Cisco Support Community

Dot1x inaccessible authentication bypass auth-fail problem with 4510R-E Sup 6-E 12.2(54)SG

We have a problem with Catalyst 4510R-E, Sup 6-E, IOS 12.2(54)SG (the same issue repeats with IOS 12.2(53)SG3 as well) dot1x authentication when the RADIUS server is inaccessible. The switch port simply doesn’t go into the auth-failed VLAN, but stays in access VLAN 40.

The same configuration with a 3750 switch and IOS 12.2(55)SE works.

Below is the configuration of the switch:

aaa group server radius dot1x
 server-private 10.200.1.27 key 7 1
 server-private 10.200.1.26 key 7 1
 ip vrf forwarding data
 ip radius source-interface Vlan100
!
aaa authentication dot1x default group dot1x
aaa authorization network default none

interface GigabitEthernet1/48
 description TEST DOT1X
 switchport access vlan 40
 switchport mode access
 authentication event server dead action authorize vlan 240
 authentication event server alive action reinitialize
 authentication port-control auto
 dot1x pae authenticator
 dot1x timeout server-timeout 10
 dot1x timeout tx-period 10
 dot1x timeout start-period 20
 spanning-tree portfast

interface Vlan40
 ip vrf forwarding data
 ip address 10.10.10.1 255.255.255.0

ip radius source-interface Vlan100 vrf data
radius-server dead-criteria time 3 tries 2
radius-server host 10.200.1.27 auth-port 1645 acct-port 1646 test username admin idle-time 1
radius-server host 10.200.1.26 auth-port 1645 acct-port 1646 test username admin idle-time 1
radius-server deadtime 3
dot1x system-auth-control
dot1x critical eapol

Does anyone have an idea what we could do to resolve this?
