
Radius Inaccessible Authentication Bypass

gilou_1973
Level 1

Hello,

I'd like to know if it's possible to implement such a mechanism on a Cisco 2950 platform.

I'd like to avoid my clients' ports being unauthorized in case of a failure of my RADIUS servers. Is there a way to implement it on a 2950G?

6 Replies

Richard Burts
Hall of Fame

gildas

Would I be correct to assume that you have your 2950G configured with a backup authentication method if the Radius server is not available and that your issue is what to do about authorization?

I have not done this on a 2950G and can not know that it works, but this solution generally works in IOS and I assume that it will work on your 2950G:

aaa authorization exec default group radius if-authenticated

Give it a try and let us know if it works.

HTH

Rick

Hi Rick,

Thanks for your answer but what I mean is the following.

I've implemented dot1x port control on my switches and I'd like to bypass this security if my RADIUS server is considered down or unreachable by the authenticator.

I know that it's possible on a Catalyst 4500 and is known as "Configuring a port as a critical port in order to enable the Inaccessible Authentication Bypass feature".

I hope that my explanation is clearer and that I'm not mistaken.

Thanks

Old thread I know, but I have the same issue currently:

There doesn't appear to be any kind of option like critical ports, or , or a workaround.

I have tried setting the fail and guest vlans on the ports, but these only work when the radius server is accessible.

Without the radius server being alive, no ports can be authenticated or failed open.

Grateful if anyone knows of a way to deal with this, or if there is another command I am unaware of.

Hi,

These commands entered under the interface should authorize the connection in the event the RADIUS server is down/dead:-

Switch(config-if)# authentication event server dead action reinitialize vlan 20
Switch(config-if)# authentication event server dead action authorize voice
 
Reference here.
 
HTH
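
An added example, not part of the original post or of Cisco's documentation: a Python audit over a saved running-config that lists each 802.1X-controlled port together with its `authentication event server dead action` lines, so ports that would stay unauthorized during a RADIUS outage stand out. The sample config, port names, and function names are constructed for illustration, and `authentication port-control auto` / `dot1x port-control auto` are assumed to be the markers of an 802.1X port.

```python
import re

# Constructed sample running-config (not from the thread); port names are illustrative.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 authentication port-control auto
 authentication event server dead action reinitialize vlan 20
 authentication event server dead action authorize voice
!
interface GigabitEthernet0/2
 switchport mode access
 authentication port-control auto
!
interface GigabitEthernet0/3
 dot1x port-control auto
!
interface GigabitEthernet0/4
 switchport mode trunk
!
"""

PORT_CONTROL = re.compile(r"^(authentication|dot1x) port-control auto$")
DEAD_ACTION = re.compile(r"^authentication event server dead action (.+)$")

def parse_interfaces(config):
    """Return {interface name: [stripped sub-commands]} from running-config text."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            blocks[current] = []
        elif current and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None  # "!" or a global command ends the interface block
    return blocks

def audit_dead_server_policy(config):
    """Map each 802.1X port to its dead-server actions; [] means no fallback."""
    report = {}
    for name, cmds in parse_interfaces(config).items():
        if any(PORT_CONTROL.match(c) for c in cmds):
            report[name] = [m.group(1) for c in cmds if (m := DEAD_ACTION.match(c))]
    return report

if __name__ == "__main__":
    for port, actions in audit_dead_server_policy(SAMPLE_CONFIG).items():
        print(port, "->", actions or "NO FALLBACK (stays unauthorized)")
```

Ports reported with a fallback admit clients without authentication while the servers are marked dead, so the VLAN they land in (VLAN 20 in the commands above) deserves the same review as a guest VLAN.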

Hi and thanks for taking the time to look at this and respond.

Unfortunately, that reference is for IOS 15, and those commands are not available in IOS 12.1(22)EA13.

The Catalyst 2950 is not supported above 12.1.

I don't know if there is anything helpful in 12.1(22)EA14, but as it's an EOL switch I sadly can't find a download.

IEEE 802.1x inaccessible authentication bypass appears to need a minimum IOS release of 12.2(25)SED or 12.2(25)SEE, per Release Notes for the Catalyst 3750, 3560, 2960-S, and 2960 Switches, Cisco IOS Release 12.2(58)SE1 and Later.