topic Authentication Open Failure in Network Access Control

Authentication Open Failure

Nicholas Copeland — Mon, 11 Mar 2019 02:40:49 GMT

Is there away to stop the port from reauthenticating when a device fails to open. I am trying to set up low-impact mode on a wired network. And I have some WYSE terminals that I don't want to authenticate to the network so I would like them to fail open with an ACL limiting their access. However the switch continues to try and authenticate the device even after it has failed authentication. This is causing my logs on ISE to be full of bogus authentication failures. Is there a way to limit thoses errors or the the switchport from trying to reauthenticate? Below is the switchport config.

switchport access vlan 33

switchport mode access

switchport voice vlan 233

ip access-group ACL-DEFAULT in

authentication event fail retry 1 action next-method

authentication event server dead action authorize vlan 33

authentication event server alive action reinitialize

authentication host-mode multi-auth

authentication open

authentication order dot1x mab

authentication priority dot1x mab

authentication port-control auto

authentication timer reauthenticate server

authentication violation restrict

mab

dot1x pae authenticator

dot1x timeout tx-period 10

spanning-tree portfast

Authentication Open Failure

kussriva — Tue, 16 Oct 2012 23:13:39 GMT

Hi Nicolas,

You can configure a Restricted VLAN using the command "authentication event fail action authorize vlan (number)" and limit the access for that vlan using ACLs.

You can refer to

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_58_se/configuration/guide/sw8021x.html#wp1179086 for more info.

HTH,

Regards,

Kush

Authentication Open Failure

Nicholas Copeland — Wed, 17 Oct 2012 13:51:44 GMT

Perfect. I thought that would fail it from trying to do MAB. But it still runs through the order and then fails back to the VLAN.