cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
887
Views
15
Helpful
8
Replies

dot1.x port errdisables

gcook0001
Level 1
Level 1

I currently have the following setup mostly working.

If I have a computer plugged into the phone and then plug the phone in to the network everything works.

I plug my phone in and it is put on the voice vlan.

The computer that plugs in to the phone does one of two things.  If it authenticates it is put on our main vlan.   If it doesn't authenticate it is put on the guest vlan.

The part I am having an issue with is if the phone is plugged in and working and then I plug in a computer the port errdisables.  I shut/no shut the port and everything comes up as expected.  So the only issue I have left to figure out is why when I plug a computer in the phone while it is up it causes an errdisable.

 

switch: cataylst 9407r - version 17.3

 

service-template webauth-global-inactive
inactivity-timer 3600
service-template DEFAULT_LINKSEC_POLICY_MUST_SECURE
linksec policy must-secure
service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
linksec policy should-secure
service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
voice vlan
service-template DEFAULT_CRITICAL_DATA_TEMPLATE
service-template GUEST_VLAN_EAP-TLS
vlan 307
service-template AUTH_FAIL_VLAN_EAP-TLS
vlan 307
service-template SSMIC
vlan 290
service-template CRITICAL-VOICE
voice vlan

policy-map type control subscriber POLICY_EAP_TLS_2
event authentication-failure match-first
10 class AAA-SVR-DOWN-UNAUTHD-HOST do-until-failure
10 activate service-template CRITICAL-VOICE
30 authorize
40 pause reauthentication
20 class AAA-SVR-DOWN-AUTHD-HOST do-until-failure
10 pause reauthentication
30 class DOT1X_NO_RESP do-until-failure
10 terminate dot1x
20 activate service-template GUEST_VLAN_EAP-TLS
30 authorize
event agent-found match-all
10 class always do-until-failure
10 authenticate using dot1x priority 10
event authentication-success match-all
10 class always do-until-failure
10 activate service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE

 

interface GigabitEthernet2/0/21
description Gord Desk
switchport access vlan 290
switchport mode access
switchport voice vlan 301
authentication periodic
authentication timer reauthenticate server
access-session host-mode multi-domain
access-session port-control auto
mab eap
dot1x pae authenticator
dot1x timeout quiet-period 10
dot1x timeout tx-period 3
dot1x timeout supp-timeout 10
dot1x max-req 10
dot1x max-reauth-req 1
spanning-tree portfast
service-policy type control subscriber POLICY_EAP-TLS
end

 

8 Replies 8

balaji.bandi
Hall of Fame
Hall of Fame

this is the example we use and working one : (hope this helps you)

 

switchport access vlan 2***

 switchport mode access

 switchport voice vlan 3***

 no logging event link-status

 authentication event fail action next-method

 authentication event server dead action authorize vlan 2***

 authentication event server dead action authorize voice

 authentication event server alive action reinitialize

 authentication host-mode multi-domain

 authentication open

 authentication order mab dot1x

 authentication priority dot1x mab

 authentication port-control auto

 authentication periodic

 authentication timer reauthenticate server

 authentication violation restrict

 mab

 dot1x pae authenticator

 dot1x timeout tx-period 3

 no mdix auto

 spanning-tree portfast

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Thanks except this solution doesn't allow for failover to a guest network when unauthorized.   That is a requirement for us.

marce1000
VIP
VIP

 

 - Post log-entry when port gets disabled , addition reason for disabling the port  may be included then too

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Oct 25 13:04:10 UTC: %PM-4-ERR_DISABLE: security-violation error detected on Gi2/0/21, putting Gi2/0/21 in err-disable state
Oct 25 13:04:10 UTC: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet2/0/21, new MAC address (5cb9.01ab.30ae) is seen.AuditSessionID Unassigned
Oct 25 13:04:11 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/0/21, changed state to down
Oct 25 13:04:12 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/21, changed state to down

 

   - FYI : https://bst.cloudapps.cisco.com/bugsearch/bug/CSCto61364

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

gcook0001
Level 1
Level 1

Thanks everyone.   The comments have helped me in the right direction.  I have made significant changes since the original post based on the comments.   

is that resolved ?  so tell us the solution and mark as resolved if this was resolved ?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

No it is not resolved.   After reviewing the responses I realized I was making a few mistakes and am in the process of correcting them and getting this to work.

Review Cisco Networking for a $25 gift card