https://community.cisco.com/t5/network-access-control/ibns-2-0-and-switch-configuration/m-p/3095414#M25404 <P>I am building a&nbsp;dot1x configuration for my switches. &nbsp;I am using the new-style (authentication display config-mode). &nbsp;I have built the configuration to work correctly for MAB and dot1x authenticates successfully. &nbsp;I am at the point of creating the configuration to handle the exceptions. &nbsp;Currently I am focused on if the AAA server is down.</P> <P></P> <P>So does any have any sample configurations on how to fail open when the AAA server is down? &nbsp;Possibly try retry authentication after a period of time.</P> <P></P> <P>The current configuration is below. &nbsp;My (failed) attempts to included proper handling of the AAA being down are included.</P> <P></P> <P>class-map type control subscriber match-all DOT1X_NO_RESP<BR /> match method dot1x<BR /> match result-type method dot1x agent-not-found<BR />class-map type control subscriber match-all MAB_FAILED<BR /> match method mab<BR /> match result-type method mab authoritative<BR />class-map type control subscriber match-all SERVER_DOWN<BR /> match result-type aaa-timeout<BR />class-map type control subscriber match-all dot1x_FAILED_PASSWORD<BR /> match method dot1x<BR /> match result-type authoritative</P> <P></P> <P>policy-map type control subscriber user_default<BR /> event session-started match-all<BR /> 10 class always do-until-failure<BR /> 10 authenticate using dot1x priority 10<BR /> 20 authenticate using mab priority 20<BR /> event authentication-failure match-first<BR /> 10 class SERVER_DOWN do-until-failure<BR /> 10 authorize<BR /> 20 class MAB_FAILED do-until-failure<BR /> 10 terminate mab<BR /> 20 activate service-template null_vlan<BR /> 30 authentication-restart 60<BR /> 30 class always do-until-failure<BR /> 10 terminate dot1x<BR /> 20 terminate mab<BR /> 30 activate service-template null_vlan<BR /> 40 authentication-restart 60<BR /> event agent-found match-all<BR /> 10 class always do-until-failure<BR /> 10 terminate mab<BR /> 20 authenticate using dot1x priority 10<BR /> event timer-expiry match-all<BR /> 10 class SERVER_DOWN do-until-failure<BR /> 10 authorize<BR /> event absolute-timeout match-all<BR /> 10 class SERVER_DOWN do-until-failure<BR /> 10 authorize</P> Mon, 11 Mar 2019 07:56:56 GMT rmeans 2019-03-11T07:56:56Z https://community.cisco.com/t5/network-access-control/ibns-2-0-and-switch-configuration/m-p/3095414#M25404 <P>I am building a&nbsp;dot1x configuration for my switches. &nbsp;I am using the new-style (authentication display config-mode). &nbsp;I have built the configuration to work correctly for MAB and dot1x authenticates successfully. &nbsp;I am at the point of creating the configuration to handle the exceptions. &nbsp;Currently I am focused on if the AAA server is down.</P> <P></P> <P>So does any have any sample configurations on how to fail open when the AAA server is down? &nbsp;Possibly try retry authentication after a period of time.</P> <P></P> <P>The current configuration is below. &nbsp;My (failed) attempts to included proper handling of the AAA being down are included.</P> <P></P> <P>class-map type control subscriber match-all DOT1X_NO_RESP<BR /> match method dot1x<BR /> match result-type method dot1x agent-not-found<BR />class-map type control subscriber match-all MAB_FAILED<BR /> match method mab<BR /> match result-type method mab authoritative<BR />class-map type control subscriber match-all SERVER_DOWN<BR /> match result-type aaa-timeout<BR />class-map type control subscriber match-all dot1x_FAILED_PASSWORD<BR /> match method dot1x<BR /> match result-type authoritative</P> <P></P> <P>policy-map type control subscriber user_default<BR /> event session-started match-all<BR /> 10 class always do-until-failure<BR /> 10 authenticate using dot1x priority 10<BR /> 20 authenticate using mab priority 20<BR /> event authentication-failure match-first<BR /> 10 class SERVER_DOWN do-until-failure<BR /> 10 authorize<BR /> 20 class MAB_FAILED do-until-failure<BR /> 10 terminate mab<BR /> 20 activate service-template null_vlan<BR /> 30 authentication-restart 60<BR /> 30 class always do-until-failure<BR /> 10 terminate dot1x<BR /> 20 terminate mab<BR /> 30 activate service-template null_vlan<BR /> 40 authentication-restart 60<BR /> event agent-found match-all<BR /> 10 class always do-until-failure<BR /> 10 terminate mab<BR /> 20 authenticate using dot1x priority 10<BR /> event timer-expiry match-all<BR /> 10 class SERVER_DOWN do-until-failure<BR /> 10 authorize<BR /> event absolute-timeout match-all<BR /> 10 class SERVER_DOWN do-until-failure<BR /> 10 authorize</P> Mon, 11 Mar 2019 07:56:56 GMT https://community.cisco.com/t5/network-access-control/ibns-2-0-and-switch-configuration/m-p/3095414#M25404 rmeans 2019-03-11T07:56:56Z https://community.cisco.com/t5/network-access-control/ibns-2-0-and-switch-configuration/m-p/3358131#M25405 <P>you can refer to the guide documented here:</P> <P><A href="https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-services/whitepaper_C11-729965.html" target="_blank">https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-services/whitepaper_C11-729965.html</A></P> <P>&nbsp;</P> <DIV class=" pBodyIndentCMT">it has sample configs and descriptions to reauth mab and dot1x automatically if radius is unreachable</DIV> Fri, 30 Mar 2018 16:05:55 GMT https://community.cisco.com/t5/network-access-control/ibns-2-0-and-switch-configuration/m-p/3358131#M25405 Sandeep Ramakrishnan 2018-03-30T16:05:55Z https://community.cisco.com/t5/network-access-control/ibns-2-0-and-switch-configuration/m-p/3774447#M25406 <P>Is there a newer version of the guide for ISE 2.x? I realize most things will be the same, but I'm curious if there are any differences.&nbsp;</P> Mon, 07 Jan 2019 21:19:48 GMT https://community.cisco.com/t5/network-access-control/ibns-2-0-and-switch-configuration/m-p/3774447#M25406 Michael Thornton 2019-01-07T21:19:48Z