802.1x with AD authentication in a wired environment

Similar Messages

• Intel Mac OS X can't connect using 802.1x with TTLS authentication

  To login at the wireless network on my school I use the following settings:
  802.1x connection with TTLS authentication and TTLS inner authentication set to PAP.
  My MacBook Pro logs in, but has a self assigned ip-address and I can't use the network.
  On my old iBook and my friend's Powerbook with exact the same settings it works perfect. (and gets an assigned ip-address throug DHCP.
  Bug in the Intel version of Mac OS X I guess?

  Regarding the post about other intel macs being unaffected, I don't have an imac so I don't know for sure, but the connectivity problems seem to be more widely reported for the macbooks. It's certainly possible they are affected as well, but I was under the impression they were using a different chipset and/or firmware. (note to self, check on that).
  What I cant understand is why they have changed the
  airport express card for the intel macs, albeit the
  processor has changed but that shouldn't affect the
  card as that should be processor
  The intel macs were largely designed by intel. I suspect that apple provided case dimensions and a specifications list which intel then used for the designs. The wireless cards in the powerbooks were based (iirc) on a pc-card bus. The older airports were based on PCMCIA-16.
  In the macbooks, it appears to be a mini-PCI-express. (I had to send my back for noise issues. ASP might tell you what bus it connects to). The benefit to this is better speed and the possibility of future expansion. Dell uses the same connector.
  Some side-benefits of having the board designed by intel (or with heavy intel involvement) is that we can already dual-boot windows XP. Wireless seems to work fine if you run windows on the macbook. Therefore, I think this is a driver issue likely to be resolved sooner rather than later.

• 802.1x with EAP-TLS Fails on Wired

  Dear Colleagues,
  I am currently encountering an issue which does not seem to make sense to me and hence checking if anyone of you have come across the same or can provide further input on how to proceed...
  Setup :
  1. Radius Server - Cisco ACS 1113 Engine
  2. Authenticator - Cisco 6509 Switch
  3. Supplicant - Windows XP SP2/3
  Problem:
  1. Supplicants fail to authenticate using EAP-TLS as the authentication method.
  Errors Seen:
  1. Cisco ACS Reports - Authen session timed out: Supplicant did not respond to ACS correctly. Check supplicant configuration.
  2. Cisco Switch Reports - dot1x-err(Gi3/39): Invalid Eapol packet length = 1490
  3. Supplicant Reports when Trace enabled in the RASTLS file - “>> Received Failure (Code: 4) packet: Id: 8, Length: 4, Type: 0, TLS blob length: 0. Flags:” and “Code 4 unexpected in state SentFinished”
  Other Information:
  1. Wireless Clients using the windows supplicant and EAP-TLS connect without any issue.
  2. ACS has certificates issued by 3rd Party Root CA - Geotrust.
  3. Clients have Certs issued by clients own CA infrastructure.
  4. ACS has the clients Root CA cert in the trust list and hence why the wireless users work.
  5. PEAP works fine on wired.
  Any pointers appreciated. Happy to share logs from Switch / Supplicant and ACS if needed.
  Thanks
  Volven

  Dear Colleagues,
  I am currently encountering an issue which does not seem to make sense to me and hence checking if anyone of you have come across the same or can provide further input on how to proceed...
  Setup :
  1. Radius Server - Cisco ACS 1113 Engine
  2. Authenticator - Cisco 6509 Switch
  3. Supplicant - Windows XP SP2/3
  Problem:
  1. Supplicants fail to authenticate using EAP-TLS as the authentication method.
  Errors Seen:
  1. Cisco ACS Reports - Authen session timed out: Supplicant did not respond to ACS correctly. Check supplicant configuration.
  2. Cisco Switch Reports - dot1x-err(Gi3/39): Invalid Eapol packet length = 1490
  3. Supplicant Reports when Trace enabled in the RASTLS file - “>> Received Failure (Code: 4) packet: Id: 8, Length: 4, Type: 0, TLS blob length: 0. Flags:” and “Code 4 unexpected in state SentFinished”
  Other Information:
  1. Wireless Clients using the windows supplicant and EAP-TLS connect without any issue.
  2. ACS has certificates issued by 3rd Party Root CA - Geotrust.
  3. Clients have Certs issued by clients own CA infrastructure.
  4. ACS has the clients Root CA cert in the trust list and hence why the wireless users work.
  5. PEAP works fine on wired.
  Any pointers appreciated. Happy to share logs from Switch / Supplicant and ACS if needed.
  Thanks
  Volven

