https://community.cisco.com/t5/network-access-control/802-1x-fail-no-response-vs-dead-event/m-p/5271099#M595467 <P>I don't use IBNS 1.0 anymore - but here is my understanding of it. First of all, let's make sure we agree on what each <EM>event</EM> means:</P> <P><SPAN>The two events below relate to the endpoint's response to EAPOL frames</SPAN></P> <OL> <LI><SPAN>authentication event <STRONG>fail</STRONG> - there was EAPOL traffic, but RADIUS server replied with EAP FAIL</SPAN></LI> <LI><SPAN>authentication event <STRONG>no-response</STRONG> - the endpoint did not engage in any EAPOL conversation (no supplicant)</SPAN></LI> </OL> <P><SPAN>The two events below relate to the RADIUS server group</SPAN></P> <OL> <LI><SPAN>authentication event <STRONG>server dead</STRONG> - none of the servers in the aaa group replied</SPAN></LI> <LI><SPAN>authentication event <STRONG>server alive</STRONG> - at least one of the servers in the aaa group is responding again</SPAN></LI> </OL> <P><SPAN>If your endpoints are always triggering the first two events, then check the ISE Live Logs for clues - it appears that either the supplicant is not playing the game, or ISE is not handling the 802.1X correctly - either way, the switch concluded that 802.1X did not end in EAP Success.</SPAN></P> <P><SPAN>In the event of server dead, there is one IOS global command that you must also configure on all switches, to allow the switch to send EAP Success to endpoints to "fake" a success on behalf of the unavailable RADIUS server:</SPAN></P> <LI-CODE lang="markup">dot1x critical eapol</LI-CODE> <P>A good reference is <A href="https://community.cisco.com/t5/security-knowledge-base/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515" target="_self">this Cisco Guide</A> that talks in more detail about IBNS 1.0 and IBNS 2.0</P> <P>&nbsp;Regarding: "<SPAN><EM>Another question: the devices only ask once the credentials (I am testing without certificates atm). Would be possible to be asked twice in case the radius server returns a fail event</EM> ?" - if you were using Machine Authentication (for AD Domain Joined endpoints) then this would happen automatically and no user input required. But it sounds like you are doing user authentication - which&nbsp; BTW is not ideal for many reasons and in future will be disabled by Windows 11 (Credential Guard) - you can get around it but it's being discouraged for good reasons.&nbsp; I don't know how to make the Windows supplicant retry X number of times - there is no option in ISE to allow repeated attempts. An EAP fail is an EAP fail.&nbsp; I would recommend to use Machine Auth if your devices are domain joined. If not, then I would recommend certificate auth (EAP-TLS) or EAP-TEAP.</SPAN></P> Thu, 13 Mar 2025 21:50:29 GMT Arne Bier 2025-03-13T21:50:29Z https://community.cisco.com/t5/network-access-control/802-1x-fail-no-response-vs-dead-event/m-p/5270937#M595459 <P>Good afternoon everyone,</P><P>I am trying to configure 802.1x on my cisco 9300 sw 17.06.04.</P><P>Everything works ok but I can't make the server dead/alive critical event working together with the fail/no-response events.</P><P>My goal is to authorize devices on vlan 10, authorize fail or no-response devices on vlan 36 and to authorize device on vlan 10 in case of a critical situation where the aaa server are down.</P><P>Despite I have found several discussions describing exactly this scenario the fail or no-response events are always triggered (when configured) if the aaa servers are down.</P><P>Is my scenario possible or the fail and no-response events are not compatible with the server dead event ?</P><P>Another question: the devices only ask once the credentials (I am testing without certificates atm). Would be possible to be asked twice in case the radius server returns a fail event ?