I changed the port with 'authentication violation restrict' to prevent the port from shutting when the second data mac is noticed. According to my understanding the switch will drop the data traffic on this port anyway, but the authentications are still occurring to ClearPass.
I added a catch to my service to send our devices to the 'Cisco-AVPair' 'device-traffic-class=voice' while still waiting for profile.
This caused an error because I tried to use the same vlan to profile the phone and the data which is apparently not acceptable, so I opted to change my port config rather than spinning up a new VLAN for the phone. I could have gone either way with that. This has worked to keep my port in multi-domain instead of switching to multi-auth. Most of this work is unnecessary if the phone is already profiled and able to be put directly to a voice vlan.
Original Message:
Sent: Jul 11, 2025 09:25 AM
From: StrikerTS
Subject: Clearpass VOIP Phone with host-mode Multi-Domain
I was able to verify the phone and the computer are being profiled on the data domain out of the gate. It fully makes sense since the phone is not told it's on the voice domain until after the profiling is finished.
So far I have been unable to find a way to issue the voice setting to the phone out of the gate. The port is shutting as soon as the phone boots and shows its mac to the port.
I still have not figured out why the switch is shutting the port. I am not running port security on that port. I was hoping to find a way to delay the shut for 60 seconds or so; that would likely be enough time for the phone to profile and be put onto a voice domain.
Would switching to multi-auth be a bad idea? I'm not sure if there are negative impacts on doing that with a non network device port.
Original Message:
Sent: Jul 09, 2025 05:48 PM
From: vigan
Subject: Clearpass VOIP Phone with host-mode Multi-Domain
Next step is just to check the authentication sessions to see if both the Phone and PC are being marked in the same DATA domain.
The command in IBNS 1.0, I believe, is:
show authentication session int Gi1/0/11
and/or:
show authentication session int Gi1/0/11 detail
You can have a look at these and then figure out the next move.
If that is the case that both the PC and Phone are being marked in the same DATA domain, then you should maybe put a different profiling VLAN just for phones where you profile them with a different VLAN not in the same profiling VLAN as all of the devices.
Something else you can play around with is a dACL: until the device is fully profiled you can leave it on the same VLAN w/ dACL > profile it > CoA > same VLAN w/o a dACL.
Maybe that way you can eliminate the problem of the port being pushed into err-disable before the device is profiled.
Original Message:
Sent: Jul 09, 2025 05:32 PM
From: StrikerTS
Subject: Clearpass VOIP Phone with host-mode Multi-Domain
I was wondering if this could be the cause. Currently we have the devices hit a "Profiling" vlan to gather information. Once the phone is profiled as a phone, it gets the device traffic class voice issued to it with its final settings. Would it be prudent to capture the phone earlier in the process to switch the avpair setting?
Original Message:
Sent: Jul 09, 2025 05:22 PM
From: vigan
Subject: Clearpass VOIP Phone with host-mode Multi-Domain
It is worth noting as well that in authentication host-mode multi-domain a second mac-address on each of the domains WILL cause a security violation, hence the err-disable.
So if you're pushing your VLANs from CPASS to your switch, this is what the Enforcement Profile that you push to your phones should look like:

Note the RADIUS:Cisco Cisco-AVPair= device-traffic-class=voice being pushed to class the device into the VOICE domain instead of the DATA domain.
Original Message:
Sent: Jul 09, 2025 04:14 PM
From: vigan
Subject: Clearpass VOIP Phone with host-mode Multi-Domain
The port config looks correct; that is kind of the same template that we used on our deployments with IBNS 1.0.
In our environment though, changing the priority and order did the trick; maybe you can give it a try and see if it works.
Try modifying this:
authentication order dot1x mab
authentication priority dot1x mab
To this:
authentication order mab dot1x
authentication priority mab dot1x
Maybe this will do the trick, since the IP phone will authenticate first using mac auth, and then afterwards the PC will authenticate using 1x, maybe this MIGHT be confusing the switch and pushing the port to err-disable.
Give this a try; hopefully it fixes it.
Original Message:
Sent: Jul 09, 2025 03:56 PM
From: StrikerTS
Subject: Clearpass VOIP Phone with host-mode Multi-Domain
I have been using shut / no shut to test changes. Sadly the results were consistent. Here is the error:
ERR_DISABLE: security-violation error detected on Gi1/0/11, putting Gi1/0/11 in err-disable state
AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet1/0/11, new MAC address
From this config:
switchport access vlan 500
switchport mode access
switchport voice vlan 20
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x timeout tx-period 7
spanning-tree portfast
From the ClearPass side I can see the computer first try to use MAC auth instead of defaulting to 802.1x; then, when the phone tries to use MAC auth, the port shuts on seeing the second MAC.
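A small syslog triage helper for the two messages quoted in this post, added here as an example (it is not code from the thread or from Cisco/ClearPass): it reconciles the long interface name AUTHMGR logs with the short one ERR_DISABLE logs, counts security violations per port, and flags which ports actually went err-disabled. The sample lines are constructed in the format of the quoted messages.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format of the two messages quoted above.
SAMPLE_LOG = """\
AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet1/0/11, new MAC address
ERR_DISABLE: security-violation error detected on Gi1/0/11, putting Gi1/0/11 in err-disable state
AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet1/0/12, new MAC address
AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet1/0/12, new MAC address
LINK-3-UPDOWN: Interface GigabitEthernet1/0/13, changed state to up
"""

# Substring searches, so lines with a leading "%PM-4-" / timestamp prefix match too.
VIOLATION_RE = re.compile(r"SECURITY_VIOLATION: Security violation on the interface (\S+?),")
ERRDISABLE_RE = re.compile(r"ERR_DISABLE: (\S+) error detected on (\S+), putting")

# AUTHMGR logs the long interface name, ERR_DISABLE the short one.
LONG_TO_SHORT = {"GigabitEthernet": "Gi", "TenGigabitEthernet": "Te", "FastEthernet": "Fa"}


def normalize_interface(name: str) -> str:
    """Map 'GigabitEthernet1/0/11' and 'Gi1/0/11' to one key."""
    for long, short in LONG_TO_SHORT.items():
        if name.startswith(long):
            return short + name[len(long):]
    return name


def summarize(log_text: str) -> dict:
    """Per port: violation count, whether it err-disabled, and the err-disable cause."""
    ports = defaultdict(lambda: {"violations": 0, "err_disabled": False, "cause": None})
    for line in log_text.splitlines():
        m = VIOLATION_RE.search(line)
        if m:
            ports[normalize_interface(m.group(1))]["violations"] += 1
            continue
        m = ERRDISABLE_RE.search(line)
        if m:
            entry = ports[normalize_interface(m.group(2))]
            entry["err_disabled"] = True
            entry["cause"] = m.group(1)
    return dict(ports)


def violating_but_up(log_text: str) -> list:
    """Ports that logged a violation without err-disabling. With 'authentication
    violation restrict' the port stays up while the second MAC's traffic is dropped,
    so these still deserve a look even though nothing went down."""
    return sorted(p for p, e in summarize(log_text).items()
                  if e["violations"] and not e["err_disabled"])


if __name__ == "__main__":
    for port, entry in sorted(summarize(SAMPLE_LOG).items()):
        print(port, entry)
    print("violating but still up:", violating_but_up(SAMPLE_LOG))
```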
Original Message:
Sent: Jul 09, 2025 01:44 PM
From: Vigan Bytyqi
Subject: Clearpass VOIP Phone with host-mode Multi-Domain
Usually, the reasons a Catalyst switch can go into Errdisable mode and shut down a port are many and include:
- Duplex Mismatch
- Loopback Error
- Link Flapping (up/down)
- Port Security Violation
- Unicast Flooding
- UDLD Failure
- Broadcast Storms
- BPDU Guard
Maybe this can give you a glimpse of what's going on.
Have you also tried a simple shut/no shut on the port, and if yes, does the issue persist?
You can also try clear mac-address table dynamic maybe that can solve the issue.
Original Message:
Sent: Jul 09, 2025 01:30 PM
From: StrikerTS
Subject: Clearpass VOIP Phone with host-mode Multi-Domain
I have not switched to IBNS 2.0 yet, though I was planning to do so after I finished this stage of my deployment (to address Access Points).
I double checked my switch and currently dhcp snooping is disabled; would that still affect my port in this state?
Switch DHCP snooping is disabled
Switch DHCP gleaning is disabled
DHCP snooping is configured on following VLANs:
none
DHCP snooping is operational on following VLANs:
none
Proxy bridge is configured on following VLANs:
none
Proxy bridge is operational on following VLANs:
none
DHCP snooping is configured on the following L3 Interfaces:
Insertion of option 82 is enabled
circuit-id default format: vlan-mod-port
remote-id: acbc.d952.3380 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
Original Message:
Sent: Jul 09, 2025 01:15 PM
From: vigan
Subject: Clearpass VOIP Phone with host-mode Multi-Domain
It seems like the problem might be related to the maximum MAC address limit allowed per port on your Cisco switch, particularly if you're using IBNS 2.0. When running a multi-domain configuration with both a VOIP phone and a connected PC, it's important to ensure that the port configuration accommodates the necessary number of MAC addresses.
To address this, try configuring the following command on your Cisco switch port; depending on your IBNS 2.0 setup, you might be using:
ip dhcp snooping limit rate 3
This ensures that your switch port can handle multiple MAC addresses (phone, PC, and potentially another device if needed) without triggering an error state. Additionally, make sure your ClearPass enforcement policy allows sending COA events dynamically without manual intervention.
Had this issue a while back and the above command solved it, but again it varies on what type of Cisco switches you're using, IBNS version, etc.
Let me know if this helps.
Cheers,
Vigan
Original Message:
Sent: Jul 09, 2025 12:29 PM
From: StrikerTS
Subject: Clearpass VOIP Phone with host-mode Multi-Domain
Hello All,
I find most answers in these forums, but have struck out finding any more hints on this subject. Our ClearPass is up and running for most scenarios. I am setting up the first network port that has a computer (802.1x) plugged in through a phone (MAB). Our initial implementation had success during testing by setting the (Cisco Switch) port to 'authentication host-mode multi-domain'.
When I tried to roll this setting out to a new location today the port keeps being put into an error state due to multiple mac addresses. I have determined:
- The authentication host-mode multi-domain works for this type of setup if the phone has already been profiled.
- Switching from multi-domain to multi-auth will prevent the port from shutting, and allow the phone to profile properly, but only if I manually send reauth COA events twice.
- The phones do just fine with identical settings (multi-domain) if there is no computer plugged into the port.
- The computers do just fine with these settings with no phone on the port.
Am I misusing Multi-Domain? I know the intention is for both devices but I'm struggling to see a missing piece.