https://community.cisco.com/t5/network-access-control/inaccesible-authentication-bypass-feature-wrong-behaviour/m-p/544950#M427561 <HTML><HEAD></HEAD><BODY><P>The only thing I see that's missing is part of the radius-server definition:</P><P></P><P>It should look soemthing like:</P><P>radius-server host 10.0.1.20 auth-port 1812 acct-port 1813 [username blah key blah]</P><P></P><P>B/c you only have one RADIUS server defined, you need this test option test if the radius-server deadtime is not configured or not operational, b/c the dead-time is zero with only one server defined. </P><P> </P><P>But the test option above should send a probe request to RADIUS before blindly considering it alive again.</P><P></P><P>End result, you SHOULD see something like this based on the rest of your config:</P><P></P><P>Switch#sho dot1x int f0/5 details</P><P><SNIP></SNIP></P><P>Dot1x Authenticator Client List</P><P>-------------------------------</P><P>Supplicant = blah.blah.blah</P><P> Auth SM State = AUTHENTICATED</P><P> Auth BEND SM Stat = IDLE</P><P>Port Status = AUTHORIZED</P><P>Authentication Method = Dot1x</P><P>Authorized By = Critical-Auth</P><P> </P><P>Operational HostMode = MULTI_HOST</P><P>Vlan Policy = 6</P><P></P><P>Hope this helps,</P></BODY></HTML> Tue, 28 Mar 2006 17:49:53 GMT jafrazie 2006-03-28T17:49:53Z https://community.cisco.com/t5/network-access-control/inaccesible-authentication-bypass-feature-wrong-behaviour/m-p/544948#M427557 <P>I´m doing some tests with the new 802.1x authentication feaures in the CAT2960 switch and IOS firmware file 'c2960-lanbase-mz.122-25.SEE.bin'. </P><P></P><P>In particular, I´ve configured the 'Inaccesible Authentication Bypass' feature. What is wrong with it is that when the RADIUS server is not available I´m not redirected to the configured critical VLAN but to the default access VLAN configured in the port. I´ve checked out whether there´s some bug related but unsuccessfully. </P><P></P><P>The configuraction that I have is (summarized): </P><P></P><P>aaa new-model</P><P>aaa authentication dot1x default group radius none</P><P>aaa authorization network default group radius none </P><P></P><P>(..)</P><P></P><P>dot1x system-auth-control</P><P>dot1x critical recovery delay 2000</P><P>dot1x critical eapol</P><P></P><P>(..)</P><P></P><P>interface FastEthernet0/5</P><P> switchport mode access</P><P> dot1x critical</P><P> dot1x critical recovery action reinitialize</P><P> dot1x pae authenticator</P><P> dot1x port-control auto</P><P> dot1x timeout reauth-period 60</P><P> dot1x reauthentication</P><P> dot1x guest-vlan 5</P><P> dot1x auth-fail vlan 3</P><P> dot1x auth-fail max-attempts 2</P><P> dot1x critical vlan 6</P><P> spanning-tree portfast</P><P> </P><P>(..)</P><P></P><P>radius-server dead-criteria time 30 tries 20</P><P>radius-server host 10.0.1.20 auth-port 1812 acct-port 1813</P><P>radius-server source-ports 1645-1646</P><P>radius-server key xxx</P><P></P><P>(..)</P><P></P><P></P><P></P> Sun, 10 Mar 2019 21:30:52 GMT https://community.cisco.com/t5/network-access-control/inaccesible-authentication-bypass-feature-wrong-behaviour/m-p/544948#M427557 ramiro_ortiz 2019-03-10T21:30:52Z https://community.cisco.com/t5/network-access-control/inaccesible-authentication-bypass-feature-wrong-behaviour/m-p/544949#M427559 <HTML><HEAD></HEAD><BODY><P>I think based on the command "aaa authentication dot1x default group radius none " in your configuration, if the radius server is unavailable, you are not undergone into any authentication check. So, all are permitted without any authentication or authorization check.</P><P></P><P>Can you recheck this command to suit your requirement?.</P></BODY></HTML> Mon, 27 Mar 2006 15:14:53 GMT https://community.cisco.com/t5/network-access-control/inaccesible-authentication-bypass-feature-wrong-behaviour/m-p/544949#M427559 thomas.chen 2006-03-27T15:14:53Z https://community.cisco.com/t5/network-access-control/inaccesible-authentication-bypass-feature-wrong-behaviour/m-p/544950#M427561 <HTML><HEAD></HEAD><BODY><P>The only thing I see that's missing is part of the radius-server definition:</P><P></P><P>It should look soemthing like:</P><P>radius-server host 10.0.1.20 auth-port 1812 acct-port 1813 [username blah key blah]</P><P></P><P>B/c you only have one RADIUS server defined, you need this test option test if the radius-server deadtime is not configured or not operational, b/c the dead-time is zero with only one server defined. </P><P> </P><P>But the test option above should send a probe request to RADIUS before blindly considering it alive again.</P><P></P><P>End result, you SHOULD see something like this based on the rest of your config:</P><P></P><P>Switch#sho dot1x int f0/5 details</P><P><SNIP></SNIP></P><P>Dot1x Authenticator Client List</P><P>-------------------------------</P><P>Supplicant = blah.blah.blah</P><P> Auth SM State = AUTHENTICATED</P><P> Auth BEND SM Stat = IDLE</P><P>Port Status = AUTHORIZED</P><P>Authentication Method = Dot1x</P><P>Authorized By = Critical-Auth</P><P> </P><P>Operational HostMode = MULTI_HOST</P><P>Vlan Policy = 6</P><P></P><P>Hope this helps,</P></BODY></HTML> Tue, 28 Mar 2006 17:49:53 GMT https://community.cisco.com/t5/network-access-control/inaccesible-authentication-bypass-feature-wrong-behaviour/m-p/544950#M427561 jafrazie 2006-03-28T17:49:53Z