Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
423
Views
0
Helpful
2
Replies

802.1x with Certificate based authentication and MAB been unsuccessful

ashok10-mohan
Level 1
Level 1

‎04-25-2025 03:42 AM

Hi

I have established an 802.1x environment utilizing credential and certificate-based authentication by configuring the Cisco 3650 switch along with a virtual machine that includes Active Directory and Network Policy Server.

The credentials and certificate, tested on one virtual machine and one physical machine, appear to be functioning properly.

I have also evaluated scenario i.e., where 802.1x with certificate-based authentication, along with a fallback to MAC address, appears to be functioning effectively.

I intended to establish a redundant server, which has been set up with Active Directory and Network Policy Server, mirroring the same policy configurations as the primary server, and the secondary server has also been configured in the switch.

I would appreciate it if some experts could provide clarification on a few below questions I have.

  1. When the primary server is down, the authentication process should redirect to the secondary server; however, it fails because the primary server is unavailable?
  2. In the event that 802.1X certificate validation is unsuccessful and the system resorts to MAC Authentication Bypass (MAB) as an alternative method with the Network Policy Server (NPS), but NPS is inoperative or Active Directory (AD) is inaccessible for authentication verification, what other potential solutions can be implemented to verify authentication and provide access when NPS/AD/Radius is unavailable?
  3. Is it possible to utilize the 'Local Switch Authentication' method, considering that both 802.1X and MAB with NPS have been unsuccessful? The ultimate fallback option is to authenticate through the local switch. It is important to note that this configuration instructs the switch to prioritize RADIUS authentication, reverting to local authentication only if RADIUS is not accessible?
  4. Aside from the local switch authentication, are there alternative mechanisms or solutions available when both 802.1X and MAB with NPS have been unsuccessful?
  5. Alternative to Windows NPS/Radius? 

Can anyone assist me with my questions? I would appreciate it if you could share the relevant links and commands for configuration.

Labels:
0 Helpful
2 Replies 2

Arne Bier
VIP
VIP

‎04-28-2025 01:41 PM

  1. When the primary server is down, the authentication process should redirect to the secondary server; however, it fails because the primary server is unavailable?
    RADIUS servers are just dumb worker nodes. They don't do anything unless spoken to. If your NAD (e.g. switch) has Server 1 as primary server, and makes a request, then it expects a reply. If it get no reply x times with delay y in between, then it will try Server 2. And so it goes in a circular fashion.
  2. In the event that 802.1X certificate validation is unsuccessful and the system resorts to MAC Authentication Bypass (MAB) as an alternative method with the Network Policy Server (NPS), but NPS is inoperative or Active Directory (AD) is inaccessible for authentication verification, what other potential solutions can be implemented to verify authentication and provide access when NPS/AD/Radius is unavailable?
    If 802.1X "fails" (what does that mean? - it can mean that either the supplicant has 802.1X configured, but the credentials didn't work ... or it can mean the endpoint has no supplicant and therefore the switch didn't get a response to the EAPOL frames) - either way, 802.1X "didn't work" - therefore you can fail back to MAB - this really means, that the switch is now open to processing the first Ethernet frame it receives and passes the MAC address to the RADIUS server for MAB analysis.  If the RADIUS server is not available for processing, then the switch can use the critical auth VLAN mode (in IBNS 1.0 and 2.0) - IBNS 2.0 has some more advancd failure features too. Search the web for "ISE wired deployment" and read the excellent guide.

  3. Is it possible to utilize the 'Local Switch Authentication' method, considering that both 802.1X and MAB with NPS have been unsuccessful? The ultimate fallback option is to authenticate through the local switch. It is important to note that this configuration instructs the switch to prioritize RADIUS authentication, reverting to local authentication only if RADIUS is not accessible?
    I am not aware of a Local switch authentication, other than the critical auth failure mode. To my knowledge, there is no database on the switch to act as a RADIUS server. IBNS 2.0 has some "caching" of previously successful authentications and it can quasi-act as a RADIUS server when the aaa group is "down" - but this only works for previously known endpoints, and it's bit tricky to setup.

  4. Aside from the local switch authentication, are there alternative mechanisms or solutions available when both 802.1X and MAB with NPS have been unsuccessful?
    Critical auth.

