https://community.cisco.com/t5/network-access-control/authentication-event-server-dead-action-for-radius-group/m-p/3374360#M73105 <P>HI,&nbsp;</P> <P>&nbsp;</P> <P>What would happen in this scenario.</P> <P>&nbsp;</P> <P>Access port configured into VLAN50 "<STRONG>switchport access vlan 50</STRONG>"&nbsp; but the radius server dead configuration "<STRONG class="cCN_CmdName">authentication event server dead action</STRONG><SPAN>&nbsp;<STRONG>vlan 10.&nbsp;&nbsp;</STRONG>Vlan 10 does not exist on the switch however, only vlan 50.</SPAN></P> <P>&nbsp;</P> <P><SPAN>I've come across this config and it seemed to cause a problem, i'm just trying to find out why.&nbsp; This was the issue.&nbsp; ISE went unreachable&nbsp;from local switch.&nbsp; Only phones on the switch stayed authenticated.&nbsp; The PCs dropped off the network.</SPAN></P> <P>&nbsp;</P> <P><SPAN>When ISE came back up the PCs still didn't authenticate correctly.&nbsp; On ISE we saw the users as authenticated. But on the switchport, they were showing in an unknown state "show authentication sessions".&nbsp; Bouncing the port caused the users to re-authenticate, but still the port stayed in unknown state.&nbsp; The only work around was to remove the&nbsp;<STRONG class="cCN_CmdName">authentication event server dead action</STRONG>&nbsp;<STRONG>vlan 10 </STRONG>and then bounce the port.</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <P><SPAN>So I am trying to work out why this config may have caused this issue?&nbsp; Any ideas?</SPAN></P> <P>&nbsp;</P> <P><SPAN>Thanks</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 27 Apr 2018 09:08:29 GMT Stuart C 2018-04-27T09:08:29Z https://community.cisco.com/t5/network-access-control/authentication-event-server-dead-action-for-radius-group/m-p/2546202#M73092 <P>Hi,</P><P>Need help to understand "authentication event server dead " on interface configuration of the IOS.</P><P>I found this applies globally, I mean this condition is triggered if all radius servers are dead.</P><P>How if we want to make this condition for only one group of radius?</P><P>BR</P><P>Tomi</P> Mon, 11 Mar 2019 05:01:13 GMT https://community.cisco.com/t5/network-access-control/authentication-event-server-dead-action-for-radius-group/m-p/2546202#M73092 tomi.sirait 2019-03-11T05:01:13Z https://community.cisco.com/t5/network-access-control/authentication-event-server-dead-action-for-radius-group/m-p/2546203#M73094 <P>The command is used to configure action(s) that will be taken for ports configured for&nbsp;<STRONG>authentication&nbsp;</STRONG>in the event when all Radius servers become unavailable. For instance:</P><P><SPAN style="color: rgb(0, 0, 0); font-family: Arial, Helvetica, sans-serif; font-size: 12px; font-weight: bold; line-height: normal;">authentication event server dead action authorize vlan 55</SPAN></P><P><SPAN style="color: rgb(0, 0, 0); font-family: Arial, Helvetica, sans-serif; font-size: 12px; font-weight: bold; line-height: normal;">authentication event server alive action reinitialize&nbsp;</SPAN></P><P>With the above syntax, the configured port will be authorized/fail-open to VLAN 55 if/when the globally configured Radius servers become unavailable. Once the server(s) become available again all of the configured ports will be re-initialized, thus forcing them to perform regular dot1x/mab authentication.&nbsp;</P><P>The command is configured per-port and cannot be tied to a set of Radius servers. The radius servers used are configured under your global aaa commands.</P><P>Hope this helps</P><P>&nbsp;</P><P><EM>Thank you for rating helpful posts!</EM></P> Tue, 16 Sep 2014 00:36:32 GMT https://community.cisco.com/t5/network-access-control/authentication-event-server-dead-action-for-radius-group/m-p/2546203#M73094 nspasov 2014-09-16T00:36:32Z https://community.cisco.com/t5/network-access-control/authentication-event-server-dead-action-for-radius-group/m-p/2546204#M73098 <P>http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_55_se/configuration/guide/3750xscg/sw8021x.html#wp1274284</P><P>link explains the following command</P><P>authentication event server dead action {authorize | reinitialize} vlan vlan-id</P><P><BR />this is interface level&nbsp; command</P> Tue, 16 Sep 2014 11:24:47 GMT https://community.cisco.com/t5/network-access-control/authentication-event-server-dead-action-for-radius-group/m-p/2546204#M73098 Venkatesh Attuluri 2014-09-16T11:24:47Z https://community.cisco.com/t5/network-access-control/authentication-event-server-dead-action-for-radius-group/m-p/2546205#M73101 <P>hi Neno,</P> <P></P> <P>one small query here.</P> <P>now the command also gives &lt;cr&gt; on</P> <P><STRONG>authentication event server dead action authorize ?</STRONG></P> <P>so if i do not specify any VLAN what happens then???