802.1x Multi-Domain - Avaya Phone

Unanswered Question
Jan 11th, 2008

We are implementing Avaya IP Phones in 2960 switches with Cisco Multi-Domain Authentication but there is a strange behavior.

When the Phone is connected to the port of the switch, it puts the port in err-disable state (shutdown) and logs the following message:

05:24:35: %DOT1X-5-SECURITY_VIOLATION: Security violation on the interface FastEthernet0/45, new MAC address 0004.0de1.f533 is seen. f

05:24:35: %PM-4-ERR_DISABLE: security-violation error detected on Fa0/45, putting Fa0/45 in err-disable state

If a PC is connected to the port or the port is configured in single-host or multi-host mode there is no error but the customer need to use multi-domain to authenticate the PC and Phone.

Anyone see this? What could cause the errdisable state?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
HUBERT RESCH Wed, 01/16/2008 - 01:40

Hi, if you use MDA there is a maximum of 1 MAC-addresses authenticated per auhtentication domain (DATA, VOICE).

If both are authenticated PC in DATA and Phone in VOICE-Domain, and then the Phone is sending for example a packet untagged, so it appears in the DAT-domain. Because there is already the PC authenticated in the DATA-domain and a new MAC appears a security-violation occours and the port is err-disabled

hubert

Actions

This Discussion