802.1x Critical Authentication feature 12.2(25)SEE

magurwara
Level 1

The critical authentication feature does not seem to work. Port does not move to authorized state if RADIUS (ACS) server is not available. In fact, it even seems to break the Authentication Fail VLAN functionality.

If RADIUS server is not available and user/machine tries to authenticate, the port fails authentication and remains in unauthorized state and does not even move to AuthFail VLAN.

Any ideas?

6 Replies

jafrazie
Cisco Employee

What's the configuration of your switch?

dot1x and aaa related switch configuration follows:

Global Config:

aaa new-model
aaa group server radius acsrad
server A.B.C.D auth-port 1645 acct-port 1646
server W.X.Y.Z auth-port 1645 acct-port 1646
!
aaa group server tacacs+ acstac
server A.B.C.D
server W.X.Y.Z
aaa authentication login default group acstac local
aaa authentication dot1x default group acsrad
aaa authorization exec default group acstac if-authenticated
aaa authorization network default group acsrad if-authenticated
aaa accounting update periodic 5
aaa nas port extended
!
aaa session-id common
tacacs-server host A.B.C.D key 7 XXXXXXXXXXX
tacacs-server host W.X.Y.Z key 7 XXXXXXXXX
tacacs-server directed-request
radius-server dead-criteria time 5 tries 2
radius-server host A.B.C.D auth-port 1645 acct-port 1646 test username XXXX idle-time 1 key 7 XXXXXXXXXX
radius-server host W.X.Y.Z auth-port 1645 acct-port 1646 test username XXXX idle-time 1 key 7 XXXXXXXXXXXX
radius-server source-ports 1645-1646
radius-server deadtime 1
radius-server vsa send authentication
dot1x system-auth-control
dot1x critical recovery delay 2000
dot1x critical eapol

Interface configuration:

switchport access vlan x1
switchport mode access
dot1x critical recovery action reinitialize
dot1x pae authenticator
dot1x port-control auto
dot1x timeout quiet-period 30
dot1x timeout server-timeout 5
dot1x reauthentication
dot1x guest-vlan x2
dot1x auth-fail vlan x2
dot1x critical vlan 101
arp timeout 60
spanning-tree portfast

================================

I have tried making the critical VLAN the same as the access VLAN as well as the Auth-Fail VLAN, but the results are the same.

You're missing "dot1x critical" on the port (it's a separate command from the VLAN definition).

Hope this helps,

onur.sezen
Level 1

Hello,

I also have the same problem. When the RADIUS servers are dead, the client is not assigned to the critical VLAN. It is treated as an authentication failure and then assigned to the auth-fail VLAN.

Where am I making the mistake?

Here is the config:

radius-server host 172.16.1.220 auth-port 1645 acct-port 1646 test username qawsed idle-time 1 key xxx
radius-server host 172.16.1.221 auth-port 1645 acct-port 1646 test username qawsed idle-time 1 key xxx
radius-server source-ports 1645-1646
radius-server deadtime 30
radius-server dead-criteria time 5 tries 2
dot1x system-auth-control
dot1x critical recovery delay 2000
dot1x critical eapol
aaa new-model
aaa authentication dot1x default group radius local
aaa authorization network default group radius local
aaa authorization configuration default group radius

interface GigabitEthernet0/1
switchport access vlan 140
switchport mode access
dot1x critical
dot1x critical recovery action reinitialize
dot1x pae authenticator
dot1x port-control auto
dot1x timeout tx-period 10
dot1x guest-vlan 140
dot1x auth-fail vlan 140
dot1x auth-fail max-attempts 2
dot1x critical vlan 150
spanning-tree portfast

aaa authentication dot1x default group radius local
aaa authorization network default group radius local
aaa authorization configuration default group radius

You must change this configuration as below:

aaa authentication dot1x default group radius
aaa authorization network default group radius if-authenticated
aaa authorization configuration default group radius

Hope this helps,

OMG it is working, thanks a lot.
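The two fixes given in this thread are easy to miss in a long running-config: a port that has `dot1x critical vlan` but not the separate `dot1x critical` command, and a `dot1x` method list or network authorization line that carries a `local` fallback instead of `if-authenticated`. The script below is an added example (not from this thread or from Cisco) that audits a saved IOS configuration text for exactly those patterns before a RADIUS outage exposes them. The configuration it parses is constructed here from the lines posted above, with a second interface added that is configured the way the replies recommend; the check names and message wording are the author's own.

```python
import re
from typing import Dict, List

# Constructed sample: the config posted in this thread (Gi0/1, broken) plus a
# second port (Gi0/2) written the way the replies recommend.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius local
aaa authorization network default group radius local
aaa authorization configuration default group radius
dot1x system-auth-control
dot1x critical eapol
!
interface GigabitEthernet0/1
 switchport access vlan 140
 switchport mode access
 dot1x critical recovery action reinitialize
 dot1x pae authenticator
 dot1x port-control auto
 dot1x auth-fail vlan 140
 dot1x critical vlan 150
 spanning-tree portfast
!
interface GigabitEthernet0/2
 switchport mode access
 dot1x critical
 dot1x critical recovery action reinitialize
 dot1x pae authenticator
 dot1x port-control auto
 dot1x critical vlan 150
!
"""

# The same config with the thread's fixes applied (constructed).
FIXED_CONFIG = (
    SAMPLE_CONFIG
    .replace("aaa authentication dot1x default group radius local",
             "aaa authentication dot1x default group radius")
    .replace("aaa authorization network default group radius local",
             "aaa authorization network default group radius if-authenticated")
    .replace(" dot1x critical recovery action reinitialize\n dot1x pae authenticator\n dot1x port-control auto\n dot1x auth-fail",
             " dot1x critical\n dot1x critical recovery action reinitialize\n dot1x pae authenticator\n dot1x port-control auto\n dot1x auth-fail")
)


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Return {interface name: [stripped sub-commands]} for each 'interface' stanza.

    A line that is not indented (global command or '!') ends the current stanza.
    """
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
    return interfaces


def audit_critical_auth(config: str) -> List[str]:
    """Flag the critical-authentication misconfigurations discussed in the thread."""
    findings: List[str] = []
    global_lines = [l.strip() for l in config.splitlines() if not l.startswith(" ")]

    if "dot1x system-auth-control" not in global_lines:
        findings.append("global: 'dot1x system-auth-control' missing; 802.1X is not enabled")

    for l in global_lines:
        # A 'local' method in the dot1x list is tried when RADIUS is dead and fails
        # the supplicant, so the port lands in auth-fail instead of the critical VLAN.
        if l.startswith("aaa authentication dot1x ") and re.search(r"\blocal\b", l):
            findings.append(f"global: '{l}' has a 'local' fallback; remove it so RADIUS death triggers critical auth")
        if l.startswith("aaa authorization network ") and "group radius" in l and "if-authenticated" not in l:
            findings.append(f"global: '{l}' lacks 'if-authenticated'")

    for name, lines in parse_interfaces(config).items():
        has_vlan = any(l.startswith("dot1x critical vlan") for l in lines)
        has_enable = "dot1x critical" in lines  # exact command, not 'dot1x critical vlan ...'
        if has_vlan and not has_enable:
            findings.append(f"{name}: 'dot1x critical vlan' set but 'dot1x critical' missing; critical auth is not enabled on the port")
    return findings


if __name__ == "__main__":
    for f in audit_critical_auth(SAMPLE_CONFIG):
        print("FINDING:", f)
    print("fixed config findings:", audit_critical_auth(FIXED_CONFIG))
```

Run it against `show running-config` output saved to a file by reading the file into `audit_critical_auth`; an empty list means none of the three patterns from this thread are present. The interface parser relies on IOS indenting sub-commands with one space, which is how the switch prints them, so paste the running-config rather than retyping it.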
