802.1X fail/no-response vs dead event

ICTDAMICO
Level 1

Good afternoon everyone,

I am trying to configure 802.1X on my Cisco 9300 switch running 17.06.04.

Everything works OK, but I can't make the server dead/alive critical event work together with the fail/no-response events.

My goal is to authorize devices on VLAN 10, authorize failed or no-response devices on VLAN 36, and to authorize devices on VLAN 10 in the critical situation where the AAA servers are down.

Although I have found several discussions describing exactly this scenario, the fail or no-response events are always triggered (when configured) if the AAA servers are down.

Is my scenario possible, or are the fail and no-response events not compatible with the server dead event?

Another question: the devices only ask for the credentials once (I am testing without certificates at the moment). Would it be possible to be asked twice in case the RADIUS server returns a fail event?

Working configuration with only the critical condition:

switchport access vlan 10
switchport mode access
authentication control-direction in
authentication event server dead action authorize
authentication event server alive action reinitialize
authentication host-mode multi-host
authentication order dot1x
authentication port-control auto
authentication violation replace
dot1x pae authenticator
dot1x timeout tx-period 10
dot1x max-req 1
dot1x max-reauth-req 1
spanning-tree portfast

In this configuration the fail or no-response events trigger even if the servers are down:

switchport access vlan 10
switchport mode access
authentication event server dead action authorize
authentication event fail retry 1 action authorize vlan 36
authentication event no-response action authorize vlan 36
authentication event server alive action reinitialize
authentication host-mode multi-host
authentication port-control auto
authentication violation replace
dot1x pae authenticator
dot1x timeout tx-period 10
dot1x max-req 1
dot1x max-reauth-req 1
spanning-tree portfast

1 Reply

Arne Bier
VIP

I don't use IBNS 1.0 anymore - but here is my understanding of it. First of all, let's make sure we agree on what each event means:

The two events below relate to the endpoint's response to EAPOL frames

  1. authentication event fail - there was EAPOL traffic, but the RADIUS server replied with EAP Fail
  2. authentication event no-response - the endpoint did not engage in any EAPOL conversation (no supplicant)

The two events below relate to the RADIUS server group

  1. authentication event server dead - none of the servers in the aaa group replied
  2. authentication event server alive - at least one of the servers in the aaa group is responding again

If your endpoints are always triggering the first two events, then check the ISE Live Logs for clues - it appears that either the supplicant is not playing the game, or ISE is not handling the 802.1X correctly - either way, the switch concluded that 802.1X did not end in EAP Success.

In the event of server dead, there is one IOS global command that you must also configure on all switches, to allow the switch to send EAP Success to endpoints to "fake" a success on behalf of the unavailable RADIUS server:

dot1x critical eapol

A good reference is this Cisco Guide that talks in more detail about IBNS 1.0 and IBNS 2.0

Regarding: "Another question: the devices only ask for the credentials once (I am testing without certificates at the moment). Would it be possible to be asked twice in case the RADIUS server returns a fail event?" - if you were using Machine Authentication (for AD domain-joined endpoints) then this would happen automatically and no user input would be required. But it sounds like you are doing user authentication - which, BTW, is not ideal for many reasons and in future will be disabled by Windows 11 (Credential Guard) - you can get around it, but it's being discouraged for good reasons. I don't know how to make the Windows supplicant retry X number of times - there is no option in ISE to allow repeated attempts. An EAP Fail is an EAP Fail. I would recommend using Machine Auth if your devices are domain joined. If not, then I would recommend certificate auth (EAP-TLS) or EAP-TEAP.
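As an added worked example (the editor's, not part of either post above and not a Cisco-published template), here is how the three outcomes the asker wants map onto the IBNS 2.0 policy model Arne refers to. The RADIUS server names and addresses, the shared key, the probe username, and the service-template, class-map and policy-map names are placeholders. Two practical points it makes explicit: first, a "server dead" outcome only exists once the switch has actually marked every server in the group dead (`radius-server dead-criteria` together with a non-zero `radius-server deadtime`; with the default deadtime of 0 the servers are not marked dead), so an unanswered request otherwise looks to the port like a failed or no-response attempt, which is worth checking in the original 1.0 configuration too (`show aaa servers` shows each server's state). Second, in the 2.0 policy the order of the classes under `event authentication-failure match-first` is what decides which outcome wins, and the aaa-timeout classes are listed before the dot1x fail and no-response classes.

```cisco
! Added example, not from the thread. Placeholder names: ISE-1/ISE-2, the
! 192.0.2.x addresses, EXAMPLE-KEY, probe-user, *_VLAN10/*_VLAN36, DOT1X_POLICY.
!
! 1. Dead-server detection: without dead-criteria and a non-zero deadtime
!    the group is never "dead", every request just times out.
radius server ISE-1
 address ipv4 192.0.2.11 auth-port 1812 acct-port 1813
 key EXAMPLE-KEY
 automate-tester username probe-user probe-on
radius server ISE-2
 address ipv4 192.0.2.12 auth-port 1812 acct-port 1813
 key EXAMPLE-KEY
 automate-tester username probe-user probe-on
aaa group server radius ISE
 server name ISE-1
 server name ISE-2
radius-server dead-criteria time 10 tries 3
radius-server deadtime 15
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
dot1x system-auth-control
dot1x critical eapol
!
! 2. Templates: VLAN 10 while the servers are dead, VLAN 36 for fail/no-response.
service-template CRITICAL_VLAN10
 vlan 10
service-template FAIL_VLAN36
 vlan 36
!
! 3. Classes that separate the outcomes the 1.0 events run together.
class-map type control subscriber match-all AAA_SVR_DOWN_UNAUTHD_HOST
 match authorization-status unauthorized
 match result-type aaa-timeout
class-map type control subscriber match-all AAA_SVR_DOWN_AUTHD_HOST
 match authorization-status authorized
 match result-type aaa-timeout
class-map type control subscriber match-all DOT1X_FAILED
 match method dot1x
 match result-type method dot1x authoritative
class-map type control subscriber match-all DOT1X_NO_RESP
 match method dot1x
 match result-type method dot1x agent-not-found
class-map type control subscriber match-all IN_CRITICAL
 match activated-service-template CRITICAL_VLAN10
!
! 4. Policy. match-first takes the first matching class, so the aaa-timeout
!    classes come before DOT1X_FAILED / DOT1X_NO_RESP: a dead server group
!    wins, and only a real EAP Fail or a silent endpoint lands on VLAN 36.
policy-map type control subscriber DOT1X_POLICY
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x retries 2 retry-time 0 priority 10
 event authentication-failure match-first
  10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
   10 activate service-template CRITICAL_VLAN10
   20 authorize
   30 pause reauthentication
  20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
   10 pause reauthentication
   20 authorize
  30 class DOT1X_FAILED do-until-failure
   10 activate service-template FAIL_VLAN36
   20 authorize
  40 class DOT1X_NO_RESP do-until-failure
   10 activate service-template FAIL_VLAN36
   20 authorize
  50 class always do-until-failure
   10 terminate dot1x
   20 authentication-restart 60
 event aaa-available match-all
  10 class IN_CRITICAL do-until-failure
   10 clear-session
  20 class always do-until-failure
   10 resume reauthentication
 event agent-found match-all
  10 class always do-until-failure
   10 authenticate using dot1x retries 2 retry-time 0 priority 10
!
! 5. Port: new-style equivalent of the asker's interface block.
!    New-style ports default to open mode; access-session closed keeps the
!    closed behaviour the 1.0 configuration had.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 access-session closed
 access-session control-direction in
 access-session host-mode multi-host
 access-session port-control auto
 dot1x pae authenticator
 dot1x timeout tx-period 10
 dot1x max-req 1
 dot1x max-reauth-req 1
 service-policy type control subscriber DOT1X_POLICY
 spanning-tree portfast
```

The `access-session` and `service-policy type control subscriber` commands are only accepted after the switch has been converted with `authentication convert-to new-style` (a one-way conversion, so take a backup of the running configuration first). Once a session is up, `show access-session interface GigabitEthernet1/0/1 details` shows the method result and which service template is active, which is the quickest way to see whether a port ended up on VLAN 36 because of an EAP Fail, an absent supplicant, or a server group that was never marked dead.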