I'm currently trying to set up a dot1x lab environment with a CS ACS 5.4. Now I have the following problem: I'd like to use the command "authentication event server dead action reinitialize vlan 180" if the RADIUS server is dead. On my switch interface I'm using a default ACL for restricting the network access before authorization.
After authorization the switch uses the downloadable ACL from the CS ACS. But now if the ACS is not available, there is no ACL to download and the default ACL will block the traffic on the port. Is there any way to solve this issue?
Here are my configurations.
interface GigabitEthernet1/0/2
 description ACCESS
 switchport access vlan 180
 switchport mode access
 ip access-group ACL_DEFAULT in
 authentication event fail action next-method
 authentication event server dead action authorize
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 no snmp trap link-status
 dot1x pae authenticator
 dot1x timeout tx-period 10
 storm-control broadcast level 30.00
 spanning-tree portfast
 spanning-tree bpduguard enable

Extended IP access list ACL_DEFAULT
    10 permit udp any eq bootpc any eq bootps
    20 permit udp any any eq domain
    30 permit icmp any any
    40 permit udp any any eq tftp
    50 permit ip any host 10.10.10.10
    60 deny ip any any
I'm configuring this on a Catalyst 2960S, so I think I can't use this EEM script. I need this ACL so that the MAC Authentication Bypass traffic can be sent to the CS ACS. If I didn't configure this ACL, I think the client, e.g. a printer, wouldn't be able to communicate with the CS ACS when using MAB. Is that correct or did I make a mistake?
The command authentication event fail action next-method would allow MAB through after 802.1x times out. Printers and other similar devices that don't support 802.1x will not respond to the EAPoL request and will time out after three times the configured 802.1x timeout timer runs out. In your situation that would be 30 seconds (3x10). In order to make sure that devices don't time out on DHCP you can lower the timer to 7 seconds. So you should be good to go without the ACL. Give it a try :)
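As an added example (not code from the thread or from Cisco), a small Python check that reads an interface stanza like the one posted above and reports the dot1x-to-MAB fallback delay, tx-period x (max-reauth-req + 1), which is the 3x10 = 30 s the reply mentions, plus the server-dead/pre-auth ACL interaction the question describes. The sample stanza, the 30 s DHCP threshold and the function names are constructed assumptions.

```python
import re

# Constructed sample: the interface stanza from the thread, one command per line.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/2
 switchport access vlan 180
 ip access-group ACL_DEFAULT in
 authentication event server dead action authorize
 authentication order dot1x mab
 mab
 dot1x timeout tx-period 10
"""

DEFAULT_TX_PERIOD = 30      # IOS default 'dot1x timeout tx-period' (seconds)
DEFAULT_MAX_REAUTH_REQ = 2  # IOS default 'dot1x max-reauth-req'

def parse_interface(config):
    """Pull the dot1x/MAB-relevant settings out of an interface stanza."""
    s = {"tx_period": DEFAULT_TX_PERIOD, "max_reauth_req": DEFAULT_MAX_REAUTH_REQ,
         "mab": False, "order": [], "dead_action": None, "pre_auth_acl": None}
    for line in map(str.strip, config.splitlines()):
        if m := re.fullmatch(r"dot1x timeout tx-period (\d+)", line):
            s["tx_period"] = int(m.group(1))
        elif m := re.fullmatch(r"dot1x max-reauth-req (\d+)", line):
            s["max_reauth_req"] = int(m.group(1))
        elif line == "mab":
            s["mab"] = True
        elif m := re.fullmatch(r"authentication order (.+)", line):
            s["order"] = m.group(1).split()
        elif m := re.fullmatch(r"authentication event server dead action (.+)", line):
            s["dead_action"] = m.group(1)
        elif m := re.fullmatch(r"ip access-group (\S+) in", line):
            s["pre_auth_acl"] = m.group(1)
    return s

def mab_fallback_seconds(s):
    """Seconds before a silent host is tried with MAB: tx-period x (max-reauth-req + 1)."""
    return s["tx_period"] * (s["max_reauth_req"] + 1)

def audit(config, dhcp_deadline=30):
    """Return (settings, findings); dhcp_deadline is an assumed client DHCP give-up time."""
    s = parse_interface(config)
    findings = []
    if "mab" in s["order"] and not s["mab"]:
        findings.append("mab is in the authentication order but not enabled on the port")
    if mab_fallback_seconds(s) >= dhcp_deadline:
        findings.append(f"dot1x->MAB fallback of {mab_fallback_seconds(s)}s may outlast DHCP")
    if s["pre_auth_acl"] and s["dead_action"] == "authorize":
        findings.append(f"server-dead 'authorize' keeps static ACL {s['pre_auth_acl']}; no dACL")
    return s, findings
```

Running `audit(SAMPLE_CONFIG)` flags the 30 s fallback; replacing `tx-period 10` with `tx-period 7` (21 s) clears that finding while the static-ACL finding remains.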