• Strange Issue with IIS authentication in Clustered BAM environment

  Here's my configuration:
  Cluster #1 - prbam01
  Node 1 pbm101
  Node 2 pbm102
  This cluster is running ADC, event service, enterprise link, and IIS (IIS up on both nodes)
  Cluster #2 - prbam02
  Node 1 pbm103
  This cluster is running report cache and IIS. End users will hit this IIS for reports, admin, etc.
  Problem:
  The IIS on cluster 1, node 1 (pbm101) will never authenticate when trying to access the BAM web pages with any URL (http://prbam01/oraclebam or http://pbm101/oraclebam). It exhibits this behaviour whether it is the active cluster node or not. Cluster 1, node 2 exhibits correct behaviour in that it works at URL http://pbm102/oraclebam at all times and at http://prbam01/oraclebam when it is the active node.
  I have check IIS security settings and they appear exactly the same on both boxes. ADC and everything else seems to be running ok when node 1 is the active node, just the BAM web pages do not authenticate.

  This seems to be an IIS specific problem on pbm101 alone.
  Did you check the directory security settings for the OracleBAM application on pbmbam101 ? Any of the authenticated access methods should be enabled, or users cannot access certain pages from the local network, since IIS would be using anonymous authenication. That would normally not be a problem, but for IE sending in credentials that will be different from the account on the IIS server used for anonymous access. I suggest copying the directory security settings from the other node in the cluster (for all directories!!).
  Another additional point is that IIS ultimately uses file and directory permissions to resolve access rights. So you can check the permissions on the public folders used by IIS and ASP.Net.

• Wireless 802.1x with Window 7

  I have a WLC 6.0,  ACS 3.3 and the SSID is setup to use 802.1x with Peap Authentication.   The clients are using Windows 7 to connect to wireless.     To get the clients connected they have to go into there network properties if the wireless card,  configure the client to use PEAP,  uncheck validate server certificate, and also uncheck use computer name to login into windows.  This works fine and the user to able to connect to to wireless after dong all these steps and then entering in there Windows Username and Password.    The customer is saying that this is to many steps for the end user and they just want the user to to click on the SSID and connect.  If wireless could also be setup to use  there windows username and password   would be a bonus.  I'm basically looking for a solution that is simple but is also secure as well.  I know that's an oxymoron.   Is there anything I could do to make the wireless process simpler.  Either by going with a different security authentication or by doing something different on the clients computers.   Thanks for any help and suggestions. 

  This is a script that we use on our campus (University of Leeds), that self configures an 802.1x connection and when a user connects to an 802.1x connection merely asks them for their username and password, which then remained cached.
  The .exe you create takes away all the techy bits that do 'confuse' some users, even if they are provided with well written documentation.
  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
  mso-para-margin:0cm;
  mso-para-margin-bottom:.0001pt;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;}
  https://sourceforge.net/projects/su1x/
  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
  mso-para-margin:0cm;
  mso-para-margin-bottom:.0001pt;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;}
  http://lsayregj.swan.ac.uk/su1x/SU1X_User_Guide-v104.pdf
  Features include:
  - Automation of configuration of a PEAP wireless connection on XP(SP3),Vita and Win 7
  - Can set EAP credentials without additional user interaction (avoids tooltip bubble)
  - Installation of a certificate (silent)
  - Checks for WPA2 compatibility and falls back to a WPA profile
  - Third party supplicant check -SSID removal and priority setting
  - Support tab: (checks: adapter, wzc service, profile presence, IP)
  - Outputs check results to user with tooltip and/or to file
  - Printer tab to add/remove networked printer
  This tool is very cleverly written by Gareth Ayres at Swansea University

• [WLAN] Use 802.1x with PEAP without Certificates?

