Cisco Support Community

New Member

802.1x Critical Authentication feature 12.2(25)SEE

The critical authentication feature does not seem to work. Port does not move to authorized state if RADIUS (ACS) server is not available. In fact, it even seems to break the Authentication Fail VLAN functionality.

If RADIUS server is not available and user/machine tries to authenticate, the port fails authentication and remains in unauthorized state and does not even move to AuthFail VLAN.

Any ideas?

6 REPLIES
Cisco Employee

Re: 802.1x Critical Authentication feature 12.2(25)SEE

What's the configuration of your switch?

New Member

Re: 802.1x Critical Authentication feature 12.2(25)SEE

dot1x and aaa related switch configuration follows:

Global Config:

aaa new-model
aaa group server radius acsrad
 server A.B.C.D auth-port 1645 acct-port 1646
 server W.X.Y.Z auth-port 1645 acct-port 1646
!
aaa group server tacacs+ acstac
 server A.B.C.D
 server W.X.Y.Z
aaa authentication login default group acstac local
aaa authentication dot1x default group acsrad
aaa authorization exec default group acstac if-authenticated
aaa authorization network default group acsrad if-authenticated
aaa accounting update periodic 5
aaa nas port extended
!
aaa session-id common
tacacs-server host A.B.C.D key 7 XXXXXXXXXXX
tacacs-server host W.X.Y.Z key 7 XXXXXXXXX
tacacs-server directed-request
radius-server dead-criteria time 5 tries 2
radius-server host A.B.C.D auth-port 1645 acct-port 1646 test username XXXX idle-time 1 key 7 XXXXXXXXXX
radius-server host W.X.Y.Z auth-port 1645 acct-port 1646 test username XXXX idle-time 1 key 7 XXXXXXXXXXXX
radius-server source-ports 1645-1646
radius-server deadtime 1
radius-server vsa send authentication
dot1x system-auth-control
dot1x critical recovery delay 2000
dot1x critical eapol

Interface configuration:

 switchport access vlan x1
 switchport mode access
 dot1x critical recovery action reinitialize
 dot1x pae authenticator
 dot1x port-control auto
 dot1x timeout quiet-period 30
 dot1x timeout server-timeout 5
 dot1x reauthentication
 dot1x guest-vlan x2
 dot1x auth-fail vlan x2
 dot1x critical vlan 101
 arp timeout 60
 spanning-tree portfast

================================

I have tried making the critical vlan to be the same as the access vlan as well as the Auth-Fail vlan but the results are same.

Cisco Employee

Re: 802.1x Critical Authentication feature 12.2(25)SEE

You're missing "dot1x critical" on the port (it's a separate command from the VLAN definition).

Hope this helps,

New Member

Re: 802.1x Critical Authentication feature 12.2(25)SEE

Hello,

I also have the same problem. When the RADIUS servers are dead, the client is not assigned to the critical VLAN. It is treated as an authentication failure and then assigned to the auth-fail VLAN.

Where am I making the mistake?

Here is the config:

radius-server host 172.16.1.220 auth-port 1645 acct-port 1646 test username qawsed idle-time 1 key xxx
radius-server host 172.16.1.221 auth-port 1645 acct-port 1646 test username qawsed idle-time 1 key xxx
radius-server source-ports 1645-1646
radius-server deadtime 30
radius-server dead-criteria time 5 tries 2
dot1x system-auth-control
dot1x critical recovery delay 2000
dot1x critical eapol
aaa new-model
aaa authentication dot1x default group radius local
aaa authorization network default group radius local
aaa authorization configuration default group radius
!
interface GigabitEthernet0/1
 switchport access vlan 140
 switchport mode access
 dot1x critical
 dot1x critical recovery action reinitialize
 dot1x pae authenticator
 dot1x port-control auto
 dot1x timeout tx-period 10
 dot1x guest-vlan 140
 dot1x auth-fail vlan 140
 dot1x auth-fail max-attempts 2
 dot1x critical vlan 150
 spanning-tree portfast

New Member

802.1x Critical Authentication feature 12.2(25)SEE

aaa authentication dot1x default group radius local
aaa authorization network default group radius local
aaa authorization configuration default group radius

You must change this configuration as below:

aaa authentication dot1x default group radius
aaa authorization network default group radius if-authenticated
aaa authorization configuration default group radius

Hope this helps,
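The two fixes in this thread are the two classic ways critical authentication (inaccessible authentication bypass) silently fails to engage: the first poster defined a critical VLAN on the port without enabling the feature itself with "dot1x critical", and the second poster had "local" appended to the dot1x method list, so when every RADIUS server was marked dead the switch fell through to the local method, which cannot complete an EAP exchange, and the attempt ended as an ordinary authentication failure (auth-fail VLAN) rather than a critical-VLAN placement. The following is an added example, not code from this thread or from Cisco: a small Python audit that parses IOS running-config text and flags both conditions, then rewrites the config with the corrections the replies above prescribe. The sample config is constructed from the second poster's configuration (trimmed, with an extra interface GigabitEthernet0/2 added that is already correct); interface and VLAN numbers are assumptions. It does not attempt to validate the "if-authenticated" change to the authorization list.

```python
import re
from typing import Dict, List

# Constructed sample (not a real device dump): a trimmed copy of the
# config posted above, with both misconfigurations present on Gi0/1
# and a correctly configured Gi0/2 for contrast.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius local
aaa authorization network default group radius local
dot1x system-auth-control
dot1x critical eapol
!
interface GigabitEthernet0/1
 switchport access vlan 140
 switchport mode access
 dot1x critical recovery action reinitialize
 dot1x pae authenticator
 dot1x port-control auto
 dot1x auth-fail vlan 140
 dot1x critical vlan 150
 spanning-tree portfast
!
interface GigabitEthernet0/2
 switchport mode access
 dot1x critical
 dot1x pae authenticator
 dot1x port-control auto
 dot1x critical vlan 150
!
"""

DOT1X_METHOD_RE = re.compile(r"(aaa authentication dot1x \S+ )(.+)$")


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Return {interface name: [sub-commands]} from IOS running-config text.

    An interface stanza runs from 'interface X' until the next line that is
    not indented (IOS prints '!' or the next global command there).
    """
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None  # '!', blank line, or another global command
    return interfaces


def audit_critical_auth(config: str) -> List[str]:
    """Flag the two critical-auth pitfalls discussed in the thread."""
    findings: List[str] = []
    # 1. A 'local' fallback in the dot1x method list: when RADIUS is dead the
    #    switch tries 'local', which fails EAP, so the port never goes critical.
    for line in config.splitlines():
        m = DOT1X_METHOD_RE.match(line.strip())
        if m and "local" in m.group(2).split():
            findings.append(
                f"aaa: dot1x method list '{m.group(1).split()[3]}' falls back to "
                f"'local'; remove it so a dead RADIUS group triggers critical auth"
            )
    # 2. 'dot1x critical vlan N' only names the VLAN; the feature itself is
    #    enabled per port by the separate 'dot1x critical' command.
    for name, cmds in parse_interfaces(config).items():
        has_vlan = any(c.startswith("dot1x critical vlan ") for c in cmds)
        if has_vlan and "dot1x critical" not in cmds:
            findings.append(f"{name}: 'dot1x critical vlan' set but 'dot1x critical' missing")
    return findings


def remediate(config: str) -> str:
    """Return the config with both fixes applied."""
    needs_critical = {
        name
        for name, cmds in parse_interfaces(config).items()
        if any(c.startswith("dot1x critical vlan ") for c in cmds) and "dot1x critical" not in cmds
    }
    out: List[str] = []
    current = None
    for raw in config.splitlines():
        stripped = raw.strip()
        m = DOT1X_METHOD_RE.match(stripped)
        if m:  # drop 'local' from the dot1x method list, keep everything else
            methods = [t for t in m.group(2).split() if t != "local"]
            out.append(m.group(1) + " ".join(methods))
            continue
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
        elif not raw.startswith(" "):
            current = None
        if current in needs_critical and stripped.startswith("dot1x critical vlan "):
            out.append(" dot1x critical")  # enable the feature on this port
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in audit_critical_auth(SAMPLE_CONFIG):
        print("FINDING:", finding)
    print(remediate(SAMPLE_CONFIG))
```

Run it against a saved "show running-config" to get the findings list; the remediated text is meant for eyeballing before you paste the relevant lines into config mode, not for blind replay onto the switch. After applying the changes, confirm on a port with the RADIUS servers actually down (not just unreachable from your desk) that the port lands in the critical VLAN, since "dot1x critical eapol" and the recovery action only matter once the feature engages.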

New Member

Re: 802.1x Critical Authentication feature 12.2(25)SEE

OMG, it is working. Thanks a lot!
