08-08-2006 08:27 PM - edited 03-10-2019 02:42 PM
Hi,
I'm trying dot1x with critical authentication plus MAC authentication bypass
on a Cat2960 with SEE2.
Its configuration is the following:
aaa new-model
aaa authentication login cisco local
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
dot1x system-auth-control
dot1x critical eapol
!
interface GigabitEthernet0/11
switchport access vlan 101
switchport mode access
dot1x mac-auth-bypass
dot1x critical
dot1x critical recovery action reinitialize
dot1x pae authenticator
dot1x port-control auto
dot1x timeout tx-period 1
dot1x max-reauth-req 1
spanning-tree portfast
!
radius-server dead-criteria time 5
radius-server attribute 32 include-in-access-req format %h
no radius-server attribute nas-port
radius-server host 10.1.1.1 auth-port 1812 acct-port 1813 test username TEST idle-time 1
radius-server source-ports 1645-1646
radius-server key Cisco(%$%
radius-server vsa send accounting
!
When the RADIUS server is down after a client has been authenticated and the two commands,
dot1x re-authenticate int and dot1x initialize int, are issued,
it does not change to the critical-auth state; it remains authorized by the server with the
dot1x re-authenticate command.
Is this result correct?
CCO says:
Using IEEE 802.1x Authentication with Inaccessible Authentication Bypass
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2960/12225see/scg/sw8021x.htm#wp1194433
If the port is already authorized and re-authentication occurs, the switch puts
the critical port in the critical-authentication state in the current VLAN,
which might be the one previously assigned by the RADIUS server.
Please give me any help.
Thanks,
08-08-2006 08:37 PM
Here is a debug on dot1x re-authenticate:
C2960#sh dot1x int g0/11 d
Dot1x Info for GigabitEthernet0/11
-----------------------------------
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = SINGLE_HOST
ReAuthentication = Disabled
QuietPeriod = 60
ServerTimeout = 30
SuppTimeout = 30
ReAuthPeriod = 3600 (Locally configured)
ReAuthMax = 1
MaxReq = 2
TxPeriod = 1
RateLimitPeriod = 0
Mac-Auth-Bypass = Enabled
Critical-Auth = Enabled
Critical Recovery Action = Reinitialize
Dot1x Authenticator Client List
-------------------------------
Supplicant = 0000.3926.0384
Auth SM State = AUTHENTICATED
Auth BEND SM Stat = IDLE
Port Status = AUTHORIZED
Authentication Method = MAB
Authorized By = Authentication Server
Vlan Policy = N/A
C2960#dot1x re
C2960#dot1x re-authenticate int g0/11
C2960#
Aug 8 00:47:42: dot1x-ev:dot1x_exec_reauth_interface: Reauthenticating Authenticator instances on GigabitEthernet0/11
Aug 8 00:47:42: dot1x-ev:Sending create new context event to EAP for 0000.3926.0384
Aug 8 00:47:43: dot1x-ev:Received an EAP Fail on GigabitEthernet0/11 for mac 0000.3926.0384
Aug 8 00:47:43: dot1x-ev:No reply attributes received from AAA for 0000.3926.0384
Aug 8 00:47:43: dot1x-ev:dot1x_critical_authc_fail: Critical Auth enabled, retaining existing authorization on port GigabitEthernet0/11
Aug 8 00:47:43: dot1x-ev:dot1x_switch_addr_add: Host access entry already exists for 0000.3926.0384 101
Aug 8 00:47:43: dot1x-ev:dot1x_switch_addr_add: Added MAC 0000.3926.0384 to vlan 101 on interface GigabitEthernet0/11
Aug 8 00:47:43: dot1x-ev:Received successful Authz complete for 0000.3926.0384
Aug 8 00:47:43: dot1x-ev:GigabitEthernet0/11:Sending EAPOL packet to group PAE address
Aug 8 00:47:43: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on GigabitEthernet0/11.
Aug 8 00:47:43: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on GigabitEthernet0/11
C2960#
C2960#sh dot1x int g0/11 d
Dot1x Info for GigabitEthernet0/11
-----------------------------------
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = SINGLE_HOST
ReAuthentication = Disabled
QuietPeriod = 60
ServerTimeout = 30
SuppTimeout = 30
ReAuthPeriod = 3600 (Locally configured)
ReAuthMax = 1
MaxReq = 2
TxPeriod = 1
RateLimitPeriod = 0
Mac-Auth-Bypass = Enabled
Critical-Auth = Enabled
Critical Recovery Action = Reinitialize
Dot1x Authenticator Client List
-------------------------------
Supplicant = 0000.3926.0384
Auth SM State = AUTHENTICATED
Auth BEND SM Stat = IDLE
Port Status = AUTHORIZED
Authentication Method = MAB
Authorized By = Authentication Server
Vlan Policy = N/A
C2960#
08-08-2006 08:42 PM
Debug on dot1x initialize:
C2960#dot1x initialize int g0/11
Aug 8 00:50:00: dot1x-ev:dot1x_exec_init_interface: Initializing Authenticator instances on GigabitEthernet0/11
Aug 8 00:50:00: dot1x-ev:dot1x_switch_port_unauthorized: Unauthorizing interface GigabitEthernet0/11
Aug 8 00:50:00: dot1x-ev:dot1x_switch_is_dot1x_forwarding_enabled: Forwarding is disabled on Gi0/11
Aug 8 00:50:00: dot1x-ev:vlan 101 vp is removed on the interface GigabitEthernet0/11
Aug 8 00:50:00: dot1x-ev:dot1x_switch_addr_remove: Removed MAC 0000.3926.0384 from vlan 101 on interface GigabitEthernet0/11
Aug 8 00:50:00: dot1x-ev:dot1x_vlan_assign_client_deleted on interface GigabitEthernet0/11
Aug 8 00:50:00: dot1x-ev:Sending create new context event to EAP for 0000.0000.0000
Aug 8 00:50:00: dot1x-ev:Created a client entry for the supplicant 0000.0000.0000
Aug 8 00:50:00: dot1x-ev:Created a default authenticator instance on GigabitEthernet0/11
Aug 8 00:50:01: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/11, changed state to down
Aug 8 00:50:01: dot1x-ev:Received an EAP Fail on GigabitEthernet0/11 for mac 0000.0000.0000
Aug 8 00:50:01: dot1x-ev:No reply attributes received from AAA for 0000.0000.0000
Aug 8 00:50:01: dot1x-ev:dot1x_critical_authc_fail: Critical Auth enabled, authenticating port GigabitEthernet0/11
Aug 8 00:50:01: dot1x-ev:dot1x_switch_critical_vlan_policy: No Critical Auth VLAN defined for
port GigabitEthernet0/11
Aug 8 00:50:01: dot1x-ev:Updating feature config
Aug 8 00:50:01: dot1x-ev:dot1x_critical_modify_host_mode: Critical Auth feature overriding host_mode on port GigabitEthernet0/11, forcing to DOT1X_MULTI_HOST
Aug 8 00:50:01: dot1x-ev:dot1x_switch_is_dot1x_forwarding_enabled: Forwarding is disabled on Gi0/11
Aug 8 00:50:01: dot1x-ev:vlan 101 vp is added on the interface GigabitEthernet0/11
Aug 8 00:50:01: dot1x-ev:dot1x_switch_is_dot1x_forwarding_enabled: Forwarding is disabled on Gi0/11
Aug 8 00:50:01: dot1x-ev:dot1x_critical_modify_host_mode: Critical Auth feature overriding host_mode on port GigabitEthernet0/11, forcing to DOT1X_MULTI_HOST
Aug 8 00:50:01: dot1x-ev:dot1x_critical_modify_host_mode: Critical Auth feature overriding host_mode on port GigabitEthernet0/11, forcing to DOT1X_MULTI_HOST
Aug 8 00:50:01: dot1x-ev:dot1x_switch_port_authorized: set dot1x ask handler on interface GigabitEthernet0/11
Aug 8 00:50:01: dot1x-ev:Received successful Authz complete for 0000.0000.0000
Aug 8 00:50:01: dot1x-ev:GigabitEthernet0/11:Sending EAPOL packet to group PAE address
Aug 8 00:50:01: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on GigabitEthernet0/11.
Aug 8 00:50:01: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on GigabitEthernet0/11
Aug 8 00:50:02: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/11, changed state to up
C2960#
C2960#
C2960#sh dot1x int g0/11 d
Dot1x Info for GigabitEthernet0/11
-----------------------------------
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = SINGLE_HOST
ReAuthentication = Disabled
QuietPeriod = 60
ServerTimeout = 30
SuppTimeout = 30
ReAuthPeriod = 3600 (Locally configured)
ReAuthMax = 1
MaxReq = 2
TxPeriod = 1
RateLimitPeriod = 0
Mac-Auth-Bypass = Enabled
Critical-Auth = Enabled
Critical Recovery Action = Reinitialize
Dot1x Authenticator Client List Empty
Port Status = AUTHORIZED
Authorized By = Critical-Auth
Operational HostMode = MULTI_HOST
Vlan Policy = N/A
C2960#
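As an added example (not code from the post or from Cisco), here is a small Python audit helper that parses the two "show dot1x interface detail" outputs and the debug lines shown above and reports what the port is forwarding and why. The sample text in the block is constructed from the thread's output; the field names and the debug message formats are taken from it, so a capture from the same IOS train should parse the same way. The script, its function names and the finding text are this example's own.

```python
"""Audit IOS 802.1X critical-auth state from CLI text (added example, not from
the post or Cisco). Samples below are constructed from the thread's output."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

SHOW_SERVER = """\
Dot1x Info for GigabitEthernet0/11
HostMode = SINGLE_HOST
Critical-Auth = Enabled
Dot1x Authenticator Client List
Supplicant = 0000.3926.0384
Port Status = AUTHORIZED
Authentication Method = MAB
Authorized By = Authentication Server
Vlan Policy = N/A
"""
SHOW_CRITICAL = """\
Dot1x Info for GigabitEthernet0/11
HostMode = SINGLE_HOST
Critical-Auth = Enabled
Dot1x Authenticator Client List Empty
Port Status = AUTHORIZED
Authorized By = Critical-Auth
Operational HostMode = MULTI_HOST
Vlan Policy = N/A
"""
DEBUG = """\
Aug 8 00:47:43: dot1x-ev:dot1x_critical_authc_fail: Critical Auth enabled, retaining existing authorization on port GigabitEthernet0/11
Aug 8 00:50:01: dot1x-ev:dot1x_critical_authc_fail: Critical Auth enabled, authenticating port GigabitEthernet0/11
Aug 8 00:50:01: dot1x-ev:dot1x_switch_critical_vlan_policy: No Critical Auth VLAN defined for port GigabitEthernet0/11
Aug 8 00:50:01: dot1x-ev:dot1x_critical_modify_host_mode: Critical Auth feature overriding host_mode on port GigabitEthernet0/11, forcing to DOT1X_MULTI_HOST
"""

@dataclass
class Dot1xPort:
    name: str
    attrs: Dict[str, str] = field(default_factory=dict)          # port-level fields
    clients: List[Dict[str, str]] = field(default_factory=list)  # one dict per Supplicant

HDR = re.compile(r"^Dot1x Info for (\S+)")
KV = re.compile(r"^\s*([A-Za-z][A-Za-z -]*?)\s*=\s*(.*?)\s*$")
CRIT = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d): dot1x-ev:dot1x_critical_authc_fail: "
                  r"Critical Auth enabled, (retaining existing authorization on|authenticating) port (\S+)")

def parse_dot1x_detail(text: str) -> Dot1xPort:
    """Parse one 'show dot1x interface X detail' block into port and client fields."""
    port, target = None, None
    for line in text.splitlines():
        m = HDR.match(line)
        if m:
            port = Dot1xPort(m.group(1))
            target = port.attrs
            continue
        if port is None:
            continue
        if "Client List Empty" in line:      # port-level fields follow (critical-auth case)
            target = port.attrs
            continue
        m = KV.match(line)
        if not m:
            continue
        key, val = m.groups()
        if key == "Supplicant":              # start of a per-client section
            port.clients.append({key: val})
            target = port.clients[-1]
        else:
            target[key] = val
    if port is None:
        raise ValueError("no 'Dot1x Info for <port>' header")
    return port

def parse_critical_events(debug: str) -> List[Dict[str, str]]:
    """Pull the two decisions dot1x_critical_authc_fail can log: keep the
    existing session ('retain') or open the port itself ('critical-auth')."""
    out = []
    for line in debug.splitlines():
        m = CRIT.match(line)
        if m:
            ts, what, port = m.groups()
            out.append({"ts": ts, "port": port,
                        "action": "retain" if what.startswith("retaining") else "critical-auth"})
    return out

def audit(port: Dot1xPort, debug: str) -> List[str]:
    """Return findings about what the port is passing and why."""
    f = []
    a = port.attrs
    if a.get("Authorized By") == "Critical-Auth":
        f.append(f"{port.name}: forwarding by critical-auth, operational host mode "
                 f"{a.get('Operational HostMode', '?')}: any MAC on the port passes")
        if "No Critical Auth VLAN defined" in debug:
            f.append(f"{port.name}: no critical VLAN configured, port stays in its access VLAN")
    retained = {e["port"] for e in parse_critical_events(debug) if e["action"] == "retain"}
    for c in port.clients:
        if c.get("Authorized By") == "Authentication Server" and port.name in retained:
            f.append(f"{port.name}: {c['Supplicant']} shown as server-authorized, but the "
                     f"session was retained by critical-auth after a failed re-auth")
    return f

if __name__ == "__main__":
    for sample in (SHOW_SERVER, SHOW_CRITICAL):
        for line in audit(parse_dot1x_detail(sample), DEBUG):
            print(line)
```

The two findings worth polling for during a RADIUS outage are the ones the thread's own output shows: after "dot1x initialize" the port is "Authorized By = Critical-Auth" with the host mode forced to MULTI_HOST and, with no critical VLAN defined, it stays in access VLAN 101, so anything plugged into that port forwards until the recovery action reinitializes it; after "dot1x re-authenticate" the show output still reports "Authentication Server" even though the debug shows the session was only retained because the server failed to answer.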