  Hello there,
  is it possible to use 802.1x with PEAP authentication via MS-CHAPv2 without cheking for the servers certificate? I can't find an option to disable it

  On whitch device? You can set the autorithy certifacte to none or choose one from the list.
  ‡Thank you for hitting the Blue/Green Star button‡
  N8-00 RM 596 V:111.030.0609; E71-1(05) RM 346 V: 500.21.009

• Wired 802.1x with PEAP

  I have manage to get wired 802.1x working using Windows Active Directory as the database. With machine authentication, single-signon can be achieved.
  Setup:
  C3750 switch - Cisco ACS 3.2 - Windows AD
  Sequence of events:
  1. 802.1x machine authentication
  2. User logs in to domain
  3. 802.1x with user credentials
  But, I have the following issues:
  i. If user logs in using local account, it takes 3 minutes (default dot1x switch timers) for the port to turn unauthorized. Is it possible to place the port in unauthorized state immediately?
  ii. If the user 802.1x login has dynamic VLAN assignment, the AD scripts do not run. It seems that the AD scripts can't run if there is a change of IP address upon login (difference in VLAN for 'machine authentication' and 'user login').
  Any solution for this?
  Tks

  2 issues here:
  *Cached credentials for Microsoft supplicannts. Microsoft's authentication strategy in general reflects, and WLAN roaming would be difficult without the use of cached credentials. If cached credentials are not desired, would recommend another supplicant.
  * Falied Authentication for a local account. It should try to dot1x authenticate this user. For PEAP as an example, you would see the username as \. Now, a port will only be placed into a HELD state if a RADIUS-Reject is sent to the switch. A RADIUS-Reject will only be sent to the switch if the attempt is actually "failed" as opposed to silently discarded, packet lost in transit, etc. Taking 3 minutes to actually fail an attempt is indeed way too long, but the switch is probably doing what RADIUS is telling it to do. (this can be verified by a sniffer trace or debugs). Correspinding logs on RADIUS would help as well.

• Windows 7 Home Premium with 802.1x problems with the Authentication

  We have problems with  OS Windows 7 Home Premium 802.1x, the message in ACS:
  EAP-TLS or PEAP authentication failed during SSL handshake
  ACS v4.1
  We have OS Windows 7 Professional and doesn´t have problems with the authentication.
  I hope that you can help me
  Regards

  We were investigated with specialist people of OS Windows and the conclusion was that the Home Premium Version has restrictions about authentication and domain (Active Directory). So we need change the version of OS (Proffessional for example).
  If you had another tip, please tell me and I try it for resolve this issue, if not we have to change the OS.
  Regards

• 802.1x EAP-PEAPv0 (MSCHAPV2) with computer authentication

  I am a network administrator at seven schools, and a few of these schools are now using 802.1x EAP-PEAPv0 (MSCHAPV2) with computer authentication  only, for wireless security. 
  We are a mixture of 2008 and 2003 (Windows Domain) servers running IAS or NPS for RADIUS.  
  I push out the wireless client’s setting via group policy, and the clients are using WZC. 
  Every now and then, a client will be unable to authenticate/validate during the authentication phase. 
  Some clients this will never happen to and a few it will happen repeatedly. 
  To fix this I have to hard wire the computer and do a gpupdate, even though the computer already had the updates applied previously, and is still part of the domain. 
  Many of our classrooms lack network drops, so wireless is the best for us. 
  Except for this one downfall, it is working great. Any help is appreciated.

