▲ 4 r/Cisco
FreeRADIUS/MAB/Voice VLAN+Cisco Catalyst 9200
Hi all ladies and gentlemen!
I am having trouble with my Cisco Catalyst 9200. We have a RADIUS server (FreeRADIUS) in our corp LAN. Authenticating PCs is going well, but there are troubles with the voice VLAN. I am trying to use MAB for authenticating SIP devices. "files" in the authorize section of the "default" tunnel is also present. Cisco port configuration:
```
interface GigabitEthernet3/0/20
 description LAN_MAIN
 switchport access vlan 422
 switchport mode access
 switchport voice vlan 1902
 authentication event fail action next-method
 authentication host-mode multi-domain
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
end
```
/etc/freeradius/3.0/users (xxxx.yyyy.zzzz is a MAC-address):
```
xxxx.yyyy.zzzz Auth-Type := Accept
```
The PC is connected to the PC port of the SIP phone, and the LAN is connected to the Internet port. After SIP phone startup I get a security violation on the Cisco port in the log and the port shuts down:
```
Apr 25 14:37:42.879: %PM-4-ERR_DISABLE: security-violation error detected on Gi3/0/20, putting Gi3/0/20 in err-disable state
Apr 25 14:37:42.898: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet3/0/20, new MAC address (xxxx.yyyy.zzzz) is seen.AuditSessionID lg|g|H0o]^K^X_#
Apr 25 14:37:43.882: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet3/0/20, changed state to down
Apr 25 14:37:44.881: %LINK-3-UPDOWN: Interface GigabitEthernet3/0/20, changed state to down
```
So what am I doing wrong?
u/brightkills — 1 day ago
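For triaging syslog like the lines in the post above, this added example (not part of the original post) pairs each `%AUTHMGR-5-SECURITY_VIOLATION` with the `%PM-4-ERR_DISABLE` event on the same port, which needs interface-name normalization because the two messages name the port differently. The sample log, its MAC addresses and session IDs, the prefix table and the two-second window are constructed assumptions; Python 3.8+ is assumed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the post's message format; MACs and session IDs are made up.
# The first session ID embeds a raw vertical tab (\x0b) to mimic a garbled value.
SAMPLE_LOG = (
    "Apr 25 14:37:42.879: %PM-4-ERR_DISABLE: security-violation error detected on "
    "Gi3/0/20, putting Gi3/0/20 in err-disable state\n"
    "Apr 25 14:37:42.898: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the "
    "interface GigabitEthernet3/0/20, new MAC address (0011.2233.4455) is seen."
    "AuditSessionID ab\x0bcd\n"
    "Apr 25 15:02:10.100: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the "
    "interface GigabitEthernet3/0/7, new MAC address (0011.2233.6677) is seen."
    "AuditSessionID 0A000001\n"
)

LINE = re.compile(r"^(\w{3} +\d+ [\d:.]+): %([A-Z_]+-\d-[A-Z_]+): (.*)")
ERRDIS = re.compile(r"security-violation error detected on (\S+),")
VIOLATION = re.compile(r"interface (\S+), new MAC address \(([0-9A-Fa-f.]+)\)")
# PM logs the short interface name and AUTHMGR the long one; expand before comparing.
PREFIXES = {"Gi": "GigabitEthernet", "Te": "TenGigabitEthernet", "Fa": "FastEthernet"}

def long_name(ifname):
    m = re.match(r"([A-Za-z]+)([\d/]+)$", ifname)
    return PREFIXES.get(m.group(1), m.group(1)) + m.group(2) if m else ifname

def triage(log, window=timedelta(seconds=2)):
    """One record per violation: interface, new MAC, and whether the port was err-disabled."""
    shutdowns, violations = [], []
    # split("\n"), not splitlines(): the latter also breaks on control bytes such as \x0b.
    for raw in log.split("\n"):
        m = LINE.match(raw)
        if not m:
            continue
        # IOS omits the year; 2000 is a placeholder so the timestamps can be compared.
        ts = datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S.%f")
        if m.group(2) == "PM-4-ERR_DISABLE" and (e := ERRDIS.search(m.group(3))):
            shutdowns.append((ts, long_name(e.group(1))))
        elif m.group(2) == "AUTHMGR-5-SECURITY_VIOLATION" and (v := VIOLATION.search(m.group(3))):
            violations.append((ts, v.group(1), v.group(2).lower()))
    # The err-disable line may be logged before the violation line, so compare both ways.
    return [{"interface": port, "mac": mac,
             "err_disabled": any(p == port and abs(t - ts) <= window for t, p in shutdowns)}
            for ts, port, mac in violations]

if __name__ == "__main__":
    for record in triage(SAMPLE_LOG):
        print(record)
```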