802.1x configuration

marccosta · ‎06-30-2008

I have a problem with with a following topology:

Switch 3560 as desktop connection

Avaya IP telephone 96xx Series with 802.1x

Worstation with 802.1x configure

The IP telephone and the workstation have the 802.1x authentication configured. In the first it is al is working. The problem is when a disconnected the first workstation that is working and connected a workstation that don't authorized to access the network. The 802.1x is working perfect, as such as, this workstation appers with drop. But when a return the first workstation on the switch its put the port in error-disable with a following msg:"%DOT1X-5-SECURITY_VIOLATION: Security violation on the interface FastEthernet0/1, new MAC address 0016.4179.1592 is seen.

01:32:47: %PM-4-ERR_DISABLE: security-violation error detected on Fa0/1, putting Fa0/1 in err-disable state, and communication with the IP phone and workstation.

I need to know how to resolve this situation

Following the configuation tha I used:

++++++++++++++++++++++++++++++++++++++++++++++++

3560:

aaa new-model

aaa authentication login default none

aaa authentication dot1x default group radius

aaa authorization network default group radius

dot1x system-auth-control

interface FastEthernet0/1

switchport access vlan 118

switchport mode access

switchport voice vlan 302

srr-queue bandwidth share 10 10 60 20

srr-queue bandwidth shape 10 0 0 0

priority-queue out

mls qos trust cos

auto qos voip trust

dot1x pae authenticator

dot1x port-control auto

dot1x host-mode multi-domain

dot1x timeout reauth-period 30

spanning-tree portfast

interface FastEthernet0/24

switchport trunk encapsulation dot1q

switchport trunk native vlan 118

switchport trunk allowed vlan 118,302

switchport mode trunk

srr-queue bandwidth share 10 10 60 20

srr-queue bandwidth shape 10 0 0 0

priority-queue out

mls qos trust cos

auto qos voip trust

radius-server host 180.188.188.50 auth-port 1645 acct-port 1646 key xxx

radius-server source-ports 1645-1646

+++++++++++++++++++++++++++++++++++++++++++++++++

Thanks regards

aghaznavi · ‎07-04-2008

Ensure that the interface is configured to support the number of attached hosts. Enter the shutdown interface configuration command and then the no shutdown interface configuration command to restart the port.

andrew.butterworth · ‎07-04-2008

Cisco IP Phones have a '802.1x Proxy Disconnect' feature that 'snoops' 802.1x messages and will send a 802.1x disconnect to thw switchport oh behalf of the attached (now not attached..) 802.1x supplicant if the PC port is disconnected. This was added a while ago in most IP Phone firmware. Check to see if Avaya have implemented a similar feature, if not then you are a bit stuck. You could drop the timers down however it could get messy...

Andy

marccosta · ‎07-04-2008

Hi Andy,

Thanks for attention. I'll to check with Avaya about the configuration, but a I belive that this is implemented. I'd like to know, based in the configuration tha I show you, how to configure to drop the timers, wich you told me ?

Tks

Marcelo

andrew.butterworth · ‎07-04-2008

You need to enable 802.1x re-authentication and either configure a re-authentication timer or push the timer from the RADIUS server.

interface FastEthernet0/2

dot1x reauthentication

dot1x timeout reauth-period

If you push the timer from RADIUS you need to send the Session-Timeout attribute (27) with a valid time period.

HTH

Andy