  Hi Ryan,
  Thanks for posting here.
  Could you discuss the situation that you mentioned “a client will be unable to authenticate/validate during the authentication phase. 
  Some clients this will never happen to and a few it will happen repeatedly. ”
    in detail ? Can you verify if there is any error or warring that relate with this authentication issue recorded in event log on client and radius server ?
  Only certain computers are facing this issue or all?
  What’s OS running on these client computers?
  According the situation right now , I’d like to share some suggections with you:
  1. An 802.1x client may fail to connect to an Radius server if the Trusted Root CA certificate that issued the Radius server certificate is not installed on
  the client computer. Either verify that the trusted root authority is installed on the client computer or disable certificate validation on the client. To disable certificate validation, access the properties of the connection, and on the Authentication tab,
  click Properties. Click to clear the Validate server certificate check box. EAP-TLS requires the installation of a computer certificate on each RADIUS server and a computer or user certificate, or smart card on all clients. PEAP-MS-CHAPv2 requires the installation
  of a computer certificate on each RADIUS server and the root CA certificates of the issuing CAs of the RADIUS server certificate on each of the client computers.
  2. Verify that Radius is configured for the logging of rejected authentication attempts to the event log. Try the connection again, and then check the system
  event log for an IAS event for the failed connection attempt. Use the information in the log to determine the reason the connection attempt was either rejected or discarded. Logging options are configured on the General tab of the Radius server Properties
  dialog.
  3. Any rejected or discarded connection attempt recorded should identify the Connection Request Policy used. A RADIUS request message is processed only if the
  settings of the incoming RADIUS request message match at least one of the connection request policies. Examine the conditions of the policy identified to see where the request fails.
  4. Determine from the IAS system event log entries whether the authentication failure is for computer auth, user auth, or both. By default, Windows performs
  an 802.1x authentication with computer credentials before displaying the Windows logon screen. Another authentication with user credentials is performed after the user has logged on, and if this fails the machine will be disconnected from the network. Similarly,
  if computer authentication fails but user auth is successful, symptoms will include failure to process login scripts or apply group policies and machine password expiration will not be updated since the user will only be able to logon with cached credentials.
  If you use a smart card for authentication, you can only perform user authentication because smart card usage requires manual entry of a personal identification number (PIN). There is no way to provide the PIN to unlock the smart card certificate during computer
  authentication.
  5. Examine the wireless trace logs captured and search for keywords error, failed, failure, or rejected. This should give an indication as to what point in the
  authentication process the failure occurs.
  Meanwhile, I ‘d like suggest you may start troubleshooting with following the guides below and see if it will help:
  Windows Server 2003 Wireless Troubleshooting
  http://technet.microsoft.com/en-us/library/cc773359(WS.10).aspx
  Troubleshooting Windows Vista 802.11 Wireless Connections
  http://technet.microsoft.com/en-us/library/cc766215(WS.10).aspx
  Thanks.
  Tiger Li
  TechNet Subscriber Support in forum
  If you have any feedback on our support, please contact
  [email protected]
  Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
  Random computers running Windows XP have this problem.  It does not happen to all of them at once. 
  It is very random.  A computer that has been connecting to the secure network for weeks will all of a sudden not be able to connect. The message is “attempting to authenticate” and it never makes the connection. 
  I checked if logging is turned on and I can see successful events from computers that are working. 
  I can also see failed events from computers that are not ours that tried to connect to our wireless. 
  However for the computers that are having this problem there are no logged events. 
  It is as if they don’t even communicate with the server. 
  Other clients on the same AP are working fine.  I rebooted the IAS service, and RADIUS clients, but this did not help. 
  I also checked all the settings and they are correct, using PEAP, and validating the server certificate is disabled. 
  I did notice that the firewall is also turned on through group policy when the domain is not available.
     Do you think the firewall is blocking the communication? 
  I added an exception to port 1812 UDP and this did not make a difference.

• HT4718 wpa2 enterprise 802.11x protocol with pap authentication.  Lion Reformat

  My school has only wpa2 enterprise 802.11x protocol with pap authentication.  Due to this I can not reinstall lion as a fresh copy.  I realized that I can download lion again from the app store.  Can it do a fresh install?

  I am having the exactly same problem as ecko04. I also tried to intall the certificate provided by my university but it failed. Could somebody help us out? Thanks

• 802.1x - Issue with command: authentication open

  The issue we are running into is that when we initially deployed 802.1x we had the command “authentication open” on all of our switch ports. We ran a CscoWorks job last week Thursday to remove that command from all of our ports. Since that time we have ran into a couple of weird issues where the device was powered up but the switch port would show notconnect when doing a show int status but the speed would show a-1000 and duplex would show a-full. There would be no mac address listed when doing a “show mac add int ‘interface’” and the device would be in the MAB running state. This is happening on devices that are supposed to be doing 802.1x and MAB authentication, if we put the command “authentication open” back onto the port it showed connected and mac address. Now we have over 1000 switches on the network with this command removed and so far have only ran into a couple of these odd ball problem ports so at this time it is not happening widespread but would like to take care of the issue or figure out why this happening before it does.

