802.1x authentication when CiscoSecure is down

jalcala
Level 1

I'm setting up Switch Port Authentication on my Catalysts using the CiscoSecure appliance and the Windows Active Directory user database.

Everything works fine in the lab, but I need a way to enable all ports on the switches when the CiscoSecure is down (no communication from the switch to the CiscoSecure). This way, I could give network access to the users in case my CiscoSecure server goes down.

Any suggestion?

4 Replies

gfullage
Cisco Employee

In your AAA command, do the following:

> aaa authentication dot1x default group radius none

The none keyword is a backup authentication method in case the Radius authentication fails (because the server is unavailable, not because of an incorrect username/password), and the switch should authenticate the user automatically.

I did as suggested (add the "none" keyword to the aaa configuration) but it's still not working.

The "none" keyword works well with my Tacacs configuration for line access control to the switches and routers, but applied to the Radius configuration as suggested it seems to do nothing (if the ACS is not on the network, the switch ports remain disabled).

My apologies, I've been reliably informed that using the "none" keyword on the dot1x auth method does not at this time work.

At this time there is no workaround for when the Radius server is unavailable. Your best bet is to set up a backup Radius server, implement DB Replication between the two to sync up their configs, and configure the backup Radius server on your switches.

Thanks a lot. I guess we'll need to set up a backup server.
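
The outcome of this thread can be checked against saved switch configurations. The following is an added example, not code from any poster in the thread: it flags a dot1x method list that relies on `none` and a switch with fewer than two RADIUS servers. It assumes the legacy `radius-server host` syntax and the built-in `group radius`; the sample configs, addresses and key are constructed.

```python
import re

# Constructed sample configs (not from the thread). Addresses are from the
# RFC 5737 documentation range; the key is a placeholder.
SINGLE_SERVER = """\
aaa new-model
aaa authentication dot1x default group radius none
dot1x system-auth-control
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key EXAMPLE-KEY
"""

WITH_BACKUP = """\
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key EXAMPLE-KEY
radius-server host 192.0.2.11 auth-port 1812 acct-port 1813 key EXAMPLE-KEY
"""

HOST_RE = re.compile(r"^[ \t]*radius-server host (\S+)", re.M)
DOT1X_RE = re.compile(r"^[ \t]*aaa authentication dot1x (\S+) (.+)$", re.M)


def audit_dot1x_radius(config: str) -> dict:
    """List the RADIUS servers in a config and flag 802.1X availability gaps."""
    servers = sorted(set(HOST_RE.findall(config)))
    findings = []
    method_lists = DOT1X_RE.findall(config)
    if not method_lists:
        findings.append("no 'aaa authentication dot1x' method list found")
    for name, methods in method_lists:
        # Per the thread, 'none' does not open ports when RADIUS is unreachable.
        if "none" in methods.split():
            findings.append(f"dot1x list '{name}' relies on 'none' as fallback")
    if len(servers) < 2:
        findings.append(f"{len(servers)} RADIUS server(s) defined, no backup server")
    return {"servers": servers, "findings": findings}


if __name__ == "__main__":
    for label, cfg in (("single", SINGLE_SERVER), ("backup", WITH_BACKUP)):
        result = audit_dot1x_radius(cfg)
        print(label, result["servers"], result["findings"] or "ok")
```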