802.1x port security violation

tedauction
Level 1

Hello, I have just implemented dot1x wired configuration on my 'WS-C2960X-48FPD-L  15.0(2)EX4'. I am authenticating a phone via MAB and a connected computer via 802.1x computer authentication via a Windows NPS RADIUS server.

It is working fine apart from strange '%AUTHMGR-5-SECURITY_VIOLATION' events which shut the port down every time.

This is a summary of what occurs:
- computer d481.d7b7.1c04 authenticates successfully via dot1x.
- security violation occurs.
- interface comes back up immediately.
- authentication begins for computer d481.d7b7.1c04 via MAB and fails (expected).
- fails over to dot1x authentication for computer d481.d7b7.1c04 again. Seems to time out.
- MAB authentication begins for phone 0025.8416.b904 and is successful.
- dot1x authentication begins again for computer d481.d7b7.1c04. Seems to time out, then succeeds again.
- port security violation triggers again and shuts down the port permanently.
Here is the port configuration:

interface GigabitEthernet1/0/16
description DOT1X_TEST
switchport access vlan 58
switchport mode access
switchport voice vlan 158
switchport port-security maximum 100
ip flow monitor NETFLOW-TRAFFIC sampler NETFLOW-SAMPLER input
srr-queue bandwidth share 1 20 20 60
srr-queue bandwidth shape 10 0 0 0
priority-queue out
authentication event fail action next-method
authentication host-mode multi-domain
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
service-policy input Marking
end

I have attached the complete logs of the events outlined above, i.e. a port undergoing successful authentication of the phone and computer but then shutting down with a security violation:
7 Replies

Hi,

I don't see anything obviously wrong. The IOS version 'WS-C2960X-48FPD-L 15.0(2)EX4' you are using is old and appears to be a deferred release, so there are obviously issues with that release of code; perhaps it is worth upgrading to a newer version.

Other than that, the port security command you have configured, "switchport port-security maximum 100", won't be doing anything, as port security isn't enabled. If you were intending to use port security there'd be no need, as the command "authentication host-mode multi-domain" only permits 1 voice and 1 data authenticated device anyway. You may want to add the command "authentication violation restrict|shutdown|replace|protect", which would take an action when a new device connects to a port after the maximum number of devices are connected to that port.

HTH

Hello

Could be possible IOS bug CSCto61364

res
Paul

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

charlesjaynes
Level 1

I'm also having this problem. I can confirm that the AV pair device-traffic-class=voice is being issued by ISE and received at the switch. The workstation hits my policy for workstations and the phone hits the Cisco-IP-Phone authorization policy.

If I configure the port for "authentication host-mode multi-host" then both devices work but in the show authentication session output I only see the workstation in the DATA domain, no entry for the phone.

MEB
Level 1

Hi... Any luck in solving such issues? I am suffering from a very similar one.

Below is the associated discussion:

https://supportforums.cisco.com/t5/lan-switching-and-routing/catalyst-45-series-sup8e-802-1x-ports-getting-error-disabled/m-p/3338773#M406548

Best regards

My issue was that I was missing a simple "aaa authorization network" command in my config which would allow ISE to move the phone into the voice domain through CoA. Now each device shows up in the correct domain with "authentication host multi-domain" configured.

Hi... Thanks for your reply.

By "aaa authorization network" you mean the global AAA command layout?

I have "aaa authorization network default group radius if-authenticated" configured globally.


Correct. This is the command I'm talking about. Mine references a custom RADIUS server group, but same idea.
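The fixes suggested in the replies above (drop the dangling port-security line, set an explicit authentication violation action, and have the global "aaa authorization network" command in place so the RADIUS server can authorize the session and the phone can be moved into the voice domain), assembled as an added configuration example. This is not from the original thread or from the poster's switch; the RADIUS server address, shared key and the choice of "restrict" over "shutdown" are assumptions, and the dynamic-author block is only needed if the RADIUS server sends CoA.

```cisco
! --- Before (relevant lines from the thread): port-security maximum with
! --- port security never enabled, and no explicit authentication violation action
interface GigabitEthernet1/0/16
 switchport port-security maximum 100
 authentication host-mode multi-domain
 authentication order mab dot1x
 authentication priority dot1x mab

! --- After: global AAA so the switch asks RADIUS for authorization attributes
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
! Placeholder RADIUS server and key (assumptions, replace with your own)
radius-server host 192.0.2.10 key RADIUS_KEY_PLACEHOLDER
! Only if the RADIUS server issues CoA (e.g. to re-authorize the phone)
aaa server radius dynamic-author
 client 192.0.2.10 server-key RADIUS_KEY_PLACEHOLDER
dot1x system-auth-control

interface GigabitEthernet1/0/16
 description DOT1X_TEST
 switchport access vlan 58
 switchport mode access
 switchport voice vlan 158
 ! Remove the port-security line that did nothing without port security enabled
 no switchport port-security maximum
 authentication event fail action next-method
 authentication host-mode multi-domain
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 ! Explicit action when an extra device shows up in a domain: restrict keeps
 ! the port up and logs the violation, shutdown would err-disable the port
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast

! Verify the PC lands in the DATA domain and the phone in the VOICE domain
show authentication sessions interface GigabitEthernet1/0/16
```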