Inaccessible Authentication Bypass Feature Wrong Behaviour - CAT2960

ramiro_ortiz
Level 1

I'm doing some tests with the new 802.1x authentication features in the CAT2960 switch and IOS firmware file 'c2960-lanbase-mz.122-25.SEE.bin'.

In particular, I've configured the 'Inaccessible Authentication Bypass' feature. What is wrong with it is that when the RADIUS server is not available I'm not redirected to the configured critical VLAN but to the default access VLAN configured on the port. I've checked whether there's some related bug, but unsuccessfully.

The configuration that I have is (summarized):

aaa new-model
aaa authentication dot1x default group radius none
aaa authorization network default group radius none
(..)
dot1x system-auth-control
dot1x critical recovery delay 2000
dot1x critical eapol
(..)
interface FastEthernet0/5
 switchport mode access
 dot1x critical
 dot1x critical recovery action reinitialize
 dot1x pae authenticator
 dot1x port-control auto
 dot1x timeout reauth-period 60
 dot1x reauthentication
 dot1x guest-vlan 5
 dot1x auth-fail vlan 3
 dot1x auth-fail max-attempts 2
 dot1x critical vlan 6
 spanning-tree portfast
(..)
radius-server dead-criteria time 30 tries 20
radius-server host 10.0.1.20 auth-port 1812 acct-port 1813
radius-server source-ports 1645-1646
radius-server key xxx
(..)

2 Replies

thomas.chen
Level 6

I think, based on the command "aaa authentication dot1x default group radius none" in your configuration, that if the RADIUS server is unavailable you do not undergo any authentication check. So all are permitted without any authentication or authorization check.

Can you recheck this command to suit your requirement?

jafrazie
Cisco Employee

The only thing I see that's missing is part of the radius-server definition:

It should look something like:

radius-server host 10.0.1.20 auth-port 1812 acct-port 1813 test username blah key blah

Because you only have one RADIUS server defined, you need this test option if the radius-server deadtime is not configured or not operational, because the dead-time is zero with only one server defined.

But the test option above should send a probe request to RADIUS before blindly considering it alive again.

End result, you SHOULD see something like this based on the rest of your config:

Switch#sho dot1x int f0/5 details
Dot1x Authenticator Client List
-------------------------------
Supplicant = blah.blah.blah
Auth SM State = AUTHENTICATED
Auth BEND SM State = IDLE
Port Status = AUTHORIZED
Authentication Method = Dot1x
Authorized By = Critical-Auth
Operational HostMode = MULTI_HOST
Vlan Policy = 6

Hope this helps,
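The two replies above point at two separate ways a config can defeat critical auth: the `none` fallback in the method lists (thomas.chen's point), and RADIUS dead detection that never fires because the single server has no test user and no deadtime (jafrazie's point). The script below is an added example written for this thread, not code from either poster or from Cisco. It embeds the summarized configuration from the original post as a constructed string, derives a hardened variant from it, and audits both for those patterns. The names `probe-user`, `idle-time 5` and `deadtime 10` in the hardened variant are placeholders chosen for this example, not values from the thread.

```python
"""Audit a Cisco IOS config for settings that defeat Inaccessible
Authentication Bypass (critical auth). Added example for this thread, not
code from the original posters or from Cisco."""
import re

# Constructed from the summarized configuration in the original post.
ORIGINAL_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius none
aaa authorization network default group radius none
dot1x system-auth-control
dot1x critical recovery delay 2000
dot1x critical eapol
interface FastEthernet0/5
 switchport mode access
 dot1x critical
 dot1x critical recovery action reinitialize
 dot1x pae authenticator
 dot1x port-control auto
 dot1x timeout reauth-period 60
 dot1x reauthentication
 dot1x guest-vlan 5
 dot1x auth-fail vlan 3
 dot1x auth-fail max-attempts 2
 dot1x critical vlan 6
 spanning-tree portfast
radius-server dead-criteria time 30 tries 20
radius-server host 10.0.1.20 auth-port 1812 acct-port 1813
radius-server source-ports 1645-1646
radius-server key xxx
"""

# Hardened variant (assumption, written for this example): drop the 'none'
# fallback, give the single RADIUS host an automated test user, and set a
# non-zero deadtime so the server can actually be declared dead.
# 'probe-user', 'idle-time 5' and 'deadtime 10' are placeholders.
HARDENED_CONFIG = (
    ORIGINAL_CONFIG
    .replace("aaa authentication dot1x default group radius none",
             "aaa authentication dot1x default group radius")
    .replace("aaa authorization network default group radius none",
             "aaa authorization network default group radius")
    .replace("radius-server host 10.0.1.20 auth-port 1812 acct-port 1813",
             "radius-server host 10.0.1.20 auth-port 1812 acct-port 1813 "
             "test username probe-user idle-time 5 key xxx")
    + "radius-server deadtime 10\n"
)

# Method lists whose fallback decides what happens when RADIUS is unreachable.
METHOD_LIST_RE = re.compile(
    r"^aaa (authentication dot1x|authorization network) (\S+) (.*)$")


def interface_stanzas(lines):
    """Map each 'interface X' line to the list of its indented sub-commands."""
    stanzas, current = {}, None
    for line in lines:
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())
        else:
            current = None  # any unindented line closes the stanza
    return stanzas


def audit_critical_auth(config_text):
    """Return a list of findings; an empty list means no fail-open pattern found."""
    lines = config_text.splitlines()
    findings = []

    # 1. A 'none' method after 'group radius' succeeds without the server when
    #    RADIUS is unreachable, so the port is authorized into its access VLAN
    #    and the critical VLAN is never applied.
    for line in lines:
        m = METHOD_LIST_RE.match(line)
        if m and "none" in m.group(3).split():
            findings.append(f"fail-open method list: {line}")

    # 2. Dead detection: with deadtime at its default of 0 a server is never
    #    marked dead, and with a single host only an automated test user keeps
    #    the dead/alive state accurate.
    hosts = [ln for ln in lines if ln.startswith("radius-server host ")]
    if not any(ln.startswith("radius-server deadtime ") for ln in lines):
        findings.append("radius-server deadtime not set: server is never marked dead")
    if not any(ln.startswith("radius-server dead-criteria ") for ln in lines):
        findings.append("radius-server dead-criteria not set")
    if len(hosts) == 1 and " test username " not in hosts[0]:
        findings.append(f"single RADIUS host without test username probe: {hosts[0]}")

    # 3. A port with critical auth enabled but no critical VLAN falls back to
    #    its access VLAN when the server is dead.
    for name, cmds in interface_stanzas(lines).items():
        if "dot1x critical" in cmds and not any(
                c.startswith("dot1x critical vlan ") for c in cmds):
            findings.append(f"{name}: dot1x critical enabled but no critical VLAN")
    return findings


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{label}] {len(audit_critical_auth(cfg))} finding(s)")
        for f in audit_critical_auth(cfg):
            print("  -", f)
```

Run against the posted config the audit reports the two `none` method lists, the missing deadtime and the un-probed single server; the hardened variant produces no findings. The per-interface check passes for Fa0/5 because `dot1x critical vlan 6` is present, which narrows the reported symptom to the global AAA and RADIUS settings rather than the port itself.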