06-30-2008 06:17 PM - edited 03-05-2019 11:54 PM
I have a problem with the following topology:
Switch 3560 as desktop connection
Avaya IP telephone 96xx Series with 802.1x
Workstation with 802.1x configured
The IP telephone and the workstation have the 802.1x authentication configured. At first everything is working. The problem is when I disconnect the first workstation, which is working, and connect a workstation that is not authorized to access the network. The 802.1x is working perfectly, as such, this workstation appears as dropped. But when I return the first workstation to the switch, it puts the port in error-disable with the following message:
"%DOT1X-5-SECURITY_VIOLATION: Security violation on the interface FastEthernet0/1, new MAC address 0016.4179.1592 is seen.
01:32:47: %PM-4-ERR_DISABLE: security-violation error detected on Fa0/1, putting Fa0/1 in err-disable state"
and communication with the IP phone and workstation.
I need to know how to resolve this situation
Following is the configuration that I used:
++++++++++++++++++++++++++++++++++++++++++++++++
3560:
aaa new-model
aaa authentication login default none
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
interface FastEthernet0/1
switchport access vlan 118
switchport mode access
switchport voice vlan 302
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
priority-queue out
mls qos trust cos
auto qos voip trust
dot1x pae authenticator
dot1x port-control auto
dot1x host-mode multi-domain
dot1x timeout reauth-period 30
spanning-tree portfast
interface FastEthernet0/24
switchport trunk encapsulation dot1q
switchport trunk native vlan 118
switchport trunk allowed vlan 118,302
switchport mode trunk
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
priority-queue out
mls qos trust cos
auto qos voip trust
radius-server host 180.188.188.50 auth-port 1645 acct-port 1646 key xxx
radius-server source-ports 1645-1646
+++++++++++++++++++++++++++++++++++++++++++++++++
Thanks, regards
07-04-2008 06:02 AM
Ensure that the interface is configured to support the number of attached hosts. Enter the shutdown interface configuration command and then the no shutdown interface configuration command to restart the port.
07-04-2008 06:39 AM
Cisco IP Phones have an '802.1x Proxy Disconnect' feature that 'snoops' 802.1x messages and will send an 802.1x disconnect to the switchport on behalf of the attached (now not attached..) 802.1x supplicant if the PC port is disconnected. This was added a while ago in most IP Phone firmware. Check to see if Avaya have implemented a similar feature, if not then you are a bit stuck. You could drop the timers down however it could get messy...
Andy
07-04-2008 09:42 AM
Hi Andy,
Thanks for your attention. I'll check with Avaya about the configuration, but I believe that this is implemented. I'd like to know, based on the configuration that I showed you, how to configure dropping the timers, which you told me about?
Tks
Marcelo
07-04-2008 10:51 AM
You need to enable 802.1x re-authentication and either configure a re-authentication timer or push the timer from the RADIUS server.
interface FastEthernet0/2
dot1x reauthentication
dot1x timeout reauth-period <seconds>
If you push the timer from RADIUS you need to send the Session-Timeout attribute (27) with a valid time period.
HTH
Andy
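The following is an added example, not code from the thread or from Cisco or Avaya: a simplified Python model of a multi-domain (MDA) access port, with one MAC allowed in the data domain and one in the voice domain. It replays the sequence Marcelo describes (PC A authorizes, is unplugged, an unauthorized PC B is connected, then PC A comes back) and shows why a stale data-domain entry turns the next MAC into a security violation that err-disables the port, and how the two remedies Andy names clear that entry: the phone proxying an EAPOL-Logoff when its PC port drops, or periodic re-authentication with a reauth-period, whether configured locally or pushed by RADIUS as Session-Timeout (attribute 27). The MAC labels, the RADIUS attribute bytes, the "held" treatment of a failed host and the assumption that a host which does not answer re-authentication is removed are all constructed for the model; they are not IOS internals.

```python
"""Simplified model of an 802.1X multi-domain access port (added example).

Assumptions (not taken from IOS): one MAC per domain; a host that fails
authentication still occupies its domain until it ages out; a host that does
not answer re-authentication is removed; a second MAC in an occupied domain is
a security violation that err-disables the port.
"""

import struct
from dataclasses import dataclass, field
from typing import Optional

RADIUS_SESSION_TIMEOUT = 27  # RADIUS attribute type Session-Timeout (RFC 2865)


def parse_radius_avps(payload: bytes) -> dict:
    """Parse RADIUS attribute-value pairs (Type, Length, Value) into a dict."""
    avps, pos = {}, 0
    while pos + 2 <= len(payload):
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("malformed RADIUS attribute")
        avps[atype] = payload[pos + 2:pos + alen]
        pos += alen
    return avps


def session_timeout_from_accept(payload: bytes) -> Optional[int]:
    """Return the Session-Timeout (seconds) pushed by RADIUS, or None if absent."""
    value = parse_radius_avps(payload).get(RADIUS_SESSION_TIMEOUT)
    return struct.unpack("!I", value)[0] if value else None


@dataclass
class MdaPort:
    reauth_period: Optional[int] = None        # None: no re-authentication (poster's config)
    entries: dict = field(default_factory=dict)  # domain -> MAC occupying it
    err_disabled: bool = False
    log: list = field(default_factory=list)

    def frame_seen(self, domain: str, mac: str, supplicant_ok: bool) -> str:
        """A frame from `mac` arrives in `domain` ('data' or 'voice')."""
        if self.err_disabled:
            return "err-disabled"
        current = self.entries.get(domain)
        if current is not None and current != mac:
            # Second MAC in an occupied domain: the %DOT1X-5-SECURITY_VIOLATION case.
            self.err_disabled = True
            self.log.append(f"SECURITY_VIOLATION {domain}: new MAC {mac} while {current} present")
            return "violation"
        self.entries[domain] = mac
        state = "authorized" if supplicant_ok else "held"
        self.log.append(f"{domain}: {mac} {state}")
        return state

    def eapol_logoff(self, domain: str, mac: str) -> None:
        """Remedy 1: the phone proxies an EAPOL-Logoff for the PC it lost."""
        if self.entries.get(domain) == mac:
            del self.entries[domain]
            self.log.append(f"{domain}: {mac} removed by EAPOL-Logoff")

    def reauth_timer_fires(self, responding_macs: set) -> None:
        """Remedy 2: re-authentication; hosts that do not answer are dropped."""
        if self.reauth_period is None:
            return
        for domain, mac in list(self.entries.items()):
            if mac not in responding_macs:
                del self.entries[domain]
                self.log.append(f"{domain}: {mac} removed, no reply to re-auth")


def scenario(proxy_logoff: bool, reauth_period: Optional[int]):
    """Replay the thread's sequence; return (outcome for PC A, port err-disabled)."""
    port = MdaPort(reauth_period=reauth_period)
    port.frame_seen("voice", "AVAYA-PHONE", True)   # constructed MAC labels
    port.frame_seen("data", "PC-A", True)           # PC A authorizes
    if proxy_logoff:                                # PC A is unplugged from the phone
        port.eapol_logoff("data", "PC-A")
    port.reauth_timer_fires({"AVAYA-PHONE"})        # only the phone still answers
    port.frame_seen("data", "PC-B", False)          # unauthorized PC B is connected
    if proxy_logoff:                                # PC B is unplugged again
        port.eapol_logoff("data", "PC-B")
    port.reauth_timer_fires({"AVAYA-PHONE"})
    return port.frame_seen("data", "PC-A", True), port.err_disabled


if __name__ == "__main__":
    # Constructed Access-Accept attribute bytes: Session-Timeout = 30 seconds.
    period = session_timeout_from_accept(b"\x1b\x06\x00\x00\x00\x1e")
    for proxy, reauth in ((False, None), (False, period), (True, None)):
        print(f"proxy_logoff={proxy} reauth_period={reauth}: {scenario(proxy, reauth)}")
```

With neither remedy the model reproduces the thread's outcome: PC A's stale entry (or the held entry of the failed PC B) is still in the data domain when the next MAC shows up, so the port goes err-disabled. Either a RADIUS-pushed or locally configured reauth-period, or a phone that proxies EAPOL-Logoff, clears the entry before the returning PC A is seen.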