  On the 2960's we are running 12.2(55)SE5, on the 6500's we are running 15.1(1)SY
  We didn't use any kind of ACL because we start all of our switch ports into a black hole vlan. I have been watching sessions from Cisco Live 2012 and looks like Cisco is now recommending that you don't go closed mode unless absolutely necessary because it is hard to maintain and function.

• ACS 5.4 with DACL over wireless and wired network

  Hi my name is Ivan, I have a question
  I have a deployment in my network wired at this way:
  Profile 1: corporate's users are working with 802.1X to authenticate computers and users with eap peap mschap v2 and Mac Filtering configuring in the Cisco WLC. My ACS 5.4 is integrate to the Active Directory.
  Profile 2: Telephonies IP authenticate with MAB. All the Mac Address are registered in to the ACS locally.
  Profile 3: user guest authenticate with portal web from Cisco Wireless Lan Controller over the wired network, and the account exist in to the WLC Lobby Ambassador
  A my deployment in the wireless network is in this way:
  Flex Connect with central authentication and local switching to connect 15 sites over the wan network.
  SSID 1: users corporate working with 802.1X to authenticate users with peap mschap v2 and Mac Filtering configuring in the Cisco WLC. My ACS 5.4 is integrate to Active Directory.
  SSID 2: users guest working with portal web from Cisco Wireless Lan Controller over the wireless network, and the account exist in to the WLC Lobby Ambassador.
  I would like to configure in the Cisco ACS 5.4 Downloadable Access List (DACL) to use in my network wired and wireless.
  How can I do it to my scenary?
  Please could you help me?
  Regards
  Ivan.

  Hello. To avoid confusion, let's divide the WLC based upon the operating system.
  There are WLCs who run AirOS. That includes WLC 4400, but also includes WLC 5500.
  There are WLCs who run IOS-XE. That includes the new Catalyst 3850-X and WLC 5700. (also I think can run AirOS too).
  IOS-XE fully support DACL. On the other hand AirOS support DACL partially.
  From ACS point of view, when you configure DACL for IOS you configure not only the name of the access-list, but also the access-list entries. That way the IOS devices don't need to have the ACLs pre-configured. This is great because  you only need to create and update the access-list entries from only one place (which is ACS) and deploy easily to hundreds of switches.
  On the other hand, when ACS configures DACL for AirOS it can only specify the name of the access-list. The AirOS device needs to configure the access-list with a name exactly as configured on the ACS. Sadly, each AirOS device also needs to configure all acess-list entries.
  It seems you want to configure DACL along with other attributes. If you explain me a little more your requirement I can show you what to configure.
  Best regards

• Cisco ip phones authenticate 802.1x with cisco ise 1.3

  Dear all,
  I want to configure cisco ise 1.3 with 802.1x , to authenticate cisco ip phones ( CUCM 10.5.2 ) with LSC certificate. 
  How I have to configure cisco ise authentication rules for 802.1x with cisco ip phones? Are there any configuration examples ? 
  Thanks

  following are ISE 802.1x  sample authentication rules..you can change the protocol (Policy -> policy elements - > results -> authentication and you can select the proctocal)