</P><P>Working configuration with only the critical condition:</P><P>switchport access vlan 10<BR />switchport mode access<BR />authentication control-direction in<BR />authentication event server dead action authorize<BR />authentication event server alive action reinitialize<BR />authentication host-mode multi-host<BR />authentication order dot1x<BR />authentication port-control auto<BR />authentication violation replace<BR />dot1x pae authenticator<BR />dot1x timeout tx-period 10<BR />dot1x max-req 1<BR />dot1x max-reauth-req 1<BR />spanning-tree portfast</P><P>In this configuration the Fail or no-response events triggers even if the servers are down:</P><P>switchport access vlan 10<BR />switchport mode access<BR />authentication event server dead action authorize<BR />authentication event fail retry 1 action authorize vlan 36<BR />authentication event no-response action authorize vlan 36<BR />authentication event server alive action reinitialize<BR />authentication host-mode multi-host<BR />authentication port-control auto<BR />authentication violation replace<BR />dot1x pae authenticator<BR />dot1x timeout tx-period 10<BR />dot1x max-req 1<BR />dot1x max-reauth-req 1<BR />spanning-tree portfast</P> Thu, 13 Mar 2025 15:45:34 GMT https://community.cisco.com/t5/network-access-control/802-1x-fail-no-response-vs-dead-event/m-p/5270937#M595459 ICTDAMICO 2025-03-13T15:45:34Z https://community.cisco.com/t5/network-access-control/802-1x-fail-no-response-vs-dead-event/m-p/5271099#M595467 <P>I don't use IBNS 1.0 anymore - but here is my understanding of it. First of all, let's make sure we agree on what each <EM>event</EM> means:</P> <P><SPAN>The two events below relate to the endpoint's response to EAPOL frames</SPAN></P> <OL> <LI><SPAN>authentication event <STRONG>fail</STRONG> - there was EAPOL traffic, but RADIUS server replied with EAP FAIL</SPAN></LI> <LI><SPAN>authentication event <STRONG>no-response</STRONG> - the endpoint did not engage in any EAPOL conversation (no supplicant)</SPAN></LI> </OL> <P><SPAN>The two events below relate to the RADIUS server group</SPAN></P> <OL> <LI><SPAN>authentication event <STRONG>server dead</STRONG> - none of the servers in the aaa group replied</SPAN></LI> <LI><SPAN>authentication event <STRONG>server alive</STRONG> - at least one of the servers in the aaa group is responding again</SPAN></LI> </OL> <P><SPAN>If your endpoints are always triggering the first two events, then check the ISE Live Logs for clues - it appears that either the supplicant is not playing the game, or ISE is not handling the 802.1X correctly - either way, the switch concluded that 802.1X did not end in EAP Success.</SPAN></P> <P><SPAN>In the event of server dead, there is one IOS global command that you must also configure on all switches, to allow the switch to send EAP Success to endpoints to "fake" a success on behalf of the unavailable RADIUS server:</SPAN></P> <LI-CODE lang="markup">dot1x critical eapol</LI-CODE> <P>A good reference is <A href="https://community.cisco.com/t5/security-knowledge-base/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515" target="_self">this Cisco Guide</A> that talks in more detail about IBNS 1.0 and IBNS 2.0</P> <P>&nbsp;Regarding: "<SPAN><EM>Another question: the devices only ask once the credentials (I am testing without certificates atm). Would be possible to be asked twice in case the radius server returns a fail event</EM> ?" - if you were using Machine Authentication (for AD Domain Joined endpoints) then this would happen automatically and no user input required. But it sounds like you are doing user authentication - which&nbsp; BTW is not ideal for many reasons and in future will be disabled by Windows 11 (Credential Guard) - you can get around it but it's being discouraged for good reasons.&nbsp; I don't know how to make the Windows supplicant retry X number of times - there is no option in ISE to allow repeated attempts. An EAP fail is an EAP fail.&nbsp; I would recommend to use Machine Auth if your devices are domain joined. If not, then I would recommend certificate auth (EAP-TLS) or EAP-TEAP.</SPAN></P> Thu, 13 Mar 2025 21:50:29 GMT https://community.cisco.com/t5/network-access-control/802-1x-fail-no-response-vs-dead-event/m-p/5271099#M595467 Arne Bier 2025-03-13T21:50:29Z