  5. Alternative to Windows NPS/Radius? 
    Ha ha - yes Cisco ISE. This is a Cisco forum after all. Other vendors also make RADIUS servers.  Meraki also has a light-weight solution. And in the open source, FreeRADIUS has been popular for many years. But it's all CLI config file driven - best left to those who are happy to work in the CLI.
0 Helpful

ashok10-mohan
Level 1
Level 1

‎05-05-2025 03:42 AM

My question is: 802.1x certificate validation fails for some reason, like the expired certificate, and trying to connect using MAB fallback mechanism with nps, however, nps is down, so it needs to re-authenticate with some other options, and

Can we choose the local switch as an option for the computer to authenticate when NPS/AD is down?

Possible solutions received from AI for my question:

When 802.1X certificate validation fails and the system attempts to use MAC Authentication Bypass (MAB) as a fallback mechanism with Network Policy Server (NPS), but NPS is down, the authentication process becomes more complex. In this scenario, the system needs to re-authenticate with the local switch for that computer to authenticate. Let's break down this process and explore the potential solutions.

Solution 1:

Configuring Local Authentication on the SwitchConfiguring Local Authentication on the Switch
Solution 2:

Configuring Local Authentication for computers on the Switch for 802.1xConfiguring Local Authentication for computers on the Switch for 802.1x

Solution 3:

Configure 802.1X first, then MAB, and falls back to local switch for authentication step by step configuration
Here’s a step-by-step configuration for a Cisco switch to attempt 802.1X authentication first, then fallback to MAB (MAC Authentication Bypass), and finally fallback to local authentication (such as placing the device in a restricted VLAN or applying a local ACL) if the RADIUS server is unreachable. This covers the scenario shown in your screenshot, where 802.1X authentication failed due to a user account problem.

Step 1: Enable AAA and Define Authentication Methods
configure terminal
aaa new-model
aaa authentication dot1x default group radius local
aaa authentication mab default group radius local
aaa authorization network default group radius local
This tries RADIUS first, then falls back to the local switch database if RADIUS is unavailable

Step 2: Configure RADIUS Server
radius server RADIUS-SERVER
address ipv4 <RADIUS-IP> auth-port 1812 acct-port 1813
key <shared-secret>
!
aaa group server radius RADIUS-GROUP
server name RADIUS-SERVER
!
(Replace <RADIUS-IP> and <shared-secret> with your actual RADIUS server’s IP and secret.)

Step 3: Configure the Interface for 802.1X, MAB, and Fallback
interface GigabitEthernet1/0/8
switchport mode access
authentication port-control auto
dot1x pae authenticator
mab
authentication order dot1x mab
authentication priority dot1x mab
authentication event fail action next-method
authentication event server dead action authorize vlan 999
authentication host-mode single-host
authentication order dot1x mab: Tries 802.1X first, then MAB3456.
authentication event fail action next-method: If 802.1X fails, try MAB46.
authentication event server dead action authorize vlan 999: If RADIUS is unreachable, place the device in VLAN 999 (a restricted VLAN for local fallback)6.
authentication port-control auto: Enables authentication on the port.

Step 4: (Optional) Configure Local User for MAB Fallback
If you want the switch to authenticate a device locally by MAC address (for MAB fallback):
username 000C2915X24C password 000C2915X24C
Use the MAC address as the username and password (format must match how the switch presents the MAC)

Step 5: (Optional) Apply an ACL to the Fallback VLAN
To restrict access for devices placed in the fallback VLAN:
ip access-list extended LOCAL-FALLBACK-ACL
permit ip any any ! (Or restrict as needed)
!
interface vlan 999
ip access-group LOCAL-FALLBACK-ACL in
This ensures limited access for devices authenticated locally when RADIUS is down.

Step 6: Save and Verify
end
write memory
show authentication sessions interface GigabitEthernet1/0/8
show dot1x all
show logging
Use these commands to verify authentication state and logs

I am not sure whether this solution works but when i checked in some AI it suggested me the above 3 solutions and i have shared them with commands. Kindly please help me to check and let me know if these solution using switch as authenticator works when NPS/AD is down.

I appreciate any help you can provide on this, thanks in advance!!
Ashok M

0 Helpful
Customers Also Viewed These Support Documents