topic Refer. the Auth fail config. in Network Access Control

Cisco ISE - Reauthentication of client if server becomes alive again

Wissam Bteich — Mon, 11 Mar 2019 02:45:50 GMT

Dears,

I have this case where Cisco ISE server is used to authenticate & authorize clients on the network.

I configured the switch port to authorize the client in case the ISE server is dead (or not reachable).

The thing is that I want to reauthenticate the client once the ISE server becomes alive again but I am not able to.. ("Additional Information is needed to connect to this network" bullet is not appearing and the client PC remains authenticated and assigned to the VLAN.

Below is the switch port configuration:

interface FastEthernet0/5

switchport access vlan 240

switchport mode access

switchport voice vlan 156

authentication event server dead action authorize vlan 240

authentication event server alive action reinitialize

authentication host-mode multi-domain

authentication order dot1x mab

authentication priority mab

authentication port-control auto

mab

dot1x pae authenticator

spanning-tree portfast

Anyone can help?

Regards,

Did you get a fix for this?

mlovellette — Wed, 28 May 2014 05:00:30 GMT

Did you get a fix for this? I am running into the same issue running 12.2(55)SE9.

Refer. the Auth fail config.

Saurav Lodh — Wed, 28 May 2014 09:50:00 GMT

Refer. the Auth fail config. ,, while Radius is down ,

https://supportforums.cisco.com/discussion/9994111/8021x-critical-authentication-feature-12225see

Please check whether the

mohanak — Mon, 02 Jun 2014 11:01:26 GMT

Please check whether the switch is dropping the connection or the server.

Symptoms or Issue

802.1X and MAB authentication and authorization are successful, but the switch is dropping active sessions and the epm session summary command does not display any active sessions.

Conditions

This applies to user sessions that have logged in successfully and are then being terminated by the switch.

Possible Causes

•The preauthentication ACL (and the subsequent DACL enforcement from Cisco ISE) on the NAD may not be configured correctly for that session.

•The preauthentication ACL is configured and the DACL is downloaded from Cisco ISE, but the switch brings the session down.

•Cisco ISE may be enforcing a preposture VLAN assignment rather than the (correct) postposture VLAN, which can also bring down the session.

Resolution

•Ensure the Cisco IOS release on the switch is equal to or more recent than Cisco IOS Release 12.2.(53)SE.

•Check to see whether or not the DACL name in Cisco ISE contains a blank space (possibly around or near a hyphen "-"). There should be no space in the DACL name. Then ensure that the DACL syntax is correct and that it contains no extra spaces.

•Ensure that the following configuration exists on the switch to interpret the DACL properly (if not enabled, the switch may terminate the session):

radius-server attribute 6 on-for-login-auth

radius-server attribute 8 include-in-access-req

radius-server attribute 25 access-request include

radius-server vsa send accounting

radius-server vsa send authentication

Just noticed your config has

Stephen McBride — Mon, 02 Jun 2014 22:15:44 GMT

Just noticed your config has "authentication priority mab"

Try "authentication priority dot1x mab"

Not 100% but I would suggest this could be your problem

what is switch model and

Venkatesh Attuluri — Wed, 04 Jun 2014 17:17:07 GMT

what is switch model and software version