dot1.x port errdisables

gcook0001
Level 1

I currently have the following setup mostly working.

If I have a computer plugged into the phone and then plug the phone in to the network everything works.

I plug my phone in and it is put on the voice vlan.

The computer that plugs into the phone does one of two things. If it authenticates, it is put on our main vlan. If it doesn't authenticate, it is put on the guest vlan.

The part I am having an issue with is this: if the phone is plugged in and working and I then plug in a computer, the port errdisables. I shut/no shut the port and everything comes up as expected. So the only issue I have left to figure out is why plugging a computer into the phone while the phone is up causes an errdisable.

switch: Catalyst 9407R - version 17.3

service-template webauth-global-inactive
 inactivity-timer 3600
service-template DEFAULT_LINKSEC_POLICY_MUST_SECURE
 linksec policy must-secure
service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
 linksec policy should-secure
service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
 voice vlan
service-template DEFAULT_CRITICAL_DATA_TEMPLATE
service-template GUEST_VLAN_EAP-TLS
 vlan 307
service-template AUTH_FAIL_VLAN_EAP-TLS
 vlan 307
service-template SSMIC
 vlan 290
service-template CRITICAL-VOICE
 voice vlan

policy-map type control subscriber POLICY_EAP_TLS_2
 event authentication-failure match-first
  10 class AAA-SVR-DOWN-UNAUTHD-HOST do-until-failure
   10 activate service-template CRITICAL-VOICE
   30 authorize
   40 pause reauthentication
  20 class AAA-SVR-DOWN-AUTHD-HOST do-until-failure
   10 pause reauthentication
  30 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 activate service-template GUEST_VLAN_EAP-TLS
   30 authorize
 event agent-found match-all
  10 class always do-until-failure
   10 authenticate using dot1x priority 10
 event authentication-success match-all
  10 class always do-until-failure
   10 activate service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE

interface GigabitEthernet2/0/21
 description Gord Desk
 switchport access vlan 290
 switchport mode access
 switchport voice vlan 301
 authentication periodic
 authentication timer reauthenticate server
 access-session host-mode multi-domain
 access-session port-control auto
 mab eap
 dot1x pae authenticator
 dot1x timeout quiet-period 10
 dot1x timeout tx-period 3
 dot1x timeout supp-timeout 10
 dot1x max-req 10
 dot1x max-reauth-req 1
 spanning-tree portfast
 service-policy type control subscriber POLICY_EAP-TLS
end

8 Replies

balaji.bandi
Hall of Fame

This is the example we use, and it is a working one (hope this helps you):

 switchport access vlan 2***
 switchport mode access
 switchport voice vlan 3***
 no logging event link-status
 authentication event fail action next-method
 authentication event server dead action authorize vlan 2***
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication open
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 3
 no mdix auto
 spanning-tree portfast

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Thanks, except this solution doesn't allow for failover to a guest network when unauthorized. That is a requirement for us.

marce1000
VIP

 - Post the log entry from when the port gets disabled; the reason for disabling the port may be included there too.

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

Oct 25 13:04:10 UTC: %PM-4-ERR_DISABLE: security-violation error detected on Gi2/0/21, putting Gi2/0/21 in err-disable state
Oct 25 13:04:10 UTC: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet2/0/21, new MAC address (5cb9.01ab.30ae) is seen.AuditSessionID Unassigned
Oct 25 13:04:11 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/0/21, changed state to down
Oct 25 13:04:12 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/21, changed state to down
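A small log-correlation script, added here as an example and not part of any post in this thread: it takes the syslog lines above (embedded as constructed sample input, with the interface and MAC as quoted in the post), normalises the two interface spellings IOS uses (Gi2/0/21 versus GigabitEthernet2/0/21), and pairs each %PM-4-ERR_DISABLE with the %AUTHMGR-5-SECURITY_VIOLATION on the same port that names the offending MAC. This is the kind of record a monitoring rule would key on to alert on err-disabled 802.1X ports instead of waiting for a user to report a dead desk.

```python
import re
from datetime import datetime

# Constructed sample input: the four syslog lines quoted in the thread above.
SAMPLE_LOG = """\
Oct 25 13:04:10 UTC: %PM-4-ERR_DISABLE: security-violation error detected on Gi2/0/21, putting Gi2/0/21 in err-disable state
Oct 25 13:04:10 UTC: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet2/0/21, new MAC address (5cb9.01ab.30ae) is seen.AuditSessionID Unassigned
Oct 25 13:04:11 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/0/21, changed state to down
Oct 25 13:04:12 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/21, changed state to down
"""

TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})"
ERRDISABLE_RE = re.compile(
    TS + r" \S+: %PM-4-ERR_DISABLE: (?P<cause>[\w-]+) error detected on (?P<intf>\S+),")
VIOLATION_RE = re.compile(
    TS + r" \S+: %AUTHMGR-5-SECURITY_VIOLATION: .*?interface (?P<intf>\S+), "
    r"new MAC address \((?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\)")

# IOS abbreviates the interface name in some messages and spells it out in others.
ABBREV = {"TenGigabitEthernet": "Te", "GigabitEthernet": "Gi", "FastEthernet": "Fa"}

def short_intf(name: str) -> str:
    for long, short in ABBREV.items():
        if name.startswith(long):
            return short + name[len(long):]
    return name

def parse_ts(ts: str) -> datetime:
    # The syslog stamp carries no year; only the deltas between lines matter here.
    return datetime.strptime(ts, "%b %d %H:%M:%S")

def errdisable_events(log_text: str, window_s: int = 5) -> list:
    """One record per ERR_DISABLE, enriched with the MAC from a SECURITY_VIOLATION
    on the same (normalised) port within window_s seconds, or None if no match."""
    violations, events = [], []
    for line in log_text.splitlines():
        m = VIOLATION_RE.search(line)
        if m:
            violations.append((parse_ts(m["ts"]), short_intf(m["intf"]), m["mac"]))
    for line in log_text.splitlines():
        m = ERRDISABLE_RE.search(line)
        if not m:
            continue
        ts, intf = parse_ts(m["ts"]), short_intf(m["intf"])
        mac = next((v[2] for v in violations
                    if v[1] == intf and abs((v[0] - ts).total_seconds()) <= window_s), None)
        events.append({"time": m["ts"], "interface": intf,
                       "cause": m["cause"], "offending_mac": mac})
    return events

if __name__ == "__main__":
    for event in errdisable_events(SAMPLE_LOG):
        print(event)
```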


   - FYI : https://bst.cloudapps.cisco.com/bugsearch/bug/CSCto61364

 M.




gcook0001
Level 1

Thanks everyone. The comments have helped me in the right direction. I have made significant changes since the original post based on the comments.

Is that resolved? If so, tell us the solution and mark the thread as resolved.


BB


No, it is not resolved. After reviewing the responses I realized I was making a few mistakes and am in the process of correcting them and getting this to work.
