Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Fallback to local vlan if radius server dead

Hi

 

I'm currently trying to setup a dot1x lab environment with a CS ACS 5.4. Now I have the following problem: I'd like to use the command "authentication event server dead action reinitialize vlan 180" if the radius server is dead. On my switch interface I'm using a default ACL for restricting the network access before authorization.

After Authorization the switch uses the donwloadable ACL from the CS ACS. But now if the ACS is not available, there is no ACL to download and the default ACL will block the traffic on the port. Is there any way to solve this issue?

Here my configuraitons.

Port:

interface GigabitEthernet1/0/2
 description ACCESS
 switchport access vlan 180
 switchport mode access
 ip access-group ACL_DEFAULT in
 authentication event fail action next-method
 authentication event server dead action authorize
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 no snmp trap link-status
 dot1x pae authenticator
 dot1x timeout tx-period 10
 storm-control broadcast level 30.00
 spanning-tree portfast
 spanning-tree bpduguard enable

 

ACL:

Extended IP access list ACL_DEFAULT
    10 permit udp any eq bootpc any eq bootps
    20 permit udp any any eq domain
    30 permit icmp any any
    40 permit udp any any eq tftp
    50 permit ip any host 10.10.10.10
    60 deny ip any any

 

Everyone's tags (1)
3 REPLIES
Cisco Employee

If you are using 3k/4k/6k

If you are using 3k/4k/6k family switch you can accomplish this via an eem script. Here is a good example from Cisco Live:

event manager applet default-acl-fallback
 event syslog pattern "%RADIUS-4-RADIUS_DEAD" maxrun 5
 action 1.0 cli command "enable"
 action 1.1 cli command "conf t" pattern "CNTL/Z."
 action 2.0 cli command "ip access-list extended ACL-DEFAULT"
 action 3.0 cli command "1 permit ip any any"
 action 4.0 cli command "end"
!
event manager applet default-acl-recovery event syslog pattern "%RADIUS-4-RADIUS_ALIVE" maxrun 5
 action 1.0 cli command "enable"
 action 1.1 cli command "conf t" pattern "CNTL/Z."
 action 2.0 cli command "ip access-list extended ACL-DEFAULT"
 action 3.0 cli command "no 1 permit ip any any"
 action 4.0 cli command "end"

Btw, why do you need the pre-auth ACL?  If you are running in "closed" mode not traffic outside of EAPoL is allowed on the port until successful authentication.

 

Thank you for rating helpful posts!

Thank you for rating helpful posts!
New Member

HiI'm configuring this on a

Hi

I'm configuring this on a catalyst 2960S, so I think I can't use this eem script. I need this ACL that the MAC Authentication Bypass triffic can be sent to the CS ACS. If I wouldn't configure this ACL, I think the client e.g. a printer won't be able to communicate with the CS ACS when using MAB. Is that correct or did I make a mistake?

Any other hint?

Cisco Employee

The command authentication

The command authentication event fail action next-method would allow MAB through after 802.1x times out. Printers and other similar devices that don't support 802.1x will not respond to the EAPoL request and will timeout after the 3 times the configured 802.1x timeout timer runs out. In your situation that would be 30 seconds (3x10). In order to make sure that devices don't timeout on DHCP you can lower the timer to 7 seconds. So you should be good to go without the ACL. Give it a try :)

 

Thank you for rating helpful posts!

Thank you for rating helpful posts!
217
Views
0
Helpful
3
Replies
CreatePlease login to create content