New Member

15.0(2), dot1x, Cisco Phone and PC behind phone

Maybe someone experienced this issue and has an idea...

(<Text> means I replaced the text there.)

We have a PC-behind-phone configuration running in combination with dot1x.

Running configuration on the switch:

authentication event fail action authorize vlan <vlan>
authentication event no-response action authorize vlan <vlan>
authentication host-mode multi-domain
authentication port-control auto
authentication periodic
dot1x pae authenticator
dot1x timeout tx-period 10
dot1x timeout supp-timeout 10
dot1x max-reauth-req 1

As the PC is not authenticated by our RADIUS server, it falls back to Unknown MAC:

Jul 12 07:02:35: %AUTHMGR-5-SUCCESS: Authorization succeeded for client  (Unknown MAC) on Interface <Interface> AuditSessionID  <SessionID>

show authentication sessions

Interface        MAC Address     Method   Domain   Status         Session ID
<Interface>      (unknown)       N/A      DATA     Authz Success  <PCSessionID>
<Interface>      <PhoneMac>      dot1x    VOICE    Authz Success  <PhoneSessionID>

Running version 12.2(55), the PC tried to authenticate once when connected; only the phone itself reauthenticated once an hour.

After upgrading to 15.0(2)SE2 or 15.0(2)SE4, the PC also tries to reauthenticate after the phone reauthenticates after 1 hour:

Jul 12 14:15:16: %DOT1X-5-SUCCESS: Authentication successful for client  (<PhoneMac>) on Interface <Interface> AuditSessionID  <PhoneSessionID>

Jul 12 14:15:16: %AUTHMGR-7-RESULT: Authentication result 'success' from  'dot1x' for client (<PhoneMac>) on Interface <Interface>  AuditSessionID <PhoneSessionID>

Jul 12 14:15:17: %AUTHMGR-5-START: Starting 'dot1x' for client  (<PhoneMac>) on Interface <Interface> AuditSessionID <PhoneSessionID>

Jul 12 14:15:17: %AUTHMGR-5-SUCCESS: Authorization succeeded for client  (<PhoneMac>) on Interface <Interface> AuditSessionID <PhoneSessionID>

Jul 12 14:15:27: %DOT1X-5-FAIL: Authentication failed for client  (<PCMac>) on Interface <Interface> AuditSessionID  <PCSessionID>

Jul 12 14:15:27: %AUTHMGR-7-RESULT: Authentication result 'no-response'  from 'dot1x' for client (<PCMac>) on Interface <Interface>  AuditSessionID <PCSessionID>

Jul 12 14:15:27: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for  client (<PCMac>) on Interface <Interface> AuditSessionID <PCSessionID>

Jul 12 14:15:27: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication  methods for client (<PCMac>) on Interface <Interface> AuditSessionID <PCSessionID>

Unfortunately, the switch recognizes this as a security violation and shuts down the port:

Jul 12 14:15:27: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on  the interface <Interface>, new MAC address (<PCMac>) is  seen.AuditSessionID  <PCSession>

Jul 12 14:15:27: %PM-4-ERR_DISABLE: security-violation error detected on <Interface> putting <Interface> in err-disable state

Thanks in advance

1 REPLY
New Member


As no one seems to have an answer again, I changed to the "authentication violation replace"-command, but I'm not that happy with it.
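
For triaging the syslog sequence shown in the original post, the following is an added example (not code from either poster or from Cisco). It separates security violations that occur right after another client on the same port passed dot1x from violations with no such preceding event. The sample log, interface names, MAC addresses and the 30-second correlation window are assumptions made for the illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: interface names, MACs and session IDs are made up and
# stand in for the <placeholders> in the post. Gi1/0/5 mirrors the posted
# sequence; Gi1/0/9 is a violation with no preceding phone reauthentication.
SAMPLE = """\
Jul 12 14:15:16: %DOT1X-5-SUCCESS: Authentication successful for client (0011.2233.4455) on Interface Gi1/0/5 AuditSessionID AAAA0001
Jul 12 14:15:17: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0011.2233.4455) on Interface Gi1/0/5 AuditSessionID AAAA0001
Jul 12 14:15:27: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (aabb.ccdd.eeff) on Interface Gi1/0/5 AuditSessionID BBBB0002
Jul 12 14:15:27: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface Gi1/0/5, new MAC address (aabb.ccdd.eeff) is seen.AuditSessionID BBBB0002
Jul 12 14:15:27: %PM-4-ERR_DISABLE: security-violation error detected on Gi1/0/5 putting Gi1/0/5 in err-disable state
Jul 12 15:40:02: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface Gi1/0/9, new MAC address (1234.5678.9abc) is seen.AuditSessionID CCCC0003
"""

LINE = re.compile(r"^(\w{3}\s+\d+\s+[\d:]{8}): %([A-Z0-9_]+-\d-[A-Z0-9_]+): (.*)$")
IFACE = re.compile(r"[Ii]nterface\s+([^\s,]+)")
MAC = re.compile(r"\(([0-9A-Fa-f.]+)\)")

def classify_violations(text, window=timedelta(seconds=30)):
    """Flag each SECURITY_VIOLATION as following a dot1x success or not."""
    last_auth = {}   # interface -> (time, MAC) of latest DOT1X-5-SUCCESS
    findings = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        # Syslog omits the year; a fixed one is assumed so deltas can be computed.
        ts = datetime.strptime("2000 " + m[1], "%Y %b %d %H:%M:%S")
        tag, msg = m[2], m[3]
        iface, mac = IFACE.search(msg), MAC.search(msg)
        if tag == "DOT1X-5-SUCCESS" and iface and mac:
            last_auth[iface[1]] = (ts, mac[1])
        elif tag == "AUTHMGR-5-SECURITY_VIOLATION" and iface and mac:
            prev = last_auth.get(iface[1])
            findings.append({
                "interface": iface[1], "mac": mac[1], "err_disabled": False,
                # True when a different client authenticated on this port moments earlier.
                "after_reauth": bool(prev and prev[1] != mac[1]
                                     and ts - prev[0] <= window),
            })
        elif tag == "PM-4-ERR_DISABLE":
            port = re.search(r"detected on\s+(\S+)", msg)
            for f in reversed(findings):   # mark the latest violation on that port
                if port and f["interface"] == port[1]:
                    f["err_disabled"] = True
                    break
    return findings

if __name__ == "__main__":
    for finding in classify_violations(SAMPLE):
        print(finding)
```
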
