07-20-2004 10:45 PM - edited 03-10-2019 07:55 AM
According to CCO documentation, the following command should make a switch try doing 802.1x authentication for users. If that fails, the switch should fall back to doing no authentication. This prevents users from being locked out of the network if the AAA/RADIUS server goes down.
aaa authentication dot1x default group radius none
However, this command doesn't work, at least not on Catalyst IOS-based switches. If you turn the RADIUS server off, the switch keeps trying to use RADIUS regardless of the above command, even though the debug says that the RADIUS server is dead.
This directly conflicts with the following doc:
This is quite bad as anyone who has implemented 802.1x will be locked out of their network if the RADIUS server goes down.
Wireless access points don't have this problem as they can use a local RADIUS server. But it's a big problem for anyone who has 802.1x running on wired networks.
When will Cisco be fixing this problem?
Thanks.
PAUL G.
07-21-2004 06:31 AM
This does not work for 802.1x and Catalyst switches.
We will fix the documentation.
Also, Wireless APs don't have this problem with LEAP.
Hence, the challenge with wired.
Numerous EAP-types, numerous types of backend databases, etc. all need consideration.
We will have a knob configurable in the near future to address this, but as always, redundancy is recommended.