• 802.1X Port Based Authentication - IP Phone- MDA - Port Security Violation

  I have configured 802.1X authentication on selected ports of a Cisco Catalyst 2960S with Micorsoft NPS Radius authentication on a test LAN. I have tested the authentication with a windows XP laptop, a windows 7 laptop with 802.1X, eap-tls authentication and a Mitel 5330 IP Phone using EAP-MD5 aithentication. All the above devices work with with the MS NPS server. However in MDA mode when the  802.1x compliant  windows 7 laptop is connected to the already authenticated Mitel IP Phone, the port experiences a security violation and the goes into error sdisable mode.
  Feb  4 19:16:16.571: %AUTHMGR-5-START: Starting 'dot1x' for client (24b6.fdfa.749b) on Interface Gi1/0/1 AuditSessionID AC10A0FE0000002F000D3CED
  Feb  4 19:16:16.645: %DOT1X-5-SUCCESS: Authentication successful for client (24b6.fdfa.749b) on Interface Gi1/0/1 AuditSessionID AC10A0FE0000002F000D3CED
  Feb  4 19:16:16.645: %PM-4-ERR_DISABLE: security-violation error detected on Gi1/0/1, putting Gi1/0/1 in err-disable state
  Feb  4 19:16:17.651: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to down
  Feb  4 19:16:18.658: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down
  If the port config  is changed to "authentication host-mode multi-auth", and the laptop is connected to the phone the port does not experience the security violation but the 802.1x authentication for the laptop fails.
  The ports GI1/0./1 & Gi1/02 are configured thus:
  interface GigabitEthernet1/0/1
  switchport mode access
  switchport voice vlan 20
  authentication event fail action authorize vlan 4
  authentication event no-response action authorize vlan 4
  authentication event server alive action reinitialize
  authentication host-mode multi-domain
  authentication order dot1x mab
  authentication priority dot1x mab
  authentication port-control auto
  mab
  mls qos trust cos
  dot1x pae authenticator
  spanning-tree portfast
  sh ver
  Switch Ports Model              SW Version            SW Image
  *    1 52    WS-C2960S-48FPS-L  15.2(1)E1             C2960S-UNIVERSALK9-M
  Full config attached. Assistance will be grately appreciated.
  Donfrico

  I am currently trying to get 802.1x port authentication working on a Cat3550 against Win2003 IAS but the IAS log shows a invalid message-authenticator error. The 3550 just shows failed. When I authenticate against Cisco ACS (by simply changing the radius-server) it works perfectly.
  However, I am successfully using IAS to authenticate WPA users on AP1210s so RADIUS appears to be OK working OK.
  Are there special attributes that need to be configured on the switch or IAS?

• 802.1X Port Based Authentication Security Violation

  I have configured 802.1X authentication on selected ports of a Cisco Catalyst 2960S with Micorsoft NPS Radius authentication on a test LAN. I have tested the authentication with a windows XP laptop, a windows 7 laptop with 802.1X, eap-tls authentication and a Mitel 5330 IP Phone using EAP-MD5 aithentication. All the above devices work with with the MS NPS server. However in MDA mode when the  802.1x compliant  windows 7 laptop is connected to the already authenticated Mitel IP Phone, the port experiences a security violation and the goes into error sdisable mode.
  Feb  4 19:16:16.571: %AUTHMGR-5-START: Starting 'dot1x' for client (24b6.fdfa.749b) on Interface Gi1/0/1 AuditSessionID AC10A0FE0000002F000D3CED
  Feb  4 19:16:16.645: %DOT1X-5-SUCCESS: Authentication successful for client (24b6.fdfa.749b) on Interface Gi1/0/1 AuditSessionID AC10A0FE0000002F000D3CED
  Feb  4 19:16:16.645: %PM-4-ERR_DISABLE: security-violation error detected on Gi1/0/1, putting Gi1/0/1 in err-disable state
  Feb  4 19:16:17.651: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to down
  Feb  4 19:16:18.658: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down
  If the port config  is changed to "authentication host-mode multi-auth", and the laptop is connected to the phone the port does not experience the security violation but the 802.1x authentication for the laptop fails.
  The ports GI1/0./1 & Gi1/02 are configured thus:
  interface GigabitEthernet1/0/1
  switchport mode access
  switchport voice vlan 20
  authentication event fail action authorize vlan 4
  authentication event no-response action authorize vlan 4
  authentication event server alive action reinitialize
  authentication host-mode multi-domain
  authentication order dot1x mab
  authentication priority dot1x mab
  authentication port-control auto
  mab
  mls qos trust cos
  dot1x pae authenticator
  spanning-tree portfast
  sh ver
  Switch Ports Model              SW Version            SW Image
  *    1 52    WS-C2960S-48FPS-L  15.2(1)E1             C2960S-UNIVERSALK9-M
  Full config attached. Assistance will be grately appreciated.
  Donfrico

  I believe , you need to configure re-authentication on this switch port:
  ! Enable re-authentication
  authentication periodic
  ! Enable re-authentication via RADIUS Session-Timeout
  authentication timer reauthenticate server