Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

802.1X Port Based Authentication Security Violation

I have configured 802.1X authentication on selected ports of a Cisco Catalyst 2960S with Micorsoft NPS Radius authentication on a test LAN. I have tested the authentication with a windows XP laptop, a windows 7 laptop with 802.1X, eap-tls authentication and a Mitel 5330 IP Phone using EAP-MD5 aithentication. All the above devices work with with the MS NPS server. However in MDA mode when the  802.1x compliant  windows 7 laptop is connected to the already authenticated Mitel IP Phone, the port experiences a security violation and the goes into error sdisable mode.

Feb  4 19:16:16.571: %AUTHMGR-5-START: Starting 'dot1x' for client (24b6.fdfa.749b) on Interface Gi1/0/1 AuditSessionID AC10A0FE0000002F000D3CED

Feb  4 19:16:16.645: %DOT1X-5-SUCCESS: Authentication successful for client (24b6.fdfa.749b) on Interface Gi1/0/1 AuditSessionID AC10A0FE0000002F000D3CED

Feb  4 19:16:16.645: %PM-4-ERR_DISABLE: security-violation error detected on Gi1/0/1, putting Gi1/0/1 in err-disable state

Feb  4 19:16:17.651: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to down

Feb  4 19:16:18.658: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down

If the port config  is changed to "authentication host-mode multi-auth", and the laptop is connected to the phone the port does not experience the security violation but the 802.1x authentication for the laptop fails.

The ports GI1/0./1 & Gi1/02 are configured thus:

interface GigabitEthernet1/0/1

switchport mode access

switchport voice vlan 20

authentication event fail action authorize vlan 4

authentication event no-response action authorize vlan 4

authentication event server alive action reinitialize

authentication host-mode multi-domain

authentication order dot1x mab

authentication priority dot1x mab

authentication port-control auto

mab

mls qos trust cos

dot1x pae authenticator

spanning-tree portfast

sh ver

Switch Ports Model              SW Version            SW Image

------ ----- -----              ----------            ----------

*    1 52    WS-C2960S-48FPS-L  15.2(1)E1             C2960S-UNIVERSALK9-M

Full config attached. Assistance will be grately appreciated.

Donfrico

Everyone's tags (3)
2 REPLIES
New Member

802.1X Port Based Authentication Security Violation

Hi,

is your IP-Phone after authentication in the Voice-Vlan? Usually only 1 MAC ist allowed in Voice- and Data Vlan.

Can you post the result of  "show authentication sessions" .

Horst

802.1X Port Based Authentication Security Violation

I believe , you need to configure re-authentication on this switch port:


! Enable re-authentication

authentication periodic

! Enable re-authentication via RADIUS Session-Timeout

authentication timer reauthenticate server
572
Views
5
Helpful
2
Replies
CreatePlease to create content