01-21-2007 10:51 PM - edited 03-10-2019 02:56 PM
The critical authentication feature does not seem to work. Port does not move to authorized state if RADIUS (ACS) server is not available. In fact, it even seems to break the Authentication Fail VLAN functionality.
If RADIUS server is not available and user/machine tries to authenticate, the port fails authentication and remains in unauthorized state and does not even move to AuthFail VLAN.
Any ideas?
01-22-2007 07:52 AM
What's the configuration of your switch?
01-22-2007 06:15 PM
dot1x and aaa related switch configuration follows:
Global Config:
aaa new-model
aaa group server radius acsrad
server A.B.C.D auth-port 1645 acct-port 1646
server W.X.Y.Z auth-port 1645 acct-port 1646
!
aaa group server tacacs+ acstac
server A.B.C.D
server W.X.Y.Z
aaa authentication login default group acstac local
aaa authentication dot1x default group acsrad
aaa authorization exec default group acstac if-authenticated
aaa authorization network default group acsrad if-authenticated
aaa accounting update periodic 5
aaa nas port extended
!
aaa session-id common
tacacs-server host A.B.C.D key 7 XXXXXXXXXXX
tacacs-server host W.X.Y.Z key 7 XXXXXXXXX
tacacs-server directed-request
radius-server dead-criteria time 5 tries 2
radius-server host A.B.C.D auth-port 1645 acct-port 1646 test username XXXX idle-time 1 key 7 XXXXXXXXXX
radius-server host W.X.Y.Z auth-port 1645 acct-port 1646 test username XXXX idle-time 1 key 7 XXXXXXXXXXXX
radius-server source-ports 1645-1646
radius-server deadtime 1
radius-server vsa send authentication
dot1x system-auth-control
dot1x critical recovery delay 2000
dot1x critical eapol
Interface configuration:
switchport access vlan x1
switchport mode access
dot1x critical recovery action reinitialize
dot1x pae authenticator
dot1x port-control auto
dot1x timeout quiet-period 30
dot1x timeout server-timeout 5
dot1x reauthentication
dot1x guest-vlan x2
dot1x auth-fail vlan x2
dot1x critical vlan 101
arp timeout 60
spanning-tree portfast
================================
I have tried making the critical VLAN the same as the access VLAN as well as the Auth-Fail VLAN, but the results are the same.
01-23-2007 07:37 AM
You're missing "dot1x critical" on the port (it's a separate command from the VLAN definition).
Hope this helps,
05-29-2012 05:46 AM
Hello,
I also have the same problem. When the radius servers are dead, the client is not assigned to the critical VLAN. It is treated as authentication failed and then assigned to the auth-fail VLAN.
Where am I making the mistake?
Here is the config:
radius-server host 172.16.1.220 auth-port 1645 acct-port 1646 test username qawsed idle-time 1 key xxx
radius-server host 172.16.1.221 auth-port 1645 acct-port 1646 test username qawsed idle-time 1 key xxx
radius-server source-ports 1645-1646
radius-server deadtime 30
radius-server dead-criteria time 5 tries 2
dot1x system-auth-control
dot1x critical recovery delay 2000
dot1x critical eapol
aaa new-model
aaa authentication dot1x default group radius local
aaa authorization network default group radius local
aaa authorization configuration default group radius
interface GigabitEthernet0/1
switchport access vlan 140
switchport mode access
dot1x critical
dot1x critical recovery action reinitialize
dot1x pae authenticator
dot1x port-control auto
dot1x timeout tx-period 10
dot1x guest-vlan 140
dot1x auth-fail vlan 140
dot1x auth-fail max-attempts 2
dot1x critical vlan 150
spanning-tree portfast
05-29-2012 06:08 AM
aaa authentication dot1x default group radius local
aaa authorization network default group radius local
aaa authorization configuration default group radius
You must change this configuration as below :
aaa authentication dot1x default group radius
aaa authorization network default group radius if-authenticated
aaa authorization configuration default group radius
Hope this helps,
05-29-2012 06:16 AM
OMG it is working, thanks a lot
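The two misconfigurations the replies identify (a port with a critical VLAN but no "dot1x critical", and an AAA method list that falls back to "local"), as an added lint script that is not from the thread or from Cisco: it parses an IOS running-config and reports both. The sample config is constructed here from the second poster's interface name and VLAN numbers, with a second interface showing the corrected form.

```python
import re

# Constructed sample modelled on the second poster's config: Gi0/1 lacks
# "dot1x critical" and the AAA lists end in "local"; Gi0/2 is the fixed form.
SAMPLE_CONFIG = """\
aaa authentication dot1x default group radius local
aaa authorization network default group radius local
interface GigabitEthernet0/1
 switchport access vlan 140
 dot1x port-control auto
 dot1x auth-fail vlan 140
 dot1x critical vlan 150
interface GigabitEthernet0/2
 dot1x critical
 dot1x critical vlan 150
"""

AAA_LOCAL_RE = re.compile(
    r"aaa (?:authentication dot1x|authorization network) \S+ (?:group \S+ )+local$")

def parse_ios(config):
    """Split a running-config into global lines and per-interface sub-lines (IOS indents them)."""
    global_lines, interfaces, current = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and raw.startswith(" "):
            interfaces[current].append(line)
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces

def check_critical_auth(config):
    """Return findings for the two misconfigurations the thread identifies."""
    global_lines, interfaces = parse_ios(config)
    findings = []
    for line in global_lines:
        # With RADIUS dead the trailing "local" method is tried and the session
        # fails (auth-fail VLAN) instead of being handled as critical.
        if AAA_LOCAL_RE.match(line):
            findings.append(f"global: '{line}' ends in 'local'")
    for name, lines in interfaces.items():
        if any(l.startswith("dot1x critical vlan") for l in lines) and "dot1x critical" not in lines:
            findings.append(f"{name}: 'dot1x critical vlan' set but 'dot1x critical' missing")
    return findings
```

Run it against `show running-config` output saved to a file; an empty result means neither of the thread's two problems is present.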