Cisco Support Community
Community Member

Inaccessible Bypass Authentication configuration on the switch floods the failed auth log on the Radius

Hi all,

I have a little problem and hope there is a solution.

We are currently deploying 802.1x on all of our switches and are currently in the "test" phase where only the IT Department will use 802.1x.

In order to mitigate the problem when the Radius Server is not available for some reason, I configured Inaccessible Bypass Authentication on the switch to achieve the "critical authentication state" when the Radius Server is not available (so that my users can still work).

So I configured the switch to probe the Radius Server every 2 minutes to see if it is still reachable.

I used the following command:

radius-server host <auth port> <acct-port> test username admin (local configured user on the switch) idle-timeout 2 key xxx

The configuration works like a charm.

The problem I am experiencing is that this configuration floods my "failed attempts" log on the ACS 4.2 with a failed authentication every 2 minutes, and this is only for one switch. In the final state I will have approx. 200 switches, which would flood the log every 2 minutes with the failed attempts.

I wouldn't care about the logs, but the problem is that the employees in the Support Center must review the failed authentication log when a user calls because he cannot authenticate successfully. This would greatly impact the efficiency of the support personnel, as they have to browse tons of failed attempts from the switches' probing until they find the right entry.

According to the documentation, the switch sends an Access-Request with the configured username every 2 minutes. If the switch receives an Access-Reject from the Radius, the server is marked as alive. I cannot configure a password for the user, and I cannot create a local user on the Radius with a blank password. If this would work, the messages would appear in the "passed authentications" log, which would not be that bad, as the Support Center primarily needs to browse the "failed attempts" log.

So my question is:

Is there a way to circumvent the problem with the flooding of the failed attempts log?

Your help would be greatly appreciated.

Thanks in advance

Kind regards,
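
One way to keep the probe rejects out of the support desk's view is to filter a CSV export of the failed attempts log; this is an added example, not part of the original post and not Cisco tooling. The column names, the sample rows and the `MIN_GAP` tolerance are assumptions, and rejects for the probe username that arrive sooner than the 2-minute probe interval allows stay visible so that real failed logins under that name are not hidden.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

PROBE_USER = "admin"              # name given after "test username" in the post
MIN_GAP = timedelta(seconds=110)  # assumed: 2-minute probe interval minus jitter

# Constructed sample; column names are assumptions, not a real ACS 4.2 export.
SAMPLE_LOG = """\
Date,Time,User-Name,Authen-Failure-Code,NAS-IP-Address
01/15/2010,09:00:02,admin,CS password invalid,10.0.0.11
01/15/2010,09:00:40,jdoe,CS password invalid,10.0.0.11
01/15/2010,09:02:02,admin,CS password invalid,10.0.0.11
01/15/2010,09:02:05,admin,CS password invalid,10.0.0.12
01/15/2010,09:02:20,admin,CS password invalid,10.0.0.11
01/15/2010,09:03:17,asmith,CS user unknown,10.0.0.12
01/15/2010,09:04:02,admin,CS password invalid,10.0.0.11
"""

def split_failed_attempts(log_text, probe_user=PROBE_USER, min_gap=MIN_GAP):
    """Return (review_rows, probe_counts) for rows in chronological order.

    review_rows: failures the support desk should read, including rejects for
    the probe name that follow a probe too closely to be a probe themselves.
    probe_counts: number of probe rejects hidden per switch (NAS IP).
    """
    review_rows, probe_counts, last_probe = [], Counter(), {}
    for row in csv.DictReader(io.StringIO(log_text)):
        nas = row["NAS-IP-Address"]
        when = datetime.strptime(row["Date"] + " " + row["Time"],
                                 "%m/%d/%Y %H:%M:%S")
        is_probe_name = row["User-Name"].strip().lower() == probe_user.lower()
        on_schedule = nas not in last_probe or when - last_probe[nas] >= min_gap
        if is_probe_name and on_schedule:
            last_probe[nas] = when      # accepted as a keepalive probe
            probe_counts[nas] += 1
        else:
            review_rows.append(row)     # user failure or off-schedule reject
    return review_rows, probe_counts

if __name__ == "__main__":
    rows, probes = split_failed_attempts(SAMPLE_LOG)
    for r in rows:
        print(r["Date"], r["Time"], r["User-Name"], r["NAS-IP-Address"],
              r["Authen-Failure-Code"])
    print("probe rejects hidden per switch:", dict(probes))
```
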