</P> <P>thanks,</P> <P>Nick</P> <P><STRONG></STRONG></P> Sun, 15 May 2016 08:23:04 GMT https://community.cisco.com/t5/network-access-control/authentication-event-server-dead-action-for-radius-group/m-p/2546205#M73101 niketan sutar 2016-05-15T08:23:04Z https://community.cisco.com/t5/network-access-control/authentication-event-server-dead-action-for-radius-group/m-p/3374360#M73105 <P>HI,&nbsp;</P> <P>&nbsp;</P> <P>What would happen in this scenario.</P> <P>&nbsp;</P> <P>Access port configured into VLAN50 "<STRONG>switchport access vlan 50</STRONG>"&nbsp; but the radius server dead configuration "<STRONG class="cCN_CmdName">authentication event server dead action</STRONG><SPAN>&nbsp;<STRONG>vlan 10.&nbsp;&nbsp;</STRONG>Vlan 10 does not exist on the switch however, only vlan 50.</SPAN></P> <P>&nbsp;</P> <P><SPAN>I've come across this config and it seemed to cause a problem, i'm just trying to find out why.&nbsp; This was the issue.&nbsp; ISE went unreachable&nbsp;from local switch.&nbsp; Only phones on the switch stayed authenticated.&nbsp; The PCs dropped off the network.</SPAN></P> <P>&nbsp;</P> <P><SPAN>When ISE came back up the PCs still didn't authenticate correctly.&nbsp; On ISE we saw the users as authenticated. But on the switchport, they were showing in an unknown state "show authentication sessions".&nbsp; Bouncing the port caused the users to re-authenticate, but still the port stayed in unknown state.&nbsp; The only work around was to remove the&nbsp;<STRONG class="cCN_CmdName">authentication event server dead action</STRONG>&nbsp;<STRONG>vlan 10 </STRONG>and then bounce the port.</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <P><SPAN>So I am trying to work out why this config may have caused this issue?&nbsp; Any ideas?</SPAN></P> <P>&nbsp;</P> <P><SPAN>Thanks</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 27 Apr 2018 09:08:29 GMT https://community.cisco.com/t5/network-access-control/authentication-event-server-dead-action-for-radius-group/m-p/3374360#M73105 Stuart C 2018-04-27T09:08:29Z https://community.cisco.com/t5/network-access-control/authentication-event-server-dead-action-for-radius-group/m-p/4434083#M568495 <P>Hi,</P><P>&nbsp;</P><P>This is critical auth for multi-domain:</P><P>&nbsp;</P><P>switchport mode access</P><P>switchport access vlan &lt;X&gt;</P><P><STRONG>authentication host-mode multi-domain</STRONG></P><P><STRONG>authentication event server dead action authorize</STRONG></P><P>authentication event server dead action authorize voice</P><P>authentication event server alive action reinitialize</P><P>&nbsp;</P><P>No need to specify the VLAN. It is the access port VLAN.</P><P>&nbsp;</P><P>This is critical auth for multi-auth:</P><P>&nbsp;</P><P>switchport access vlan &lt;X&gt;</P><P>switchport mode access</P><P><STRONG>authentication host-mode multi-auth</STRONG></P><P><STRONG>authentication event server dead action reinitialize vlan &lt;X&gt;</STRONG></P><P>authentication event server dead action authorize voice</P><P>authentication event server alive action reinitialize</P><P>&nbsp;</P><P>Please check you switchport config.</P><P>&nbsp;</P><P>BR,</P><P>Octavian</P><P>&nbsp;</P> Thu, 15 Jul 2021 22:06:23 GMT https://community.cisco.com/t5/network-access-control/authentication-event-server-dead-action-for-radius-group/m-p/4434083#M568495 Octavian Szolga 2021-07-15T22:06:23Z https://community.cisco.com/t5/network-access-control/authentication-event-server-dead-action-for-radius-group/m-p/5340509#M598630 <P>Hi Octavian,</P> <P>&nbsp;</P> <P>Actually, at least on newer IOS versions(17.12+), in case of multi-domain, you might want to stay away from authorizing also the voice:</P> <P>switchport mode access</P> <P>switchport access vlan &lt;X&gt;</P> <P><STRONG>authentication host-mode multi-domain</STRONG></P> <P><STRONG>authentication event server dead action authorize</STRONG></P> <P>authentication event server alive action reinitialize</P> <P>&nbsp;</P> <P>If you also add 'authentication event server dead action authorize voice' your data vlan users will get authorized on both data and voice VLANs and their MAC addresses will show up in both VLANs. Works for end user, but very messy.</P> <P>For this setup suggest using also:</P> <P>radius server ISE1<BR />automate-tester username Test_User ignore-acct-port probe-on</P> <P>&nbsp;</P> <P>This way your switch stops assuming radius server is back up after the deadtime expires, which will not cause the reinitialize from alive action that would have caused few seconds of downtime on the endpoint.</P> <P>&nbsp;</P> <P>KR,</P> <P>Bogdan</P> Tue, 21 Oct 2025 10:33:37 GMT https://community.cisco.com/t5/network-access-control/authentication-event-server-dead-action-for-radius-group/m-p/5340509#M598630 bogdan.sileanu 2025-10-21T10:33:37Z