Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Get port err-disabled after configuring the Clearpass with cisco switch

  • 1.  Get port err-disabled after configuring the Clearpass with cisco switch

    Posted Sep 07, 2022 03:04 AM
    Hello

    I have an issue where some Cisco switch ports get err-disabled after configuring them with ClearPass, and the log says "Security-violation".

    Here is the port configuration:
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    mab
    dot1x pae authenticator
    dot1x timeout server-timeout 5
    dot1x timeout tx-period 10
    dot1x timeout supp-timeout 10
    dot1x max-req 10
    dot1x max-reauth-req 10
    spanning-tree portfast

    Appreciate your help

    Thanks


  • 2.  RE: Get port err-disabled after configuring the Clearpass with cisco switch

    MVP GURU
    Posted Sep 08, 2022 08:10 AM
    Do you have port-security configured at all? Check this out for err-disable: https://www.cisco.com/c/en/us/support/docs/lan-switching/spanning-tree-protocol/69980-errdisable-recovery.html


    ------------------------------
    Dustin Burns

    Lead Mobility Engineer @Worldcom Exchange, Inc.

    ACCX 1271| ACMX 509| ACSP | ACDA | MVP Guru 2022
    If my post was useful accept solution and/or give kudos
    ------------------------------



  • 3.  RE: Get port err-disabled after configuring the Clearpass with cisco switch

    MVP
    Posted Sep 08, 2022 04:54 PM
    We've run into this before - I'm not sure of the default option for Cisco, but the "host-mode" config could be playing a role. I know for us, we do host-mode as multi-domain, meaning we assign 1 device into the Prod VLAN and 1 device to the voice VLAN on the same port. There's an alternate option called "multi-host" which allows multiple devices with the same VLAN assignment on the same port. If you're trying to authenticate 2 devices into Prod on the same port, try defining multi-host instead and see if it helps.

    ------------------------------
    Michael Haring
    ------------------------------



  • 4.  RE: Get port err-disabled after configuring the Clearpass with cisco switch

    Posted Sep 09, 2022 09:52 AM
    Hi, like mharing said, it could be the mode in the 802.1X configuration. Here are the definitions:

    By default, a switchport will only allow a single host to be authenticated at a time. However, this behavior can be altered by changing the switchport host mode. There are a number of different host modes that are supported; these include:

    • Single-host: This is the default host mode. While in this mode, the switchport will only allow a single host to be authenticated and to pass traffic at a time.
    • Multi-auth: While in this mode, multiple devices are allowed to independently authenticate through the same port.
    • Multi-domain: While in this mode, the authenticator will allow one host from the data domain and one from the voice domain; this is a typical configuration on switchports with IP phones connected.
    • Multi-host: While in this mode, the first device to authenticate will open the switchport so that all other devices can use the port. These other devices are not required to be authenticated independently; if the authenticated device becomes authorized the switchport will be closed.

    Note that the supported modes will vary with different OS.

    If the switch sees another MAC in either domain for multi-domain, or another MAC in single-host (like a phone and a laptop), it'll trigger err-disabled.

    Hope this helps

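    The host-mode behaviour described in the reply above, together with the err-disable recovery link from the earlier reply, as an added example that is not part of any post in this thread. The interface config in the original question has no "authentication host-mode" line, so the port runs in the default single-host mode, and no "authentication violation" line, so the default action "shutdown" applies: a second MAC on the port (phone plus laptop, or anything behind an unmanaged hub) is a security violation and err-disables the port. The interface name, VLAN numbers, description and recovery interval below are assumptions; the commands are standard Cisco IOS 15.x legacy 802.1X/MAB syntax matching the style the poster used, and nothing here is ClearPass-specific.

```cisco
! Added example, not the poster's config. Interface name, VLANs and the
! recovery interval are assumptions.
!
! As posted, the port has no "authentication host-mode" (defaults to
! single-host) and no "authentication violation" (defaults to shutdown),
! so a second MAC err-disables the port with "Security-violation".
!
interface GigabitEthernet1/0/10
 description User port - one data device + one IP phone, ClearPass dot1x/MAB
 switchport mode access
 switchport access vlan 100
 switchport voice vlan 200
 ! one data MAC + one voice MAC. Use "multi-auth" if several data devices
 ! (e.g. behind an unmanaged hub) must each authenticate on their own.
 ! Avoid "multi-host": after the first device authenticates, every other
 ! MAC on the port gets access without authenticating.
 authentication host-mode multi-domain
 ! "restrict": drop frames from the unexpected extra MAC and raise a
 ! syslog/SNMP trap, but keep the port up. The default "shutdown" is what
 ! err-disables the port. "protect" is the same without the log entry.
 authentication violation restrict
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout server-timeout 5
 dot1x timeout tx-period 10
 dot1x timeout supp-timeout 10
 dot1x max-req 10
 dot1x max-reauth-req 10
 spanning-tree portfast
!
! Global safety net: ports that still get err-disabled for a security
! violation come back on their own after the interval (seconds) instead of
! needing a manual "shutdown" / "no shutdown".
errdisable recovery cause security-violation
errdisable recovery interval 300
!
! Verification from exec mode:
!   show interfaces status err-disabled
!   show errdisable recovery
!   show authentication sessions interface GigabitEthernet1/0/10 details
!   show dot1x interface GigabitEthernet1/0/10 details
```

Design note: "restrict" is preferred over "multi-host" as the fix because it keeps the authentication boundary per MAC; the unexpected device is dropped and logged rather than silently admitted on the strength of someone else's session. If the switch also has "switchport port-security" on the port, that feature has its own violation mode and its own recovery cause ("errdisable recovery cause psecure-violation"), so check "show port-security interface" as well when the err-disable reason is ambiguous.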

  • 5.  RE: Get port err-disabled after configuring the Clearpass with cisco switch

    Posted Sep 14, 2022 02:37 AM
    A hub (unmanaged switch) connected to the switch port also causes this err-disabled issue.