802.1x not working

kacwilso
Level 1

I am trying to set up 802.1x on a 2960 running 12.2.53 SE2.

Here is the configuration of the interface:

interface GigabitEthernet1/0/9
switchport access vlan 205
switchport mode access
switchport nonegotiate
authentication event fail action authorize vlan 205
authentication event no-response action authorize vlan 205
authentication host-mode multi-host   
authentication order dot1x
authentication port-control auto
authentication periodic
authentication timer reauthenticate 1800
authentication violation restrict
dot1x pae authenticator
dot1x timeout quiet-period 2
dot1x timeout tx-period 2
spanning-tree portfast
end

show dot1x all summary

Interface       PAE     Client          Status
--------------------------------------------------------
Gi1/0/9         AUTH    001b.4f58.91d1  AUTHORIZED

But I am getting this message in the log when the phone tries to connect to the port:

Jun 13 09:54:35.876 MDT: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface Gi1/0/9, new MAC address (1cc1.de59.2fbc) is seen.AuditSessionID  Unassigned

The host-mode multi-host command does not appear to be working. The user has already authenticated, so anything else should be able to connect to that interface.

Any suggestions?


bravotom99
Level 1

I know this thread is very old, but did you ever find an answer to this issue? I am seeing something very similar with the seen.AuditSessionID Unassigned error.

Your RADIUS server needs to send the VSA Cisco-AV-Pair "device-traffic-class=voice" so that the switch puts the switch port into the voice domain to activate the Voice VLAN from the phones.  Having your phones fall to the data domain is a classic problem of the missing VSA.  Additionally, you want to have the switch port fail open for voice devices to "save the phones" in a server-dead scenario as well as provide users with an option to get to the critical VLAN:

authentication event server dead action authorize vlan 205

authentication event server dead action authorize voice

If a RADIUS server fails to respond, the switch will authorize the static voice VLAN.

Don't do "authentication periodic" with IP phones. This can cause disruptions in an existing phone conversation, as during authentication the phone will lose network access until authentication succeeds (or a server dead event).

You will also want to provide a way to get users out of the auth-fail VLAN, guest VLAN, or critical VLAN (for you and me these are usually the same, your VLAN 205) if your dead server returns, and have the switch rerun dot1x:

authentication event server alive action reinit


Good luck!
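The checklist in the reply above as a small audit script, added here as an example and not code from the thread or from Cisco: it splits a running-config into interface blocks, flags dot1x ports that lack the server-dead/server-alive commands or still carry "authentication periodic", and pulls the interface and MAC out of the AUTHMGR-5-SECURITY_VIOLATION line the original poster quoted. The sample config is constructed for the example.

```python
import re
# Constructed sample (not from the thread): Gi1/0/9 mirrors the poster's
# settings, Gi1/0/10 carries the commands the reply recommends.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/9
 authentication host-mode multi-host
 authentication periodic
 dot1x pae authenticator
!
interface GigabitEthernet1/0/10
 authentication event server dead action authorize vlan 205
 authentication event server dead action authorize voice
 authentication event server alive action reinit
 dot1x pae authenticator
!
"""
# Commands the reply says a phone-facing dot1x port should carry or avoid.
REQUIRED = ("authentication event server dead action authorize voice",
            "authentication event server alive action reinit")
DISCOURAGED = ("authentication periodic",)
VIOLATION_RE = re.compile(
    r"%AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface "
    r"(?P<iface>\S+), new MAC address \((?P<mac>[0-9a-f.]+)\) is seen")

def parse_interfaces(config):
    """Return {interface name: [config lines]} for each 'interface' block."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line == "!" or not line:
            current = None
        elif current is not None:
            blocks[current].append(line)
    return blocks

def audit_interface(lines):
    """Findings for one dot1x port: missing or discouraged commands."""
    if "dot1x pae authenticator" not in lines:
        return []  # not a dot1x authenticator port, nothing to audit
    findings = [f"missing: {c}" for c in REQUIRED if c not in lines]
    findings += [f"discouraged: {c}" for c in DISCOURAGED if c in lines]
    return findings

def parse_violation(syslog_line):
    """Return (interface, mac) from an AUTHMGR-5-SECURITY_VIOLATION line."""
    m = VIOLATION_RE.search(syslog_line)
    return (m.group("iface"), m.group("mac")) if m else None
```

Feed it the output of "show running-config" and the syslog lines from the switch; a port that appears in both the violation output and the findings list is the one to fix first.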
