
802.1x authentication violation restrict

tedauction
Level 1

Hello, I currently have all my ports configured with 802.1x and 'authentication violation restrict'.

I understand this will only allow one PC and one phone to connect. My question is: within what time period does that rule work? I.e. we often have users move computers between ports and there are never any errors; however, occasionally when someone swaps out a phone we do get the error:

'15749: Jul  7 02:19:38.884: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet2/0/10, new MAC address (8cec.4b23.3815) is seen.AuditSessionID  Unassigned'
Does this command, 'authentication violation restrict', only generate an error if a third MAC/device is seen on the port within a set amount of time?
So, would I be better to use the command 'authentication violation replace' rather than 'authentication violation restrict', as I don't care if users move devices between switch ports - I only care that they are restricted to one phone and one PC.
interface GigabitEthernet2/0/20
switchport access vlan 11
switchport mode access
switchport voice vlan 111
ip flow monitor NETFLOW-TRAFFIC input
authentication event fail action next-method
authentication event server dead action authorize vlan 11
authentication event server dead action authorize voice
authentication host-mode multi-domain
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
service-policy input Marking

Accepted Solution

Reza Sharifi
Hall of Fame

Hi,

Restrict mode just generates a syslog entry but does not shut down the port.

If you don't want to see these messages in the logs, use replace.

link:

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750e_3560e/software/release/12-2_55_se/configuration/guide/3750escg/sw8021x.html
authentication violation {shutdown | restrict | protect | replace}

or

dot1x violation-mode {shutdown | restrict | protect}

Configure the violation mode. The keywords have these meanings:

  • shutdown–Error disable the port.
  • restrict–Generate a syslog error.
  • protect–Drop packets from any new device that sends traffic to the port.
  • replace –Removes the current session and authenticates with the new host.

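Since 'restrict' leaves the port up and only emits the %AUTHMGR-5-SECURITY_VIOLATION message, that log line is the only signal a security team gets, so it is worth triaging rather than just muting. The following is an added example, not code from the original post or from Cisco: it parses lines in the message format quoted in the question (sequence number, timestamp, interface, offending MAC), groups them per interface, and flags ports where several different MACs tripped the violation. A single MAC repeating on a port is what a phone or PC swap looks like under 'restrict'; many distinct MACs on one port is the pattern worth investigating (hub, unmanaged switch, or someone probing the port). The sample log is constructed for the example; only the first line's format is taken from the post, and the threshold in flag_ports is an assumed default.

```python
import re
from collections import defaultdict

# Matches the %AUTHMGR-5-SECURITY_VIOLATION format quoted in the question.
# The leading "15749: " sequence number is optional; anything after
# "is seen" (e.g. "AuditSessionID Unassigned") is ignored.
VIOLATION_RE = re.compile(
    r"^(?:(?P<seq>\d+):\s+)?"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}(?:\.\d+)?):\s+"
    r"%AUTHMGR-5-SECURITY_VIOLATION:\s+Security violation on the interface\s+"
    r"(?P<intf>\S+),\s+new MAC address\s+"
    r"\((?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\)\s+is seen"
)


def parse_violation(line):
    """Return {seq, ts, intf, mac} for a SECURITY_VIOLATION line, else None."""
    m = VIOLATION_RE.match(line.strip())
    if not m:
        return None
    return {
        "seq": m.group("seq"),
        "ts": m.group("ts"),
        "intf": m.group("intf"),
        "mac": m.group("mac").lower(),
    }


def summarize(lines):
    """Group violations by interface: total count and the set of offending MACs."""
    per_port = defaultdict(lambda: {"count": 0, "macs": set()})
    for line in lines:
        rec = parse_violation(line)
        if rec is None:
            continue  # not a violation message (other syslog noise)
        per_port[rec["intf"]]["count"] += 1
        per_port[rec["intf"]]["macs"].add(rec["mac"])
    return dict(per_port)


def flag_ports(summary, max_distinct_macs=1):
    """Interfaces on which more than max_distinct_macs different MACs tripped
    the violation. The default of 1 is an assumption for this example: one
    repeating MAC is a device swap, several distinct MACs deserve a look."""
    return sorted(
        intf for intf, s in summary.items() if len(s["macs"]) > max_distinct_macs
    )


# Constructed sample log for this example (not taken from a real switch).
# Gi2/0/10: one MAC repeating, a benign swap. Gi2/0/20: three MACs in a second.
SAMPLE_LOG = """\
15749: Jul  7 02:19:38.884: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet2/0/10, new MAC address (8cec.4b23.3815) is seen.AuditSessionID  Unassigned
15750: Jul  7 02:19:40.102: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet2/0/10, new MAC address (8cec.4b23.3815) is seen.AuditSessionID  Unassigned
15751: Jul  7 02:20:01.455: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/20, changed state to up
15752: Jul  7 02:20:05.010: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet2/0/20, new MAC address (0011.2233.4455) is seen.AuditSessionID  Unassigned
15753: Jul  7 02:20:05.220: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet2/0/20, new MAC address (0011.2233.4456) is seen.AuditSessionID  Unassigned
15754: Jul  7 02:20:05.430: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet2/0/20, new MAC address (0011.2233.4457) is seen.AuditSessionID  Unassigned
"""

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG.splitlines())
    for intf, info in sorted(summary.items()):
        print(f"{intf}: {info['count']} violations, {len(info['macs'])} distinct MAC(s)")
    print("ports to look at:", flag_ports(summary))
```

Feed it the output of a syslog collector (or 'show logging' pasted into a file) rather than the constructed sample; the parser skips anything that is not a SECURITY_VIOLATION line. With 'replace' configured instead of 'restrict', these messages stop, and so does this visibility, so if you switch modes consider keeping an accounting record of session changes elsewhere.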
