Cisco Bug: CSCtc80481 - %AUTHMGR-5-SECURITY_VIOLATION seen when PC connected with Avaya phone

Last Modified

Feb 20, 2018

Products (14)

  • Cisco IOS
  • Cisco Catalyst 4500 Series Supervisor Engine V-10GE
  • Cisco Catalyst 4500 Series Supervisor Engine II-Plus-TS
  • Cisco Catalyst 4948 10 Gigabit Ethernet Switch
  • Cisco Catalyst 4928 10 Gigabit Ethernet Switch
  • Cisco ME 4924-10GE Switch
  • Cisco Catalyst 4948 Switch
  • Cisco Catalyst 4500 Series Supervisor Engine II-Plus
  • Cisco Catalyst 4500 Supervisor Engine 6-E
  • Cisco Catalyst 4000/4500 Supervisor Engine IV

Known Affected Releases

12.2(52)SG

Description (partial)

Symptom:

On a Catalyst 4500 switch, when 802.1x and multi-domain authentication (MDA) are configured on a switch port to authenticate a third-party IP phone, connecting an 802.1x-capable Avaya 9650 IP phone with a PC behind it may trigger a security violation.

Conditions:

The violation is triggered when the phone sends a DHCP request on the data vlan (untagged), after the phone is authenticated on the voice vlan.

This is expected behavior on the Catalyst 4500 (cat4k) platform, and a security violation is the correct action to take: the phone is authenticated on the voice VLAN, so a packet from it received on the data VLAN is a security violation.

The reason the phone sends a DHCP request on the data VLAN is Avaya's default behavior: if the phone fails to receive an IP address on the voice VLAN within 60 seconds, it sends a DHCP request on the data VLAN. This is controlled by the Avaya configuration option VLAN_TEST. By default VLAN_TEST is set to 60, meaning that if the phone cannot obtain an IP address within 60 seconds, it sends an untagged DHCP request packet onto the data VLAN. With VLAN_TEST=0 the phone never sends packets on the data VLAN; no security violation occurs and the phone obtains an IP address after some time.
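To make the interaction above concrete, the following Python model (an added illustration, not Cisco or Avaya code) replays the sequence: a port in MDA mode authorizes the phone in the voice domain and the PC in the data domain, then the phone sends its DHCP traffic according to the VLAN_TEST setting. The VLAN numbers, MAC addresses, interface name and the exact wording of the generated log line are constructed for the example; only the mnemonic %AUTHMGR-5-SECURITY_VIOLATION comes from the page. Running it with the default VLAN_TEST=60 and no DHCP answer on the voice VLAN reproduces the violation, while VLAN_TEST=0 or a lease that arrives before the timer expires does not.

```python
"""Model of the MDA security violation described in CSCtc80481.

Added illustration, not Cisco or Avaya code. VLAN numbers, MAC addresses,
the interface name and the log wording are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Optional

DATA_VLAN = 100    # assumed access (data) VLAN on the port
VOICE_VLAN = 200   # assumed voice VLAN on the port


@dataclass
class Frame:
    src_mac: str
    vlan_tag: Optional[int]   # None = untagged; the switch maps it to the data VLAN
    t: int                    # seconds since link-up


@dataclass
class MdaPort:
    """One switch port in multi-domain authentication (MDA) host mode."""
    name: str
    authorized: dict = field(default_factory=dict)   # MAC -> "voice" | "data"
    log: list = field(default_factory=list)

    def authorize(self, mac: str, domain: str) -> None:
        self.authorized[mac] = domain

    def receive(self, f: Frame) -> str:
        # Tagged with the voice VLAN -> voice domain; untagged or data-tagged -> data domain
        vlan = VOICE_VLAN if f.vlan_tag == VOICE_VLAN else DATA_VLAN
        domain = "voice" if vlan == VOICE_VLAN else "data"
        auth = self.authorized.get(f.src_mac)
        if auth is None:
            return "unauthenticated"       # would start 802.1x/MAB for this MAC
        if auth != domain:
            # A MAC authorized in one domain appearing in the other is the violation
            self.log.append(
                f"t={f.t}s %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the "
                f"interface {self.name}, MAC {f.src_mac} authorized in {auth} domain "
                f"seen in VLAN {vlan}"     # constructed wording
            )
            return "violation"
        return "forwarded"


def phone_dhcp_frames(mac: str, vlan_test: int, lease_at: Optional[int]) -> list:
    """DHCP frames an Avaya phone sends, following the page's VLAN_TEST description.

    lease_at: second at which the voice-VLAN DHCP server answers, or None if never.
    """
    frames = [Frame(mac, VOICE_VLAN, 0)]            # tagged discover on the voice VLAN
    if vlan_test > 0 and (lease_at is None or lease_at > vlan_test):
        frames.append(Frame(mac, None, vlan_test))  # untagged retry on the data VLAN
    return frames


def simulate(vlan_test: int, lease_at: Optional[int]) -> tuple:
    """Return (per-frame outcomes, violation log) for one phone + PC on an MDA port."""
    port = MdaPort("GigabitEthernet1/1")
    phone = "00aa.bb00.0001"   # constructed MAC of the phone
    pc = "00aa.bb00.0002"      # constructed MAC of the PC behind it
    port.authorize(phone, "voice")
    port.authorize(pc, "data")
    results = [port.receive(f) for f in phone_dhcp_frames(phone, vlan_test, lease_at)]
    results.append(port.receive(Frame(pc, None, 5)))   # PC traffic on the data VLAN is fine
    return results, port.log


if __name__ == "__main__":
    for vt, lease in ((60, None), (0, None), (60, 20)):
        outcomes, log = simulate(vt, lease)
        print(f"VLAN_TEST={vt} lease_at={lease}: {outcomes}")
        for line in log:
            print("  ", line)
```

The model shows why the switch is behaving correctly: the violation is keyed on the authorized domain of the source MAC, not on the content of the packet, so any untagged frame from the phone trips it. The only fixes that hold are on the phone side (VLAN_TEST=0, or a voice-VLAN DHCP server that answers within the timer), which is what the condition text states.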