New Member

ISE error disable interface


Dears
After configuring DOT1x on access ports, some ports show error-disabled without port security being enabled. Is there any way to increase the number of MAC addresses allowed on the port? Is it possible to disable this feature?


3 REPLIES
New Member

ISE error disable interface

Hi,

Send us the show run of the interfaces.

Cheers

Pankaj

New Member

ISE error disable interface

here you are

interface GigabitEthernet1/0/2
 switchport mode access
 switchport voice vlan 91
 authentication event fail action next-method
 authentication event server dead action reinitialize vlan 184
 authentication event server dead action authorize voice
 authentication host-mode multi-domain
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast

Cisco Employee

Re: ISE error disable interface

Hi Eng.malak,

The port config you provided shows that interface GigabitEthernet1/0/2 is configured for MDA. That means an IP phone and a single host behind the IP phone are authenticated independently, even though both the IP phone and the host machine are connected to a single switch port. If more than one device is detected in either domain, a security violation will be triggered. This can be a problem when a phone fails to authenticate properly. If a phone fails authentication, the switch does not receive the "device-traffic-class=voice" VSA from the RADIUS server and will assume that the failed device is in the data domain. However, if there is already a data device behind the phone, there will now be 2 devices in the data domain, and a security violation is triggered. On this port only 2 MAC addresses are allowed. The switch places the client machine in a data VLAN and the IP phone in a voice VLAN.

Configure the violation mode. The keywords have these meanings:

authentication violation {shutdown | restrict | protect | replace}

• shutdown - Error disable the port.
• restrict - Generate a syslog error.
• protect - Drop packets from any new device that sends traffic to the port.
• replace - Removes the current session and authenticates with the new host.

Configuring 802.1x Violation Modes

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_55_se/configuration/guide/sw8021x.html#wp1324086

~BR
Jatin Katyal

**Do rate helpful posts**
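The config posted above has no "authentication violation" line, so the IOS default (shutdown) applies and a second MAC in the data domain err-disables the port, exactly as described in the reply. The following script is an added example, not code from this thread or from Cisco: it parses "show run" interface blocks, works out the effective host-mode and violation mode per interface (assuming the IOS defaults of single-host and shutdown when nothing is configured), flags the ports that would be err-disabled on a violation, and builds the remediation lines. The sample running-config is constructed for the example; its first block is the one posted in this thread, the other two are made-up variants. Choosing "restrict" as the remediation mode is this example's assumption, not a recommendation from the thread.

```python
"""Audit IOS 'show run' interface blocks for 802.1X violation handling."""
import re
from collections import OrderedDict

# Constructed sample running-config. GigabitEthernet1/0/2 is the block
# posted in this thread; 1/0/3 and 1/0/4 are constructed variants.
SAMPLE_RUNNING_CONFIG = """\
interface GigabitEthernet1/0/2
 switchport mode access
 switchport voice vlan 91
 authentication event fail action next-method
 authentication event server dead action reinitialize vlan 184
 authentication event server dead action authorize voice
 authentication host-mode multi-domain
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
!
interface GigabitEthernet1/0/3
 switchport mode access
 authentication host-mode multi-auth
 authentication violation restrict
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet1/0/4
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
!
"""

# IOS defaults assumed when the keyword is absent from the interface.
DEFAULT_HOST_MODE = "single-host"
DEFAULT_VIOLATION_MODE = "shutdown"      # shutdown == err-disable the port

HOST_MODE_RE = re.compile(r"^authentication host-mode (\S+)$")
VIOLATION_RE = re.compile(r"^authentication violation (\S+)$")


def parse_interfaces(config):
    """Split a running-config into {interface_name: [stripped config lines]}."""
    interfaces = OrderedDict()
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current is not None and raw.startswith(" "):
            interfaces[current].append(raw.strip())
        else:
            current = None          # "!" or a global command ends the block
    return interfaces


def audit_interface(lines):
    """Return the effective 802.1X host-mode / violation behaviour of one port."""
    host_mode = DEFAULT_HOST_MODE
    violation = DEFAULT_VIOLATION_MODE
    explicit = False
    auth_enabled = "authentication port-control auto" in lines
    for line in lines:
        m = HOST_MODE_RE.match(line)
        if m:
            host_mode = m.group(1)
            continue
        m = VIOLATION_RE.match(line)
        if m:
            violation = m.group(1)
            explicit = True
    return {
        "auth_enabled": auth_enabled,
        "host_mode": host_mode,
        "violation_mode": violation,
        "violation_explicit": explicit,
        # Only an authenticating port in shutdown mode gets err-disabled.
        "err_disable_risk": auth_enabled and violation == "shutdown",
    }


def at_risk_interfaces(config):
    """Names of the interfaces a violation would err-disable."""
    return [name for name, lines in parse_interfaces(config).items()
            if audit_interface(lines)["err_disable_risk"]]


def remediation(config, mode="restrict"):
    """Config lines setting an explicit violation mode on each at-risk port.
    'restrict' is this example's assumed choice; any of the four modes works."""
    out = []
    for name in at_risk_interfaces(config):
        out.append(f"interface {name}")
        out.append(f" authentication violation {mode}")
    return out


if __name__ == "__main__":
    for name, lines in parse_interfaces(SAMPLE_RUNNING_CONFIG).items():
        print(name, audit_interface(lines))
    print("\n".join(remediation(SAMPLE_RUNNING_CONFIG)))
```

Run against the real "show run" output of a switch, the audit lists every authenticating port still on the default shutdown mode, and the remediation output can be reviewed before anything is pasted into configuration mode. Note that the multi-domain case from the reply (failed phone plus data host) and a plain single-host port with a second MAC are both reported, because the err-disable outcome depends on the violation mode, not on the host-mode.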
