface> AuditSessionID  <PCSessionID>

Jul 12 14:15:27: %AUTHMGR-7-RESULT: Authentication result 'no-response'  from 'dot1x' for client (<PCMac>) on Interface <Interface>  AuditSessionID <PCSessionID>

Jul 12 14:15:27: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for  client (<PCMac>) on Interface <Interface> AuditSessionID <PCSessionID>

Jul 12 14:15:27: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication  methods for client (<PCMac>) on Interface <Interface> AuditSessionID <PCSessionID>

Unfortunately, the switch recognizes this as a security violation and shuts down the port:

Jul 12 14:15:27: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on  the interface <Interface>, new MAC address (<PCMac>) is  seen.AuditSessionID  <PCSession>

Jul 12 14:15:27: %PM-4-ERR_DISABLE: security-violation error detected on <Interface> putting <Interface> in err-disable state

Thanks in advance

1 Reply

Christoph Faber
Level 1

As no one seems to have an answer again, I changed to the "authentication violation replace"-command, but I'm not that happy with it.
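For triaging switch syslog for the pattern described in this thread, the following is an added example and not part of the original posts. It separates security violations raised for a MAC that had just exhausted its authentication methods on the same port from violations raised for a MAC with no prior authentication attempt; the function name `triage`, the labels `auth-exhausted` and `new-mac`, and all sample values are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the log lines quoted in the thread;
# interface names, MAC addresses and session IDs are made up.
SAMPLE_LOG = """\
Jul 12 14:15:17: %AUTHMGR-5-SUCCESS: Authorization succeeded for client  (0011.2233.4455) on Interface Gi1/0/5 AuditSessionID 0A0000010000002A
Jul 12 14:15:27: %DOT1X-5-FAIL: Authentication failed for client  (aabb.ccdd.eeff) on Interface Gi1/0/5 AuditSessionID  0A0000010000002B
Jul 12 14:15:27: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication  methods for client (aabb.ccdd.eeff) on Interface Gi1/0/5 AuditSessionID 0A0000010000002B
Jul 12 14:15:27: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on  the interface Gi1/0/5, new MAC address (aabb.ccdd.eeff) is  seen.AuditSessionID  0A0000010000002B
Jul 12 14:15:27: %PM-4-ERR_DISABLE: security-violation error detected on Gi1/0/5 putting Gi1/0/5 in err-disable state
Jul 12 14:20:00: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on  the interface Gi1/0/9, new MAC address (dead.beef.0001) is  seen.AuditSessionID  0A0000010000002C
"""

LINE = re.compile(r"^(?P<ts>\w+ +\d+ [\d:]+): %(?P<tag>[A-Z0-9_]+-\d-[A-Z_]+): (?P<msg>.*)$")
MAC = re.compile(r"\(([0-9A-Fa-f.:-]+)\)")
IFACE = re.compile(r"[Ii]nterface (\S+?),? ")
ERRDIS = re.compile(r"detected on (\S+) putting")

def triage(log_text):
    """Return one finding per AUTHMGR-5-SECURITY_VIOLATION line."""
    exhausted = set()               # (interface, mac) that ran out of auth methods
    authorized = defaultdict(set)   # interface -> MACs with an authorized session
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        tag, msg = m["tag"], m["msg"]
        if tag == "PM-4-ERR_DISABLE" and (port := ERRDIS.search(msg)):
            for f in findings:      # mark violations on the port that was shut down
                f["err_disabled"] |= f["interface"] == port.group(1)
            continue
        mac, iface = MAC.search(msg), IFACE.search(msg)
        if not (mac and iface):
            continue
        key = (iface.group(1), mac.group(1).lower())
        if tag == "AUTHMGR-7-NOMOREMETHODS":
            exhausted.add(key)
        elif tag == "AUTHMGR-5-SUCCESS":
            authorized[key[0]].add(key[1])
        elif tag == "AUTHMGR-5-SECURITY_VIOLATION":
            findings.append({
                "time": m["ts"], "interface": key[0], "mac": key[1],
                "cause": "auth-exhausted" if key in exhausted else "new-mac",
                "other_clients": sorted(authorized[key[0]] - {key[1]}),
                "err_disabled": False,
            })
    return findings
```

Calling `triage(SAMPLE_LOG)` returns a list of dictionaries; an `auth-exhausted` finding with `err_disabled` set matches the sequence in the question, while a `new-mac` finding has no preceding authentication failure for that MAC in the log.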
