dot1x and port-security do not mix (or do they?)

21 Sep 2006 15:02

[Cisco] IEEE 802.1X cannot be enabled on the port security enabled-port.

Sep 21 12:47:00.223: %LINK-3-UPDOWN: Interface GigabitEthernet2/6, changed state to up
Sep 21 12:47:01.223: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/6, changed state to up
Sep 21 12:47:20.198: %DOT1X-5-SECURITY_VIOLATION: Security violation on interface GigabitEthernet2/6, New MAC address 0012.3f09.3840 is seen on the interface in mode
Sep 21 12:47:20.198: %PM-4-ERR_DISABLE: security-violation error detected on Gi2/6, putting Gi2/6 in err-disable state
Sep 21 12:47:21.202: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/6, changed state to down
Sep 21 12:47:22.202: %LINK-3-UPDOWN: Interface GigabitEthernet2/6, changed state to down

Nice of the CLI to state what mode it has trouble with!

Just found this on CCO:

You can enable port security on an 802.1X port in either single- or multiple-host mode. (To do so, you must configure port security with the switchport port-security interface configuration command.) When you enable port security and 802.1X on a port, 802.1X authenticates the port, and port security manages the number of MAC addresses allowed on that port, including that of the client. Hence, you can use an 802.1X port with port security enabled to limit the number or group of clients that can access the network.

Now what happens when I use VoIP and plug my PC into the phone? The phone speaks CDP and as such is allowed into the voice VLAN, and the PC does dot1x and is allowed access by user credentials. However, port-security puts the port into err-disabled state because of the phone's MAC address (the debug output shows the port already holds its single allowed address when the phone shows up on the voice VLAN):

Sep 21 14:49:57.550: PSECURE: swidb = GigabitEthernet2/6 mac_addr = 0800.0f1e.f7ad vlanid = 40
Sep 21 14:49:57.550: PSECURE: Adding 0800.0f1e.f7ad as dynamic on port Gi2/6 for vlan 40
Sep 21 14:49:57.550: PSECURE: Violation/duplicate detected upon receiving 0800.0f1e.f7ad on vlan 40: port_num_addrs 1 port_max_addrs 1 vlan_addr_ct 0: vlan_addr_max 2 total_addrs 0: max_total_addrs 3072
Sep 21 14:49:57.550: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0800.0f1e.f7ad on port GigabitEthernet2/6.
Sep 21 14:49:57.550: PSECURE: Security violation, TrapCount:33

One needs all three maximum lines in the interface configuration if one wants to be properly secure (this works, by the way):

switchport port-security maximum 2
switchport port-security maximum 1 vlan access
switchport port-security maximum 1 vlan voice
switchport port-security
switchport port-security violation restrict

The restrict mode is there to leave the phone working when a PC is denied access; with the default shutdown action it would be a nice DoS to down every phone in sight…
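To make the address counting concrete, here is an added Python model (not from the post and not Cisco code) of how port-security counts secure addresses per port and per VLAN, run against the default one-line configuration and the five-line configuration above. The access VLAN id 10 and the second PC's MAC are assumptions; the phone and PC MACs and voice VLAN 40 come from the debug output.

```python
from dataclasses import dataclass, field

@dataclass
class PortSecurity:
    """Simplified model of IOS port-security address counting on one port."""
    port_max: int = 1                     # switchport port-security maximum N (default 1)
    vlan_max: dict = field(default_factory=dict)  # per-VLAN maximums, keyed by VLAN id
    violation: str = "shutdown"           # shutdown (default) | restrict | protect
    learned: set = field(default_factory=set)     # secure (mac, vlan) pairs
    err_disabled: bool = False

    def learn(self, mac: str, vlan: int) -> str:
        """Handle a frame with a new source MAC; return 'ok' or the violation action taken."""
        if self.err_disabled:             # port is down, nothing gets through any more
            return "shutdown"
        if (mac, vlan) in self.learned:   # already a secure address on this port
            return "ok"
        port_count = len(self.learned)
        vlan_count = sum(1 for _, v in self.learned if v == vlan)
        vlan_limit = self.vlan_max.get(vlan)
        over_port = port_count >= self.port_max
        over_vlan = vlan_limit is not None and vlan_count >= vlan_limit
        if over_port or over_vlan:
            if self.violation == "shutdown":
                self.err_disabled = True  # %PM-4-ERR_DISABLE: whole port, phone included
            return self.violation         # restrict/protect: only this MAC is dropped
        self.learned.add((mac, vlan))
        return "ok"

def default_port() -> PortSecurity:
    """'switchport port-security' alone: maximum 1, violation shutdown."""
    return PortSecurity()

def recommended_port() -> PortSecurity:
    """The five lines from the post: maximum 2, 1 on the access VLAN, 1 on the voice VLAN, restrict."""
    return PortSecurity(port_max=2, vlan_max={10: 1, 40: 1}, violation="restrict")

# Constructed sequence: the dot1x PC on access VLAN 10 (assumed id), the phone on voice
# VLAN 40, then a second, unauthorised PC (assumed MAC) daisy-chained behind the phone.
EVENTS = [("0012.3f09.3840", 10), ("0800.0f1e.f7ad", 40), ("0200.0000.0002", 10)]

def simulate(port: PortSecurity, events=EVENTS) -> list:
    """Feed the MAC/VLAN events to the port and collect the per-frame outcome."""
    return [port.learn(mac, vlan) for mac, vlan in events]

if __name__ == "__main__":
    print("default    :", simulate(default_port()))      # ['ok', 'shutdown', 'shutdown']
    print("recommended:", simulate(recommended_port()))  # ['ok', 'ok', 'restrict']
```

With the default configuration the phone is the second address and takes the whole port down; with the per-VLAN maximums and restrict, only the extra PC is dropped and the phone keeps working.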
