https://community.cisco.com/t5/network-access-control/dot1x-server-dead-if-client-is-unknown/m-p/1747506#M223622 <P>Hi there</P><P></P><P><STRONG>Situation</STRONG></P><P></P><P>I configured dot1x with ACS 5.2 on a WS-C3750X-24P (12.2(58)SE1). I configured EAP-TLS and MAB for a port with the following configurations. It looks like this: access port -&gt; ip phone -&gt; client</P><P></P><P><STRONG>General Configuration</STRONG></P><P></P><P> switchport access vlan 1421</P><P> switchport mode access</P><P> authentication event fail action authorize vlan 2329</P><P> authentication event server dead action authorize vlan 2329</P><P> authentication event no-response action authorize vlan 2329</P><P> authentication event server alive action reinitialize </P><P> authentication port-control auto</P><P> authentication periodic</P><P> authentication timer reauthenticate server</P><P> authentication violation protect</P><P> mab</P><P> dot1x pae authenticator</P><P> dot1x timeout tx-period 5</P><P> spanning-tree portfast</P><P> spanning-tree bpduguard enable</P><P></P><P><STRONG style="border-collapse: collapse;">Port Configuration</STRONG></P><P></P><P> switchport access vlan x</P><P> switchport mode access</P><P> authentication event fail action authorize vlan 2329</P><P> authentication event server dead action authorize vlan 2329</P><P> authentication event no-response action authorize vlan 2329</P><P> authentication event server alive action reinitialize </P><P> authentication port-control auto</P><P> authentication periodic</P><P> authentication timer reauthenticate server</P><P> authentication violation protect</P><P> mab</P><P> dot1x pae authenticator</P><P> dot1x timeout tx-period 5</P><P> spanning-tree portfast</P><P> spanning-tree bpduguard enable</P><P></P><P><SPAN style="border-collapse: collapse;"><STRONG>Problem</STRONG></SPAN></P><P></P><P>If there is a know client (either client certificates installed or MAC address configured on ACS 5.2), everything works fine. As soon as a unknown client connects, the radius servers are marked as dead. As soon as this happens, the know clients fail to connect too:</P><P></P><P>Oct 18 14:52:57.013 METDST: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Gi1/0/3 AuditSessionID xxx</P><P>Oct 18 14:52:57.013 METDST: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'dot1x' for client (Unknown MAC) on Interface Gi1/0/3 AuditSessionID xxx</P><P>Oct 18 14:52:57.013 METDST: %AUTHMGR-5-VLANASSIGN: VLAN 2329 assigned to Interface Gi1/0/3 AuditSessionID xxx</P><P>Oct 18 14:52:58.044 METDST: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (Unknown MAC) on Interface Gi1/0/3 AuditSessionID xxx</P><P>Oct 18 14:52:58.044 METDST: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (Unknown MAC) on Interface Gi1/0/3 AuditSessionID xxx</P><P>Oct 18 14:52:57.633 METDST: %AUTHMGR-5-VLANASSIGN: VLAN 2329 assigned to Interface Gi1/0/3 AuditSessionID Unassigned (xxx)</P><P>Oct 18 14:52:57.642 METDST: %AUTHMGR-5-VLANASSIGN: VLAN 2329 assigned to Interface Gi1/0/3 AuditSessionID Unassigned (xxx)</P><P>Oct 18 14:52:57.709 METDST: %AUTHMGR-5-VLANASSIGN: VLAN 2329 assigned to Interface Gi1/0/3 AuditSessionID Unassigned (xxx)</P><P>Oct 18 14:52:58.967 METDST: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/3, changed state to up</P><P>Oct 18 14:52:59.974 METDST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/3, changed state to up</P><P>Oct 18 14:53:04.218 METDST: %AUTHMGR-5-START: Starting 'dot1x' for client (xxxx.yyyy.zzzz) on Interface Gi4/0/3 AuditSessionID 0A00050B0000001E19DB9EE8</P><P>Oct 18 14:53:04.218 METDST: %DOT1X-5-FAIL: Authentication failed for client (xxxx.yyyy.zzzz) on Interface Gi4/0/3 AuditSessionID xxx</P><P>Oct 18 14:53:04.218 METDST: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'dot1x' for client (0023.7d10.9a6f) on Interface Gi4/0/3 AuditSessionID xxx</P><P>Oct 18 14:53:05.250 METDST: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (xxxx.yyyy.zzzz) on Interface Gi4/0/3 AuditSessionID xxx</P><P>Oct 18 14:53:05.250 METDST: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (xxxx.yyyy.zzzz) on Interface Gi4/0/3 AuditSessionID xxx</P><P></P><P>Does anybody know if I configured something wrong (see config above) or if there is a bug?