Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2420
Views
0
Helpful
0
Replies

Regarding "authentication violation shutdown" cmd of 12.2(53)SE2

ilmin
Level 1
Level 1

‎09-07-2010 01:08 AM - edited ‎03-06-2019 12:51 PM

Dear Experts,

I have a question about an authentication violation issue on Cat2960.

HW/SW:

- WS-C2960G-8TC-L

- c2960-lanbasek9-mz.122-53.SE2.bin

Issue:

According to the following document, by default authentication violation shutdown mode is enabled.

Also, if that was configured "shutdown" as a default, the port should be become err-disable when a new device connects to a port.

However, a port does not become "errdisable" even if it was connected to non-allowed device.

It become "errdisable" in "dot1x violation-mode shutdown" of IOS12.2(46)SE.

---------------------------------------------

http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst2960/software/release/12.2_53_se/command/reference/cli1.html#wp11888832

Use the authentication violation interface configuration command to configure the violation modes that occur when a new device connects to a port or when a new device connects to a port after the maximum number of devices are connected to that port.

By default authentication violation shutdown mode is enabled.

----------------------------------------------

My question is following.

Why does not it become "errdisable" in 12.2(53)SE2? Is this an expected behavior on 12.2(53)SE2?

To configure an IEEE 802.1x-enabled port as error disabled and to shut down when a new device connects it, do we still need to configure the port?

Below is the configuration.

'authentication violation shutdown' cmd is invisible because of default.

=================================================

aaa new-model

!

!

aaa authentication login default line

aaa authentication dot1x default group radius

aaa authorization network default group radius

aaa accounting dot1x default start-stop group radius

!

dot1x system-auth-control

errdisable detect cause security-violation shutdown vlan

errdisable recovery cause security-violation

!

interface GigabitEthernet0/1

description 1x Access Port

switchport mode access

switchport nonegotiate

authentication port-control auto

authentication periodic

authentication timer reauthenticate 43200

mab eap

no snmp trap link-status

dot1x pae authenticator

dot1x timeout tx-period 1

no cdp enable

spanning-tree portfast

=================================================

If you have any questions regarding the content, please let me know.

Thank you very much for you help!

Regards,

Ilhong.

2 people had this problem
Labels:
0 Helpful
0 Replies 0
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card