</P><P></P><P>Thanks a lot and best regards</P><P>Dominic</P> Mon, 11 Mar 2019 01:29:22 GMT Dominic Stalder (old profile) 2019-03-11T01:29:22Z https://community.cisco.com/t5/network-access-control/dot1x-server-dead-if-client-is-unknown/m-p/1747506#M223622 <P>Hi there</P><P></P><P><STRONG>Situation</STRONG></P><P></P><P>I configured dot1x with ACS 5.2 on a WS-C3750X-24P (12.2(58)SE1). I configured EAP-TLS and MAB for a port with the following configurations. It looks like this: access port -&gt; ip phone -&gt; client</P><P></P><P><STRONG>General Configuration</STRONG></P><P></P><P> switchport access vlan 1421</P><P> switchport mode access</P><P> authentication event fail action authorize vlan 2329</P><P> authentication event server dead action authorize vlan 2329</P><P> authentication event no-response action authorize vlan 2329</P><P> authentication event server alive action reinitialize </P><P> authentication port-control auto</P><P> authentication periodic</P><P> authentication timer reauthenticate server</P><P> authentication violation protect</P><P> mab</P><P> dot1x pae authenticator</P><P> dot1x timeout tx-period 5</P><P> spanning-tree portfast</P><P> spanning-tree bpduguard enable</P><P></P><P><STRONG style="border-collapse: collapse;">Port Configuration</STRONG></P><P></P><P> switchport access vlan x</P><P> switchport mode access</P><P> authentication event fail action authorize vlan 2329</P><P> authentication event server dead action authorize vlan 2329</P><P> authentication event no-response action authorize vlan 2329</P><P> authentication event server alive action reinitialize </P><P> authentication port-control auto</P><P> authentication periodic</P><P> authentication timer reauthenticate server</P><P> authentication violation protect</P><P> mab</P><P> dot1x pae authenticator</P><P> dot1x timeout tx-period 5</P><P> spanning-tree portfast</P><P> spanning-tree bpduguard enable</P><P></P><P><SPAN style="border-collapse: collapse;"><STRONG>Problem</STRONG></SPAN></P><P></P><P>If there is a know client (either client certificates installed or MAC address configured on ACS 5.2), everything works fine. As soon as a unknown client connects, the radius servers are marked as dead. As soon as this happens, the know clients fail to connect too:</P><P></P><P>Oct 18 14:52:57.013 METDST: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Gi1/0/3 AuditSessionID xxx</P><P>Oct 18 14:52:57.013 METDST: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'dot1x' for client (Unknown MAC) on Interface Gi1/0/3 AuditSessionID xxx</P><P>Oct 18 14:52:57.013 METDST: %AUTHMGR-5-VLANASSIGN: VLAN 2329 assigned to Interface Gi1/0/3 AuditSessionID xxx</P><P>Oct 18 14:52:58.044 METDST: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (Unknown MAC) on Interface Gi1/0/3 AuditSessionID xxx</P><P>Oct 18 14:52:58.044 METDST: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (Unknown MAC) on Interface Gi1/0/3 AuditSessionID xxx</P><P>Oct 18 14:52:57.633 METDST: %AUTHMGR-5-VLANASSIGN: VLAN 2329 assigned to Interface Gi1/0/3 AuditSessionID Unassigned (xxx)</P><P>Oct 18 14:52:57.642 METDST: %AUTHMGR-5-VLANASSIGN: VLAN 2329 assigned to Interface Gi1/0/3 AuditSessionID Unassigned (xxx)</P><P>Oct 18 14:52:57.709 METDST: %AUTHMGR-5-VLANASSIGN: VLAN 2329 assigned to Interface Gi1/0/3 AuditSessionID Unassigned (xxx)</P><P>Oct 18 14:52:58.967 METDST: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/3, changed state to up</P><P>Oct 18 14:52:59.974 METDST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/3, changed state to up</P><P>Oct 18 14:53:04.218 METDST: %AUTHMGR-5-START: Starting 'dot1x' for client (xxxx.yyyy.zzzz) on Interface Gi4/0/3 AuditSessionID 0A00050B0000001E19DB9EE8</P><P>Oct 18 14:53:04.218 METDST: %DOT1X-5-FAIL: Authentication failed for client (xxxx.yyyy.zzzz) on Interface Gi4/0/3 AuditSessionID xxx</P><P>Oct 18 14:53:04.218 METDST: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'dot1x' for client (0023.7d10.9a6f) on Interface Gi4/0/3 AuditSessionID xxx</P><P>Oct 18 14:53:05.250 METDST: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (xxxx.yyyy.zzzz) on Interface Gi4/0/3 AuditSessionID xxx</P><P>Oct 18 14:53:05.250 METDST: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (xxxx.yyyy.zzzz) on Interface Gi4/0/3 AuditSessionID xxx</P><P></P><P>Does anybody know if I configured something wrong (see config above) or if there is a bug?</P><P></P><P>Thanks a lot and best regards</P><P>Dominic</P> Mon, 11 Mar 2019 01:29:22 GMT https://community.cisco.com/t5/network-access-control/dot1x-server-dead-if-client-is-unknown/m-p/1747506#M223622 Dominic Stalder (old profile) 2019-03-11T01:29:22Z https://community.cisco.com/t5/network-access-control/dot1x-server-dead-if-client-is-unknown/m-p/1747507#M223624 <HTML><HEAD></HEAD><BODY><P>I found the problem, the ACS configuration was wrong, I wrongly configured "If user not found" to Drop instead of Reject.</P><P></P><P>Best regards</P><P>Dominic</P></BODY></HTML> Wed, 26 Oct 2011 08:46:34 GMT https://community.cisco.com/t5/network-access-control/dot1x-server-dead-if-client-is-unknown/m-p/1747507#M223624 Dominic Stalder (old profile) 2011-10-26T08:46:34Z