Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
735
Views
5
Helpful
6
Replies

aaa authentication commands understanding

Go to solution
Naive
Level 1
Level 1

‎05-21-2023 06:39 AM

Hello Everyone,

In a deployment of aaa configuration, Need some understanding for below 2 commands

authentication event fail retry 0 action authorize vlan 805

As far I understand it means if authentication fails, the device is assigned to vlan 805. but I am confused about retry timer, in Cisco documentation retry timer range is from 1 to 3, not sure why 0 is there. 

authentication event no-response action authorize vlan 505

As per the docs for this command, if client does not send any EAP packet,  the switch placed in 505 vlan after a timeout period, then I am thinking what about MAB authentication, Under MAB authentication also no EAP packet, so how flow works with that scenario. 

and Is this vlan also called guest vlan (505)

 

 

 

 

2 Accepted Solutions

Accepted Solutions

Go to solution
M02@rt37
VIP
VIP

‎05-21-2023 06:48 AM - edited ‎05-21-2023 06:54 AM

Hello @Naive,

Thie first command states that if the authentication process fails, the device will be assigned to VLAN 805. However, you're correct in pointing out that the retry timer value of 0 seems unusual. In Cisco documentation, the range for the retry timer is typically 1 to 3, where it specifies the number of retries before taking action. It's possible that using a value of 0 in this command disables the retry functionality, meaning that if authentication fails, the device will be immediately assigned to VLAN 805 without any retries.

Fort the second command, in the scenario of MAB authentication, where EAP packets are not used, the switch will still consider the lack of response (e.g., due to an incorrect or unauthorized MAC address) as a failure to authenticate, triggering the action to assign the device to VLAN 505.

 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

View solution in original post

Go to solution
thomas
Cisco Employee
Cisco Employee

‎06-13-2023 04:14 PM

Searching the Cisco IOS Security Command Reference: Commands A to C for authentication event fail retry I found the description of the command:

Configuring the Number of Authentication Retries

You can configure the maximum number of authentication attempts allowed before a user is assigned to the restricted VLAN by using the authentication event retry retry count interface configuration command. The range of allowable authentication attempts is 1 to 3. The default is 3 attempts.

I don't know your source for the command with a 0 so I don't know why it is there either.

As for authentication event no-response action authorize vlan, the authentiation event * commands are there as local switchport options for bad events (fail, dead server, no-response, etc.). Assuming MAB is configured, and you receive a response, it should take precedence.

Perhaps if MAB is not configured, then the VLAN in this command is used. The IOS-XE docs are incredibly vague about the behavior with MAB.

Best to test the behavior in your lab if you want to use it.

View solution in original post

0 Helpful
6 Replies 6

Go to solution
M02@rt37
VIP
VIP

‎05-21-2023 06:48 AM - edited ‎05-21-2023 06:54 AM

Hello @Naive,

Thie first command states that if the authentication process fails, the device will be assigned to VLAN 805. However, you're correct in pointing out that the retry timer value of 0 seems unusual. In Cisco documentation, the range for the retry timer is typically 1 to 3, where it specifies the number of retries before taking action. It's possible that using a value of 0 in this command disables the retry functionality, meaning that if authentication fails, the device will be immediately assigned to VLAN 805 without any retries.

Fort the second command, in the scenario of MAB authentication, where EAP packets are not used, the switch will still consider the lack of response (e.g., due to an incorrect or unauthorized MAC address) as a failure to authenticate, triggering the action to assign the device to VLAN 505.

 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Go to solution
Naive
Level 1
Level 1
In response to M02@rt37

‎05-22-2023 01:19 AM

Thanks for the reply M02@rt37 , However I am still not understand flow in the case of 2nd command, Is there any flow diagram or cisco doc I am able to find.

Go to solution
MHM Cisco World
VIP
VIP
In response to Naive

‎05-22-2023 06:24 AM

Your Q if there is prize, I will give it to you. 
Sure your Q is interest, 
the no-response is depend on missing 802.1x and but if the MAB is config under interface what is the behaviour of SW?
that need some check the command reference and some guide 
I will update you soon 
thanks 
MHM

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP

‎05-22-2023 04:31 PM

I check the security book and some ciscolive slide and command reference 
this command not work if you config MAB.
thanks 
MHM

0 Helpful

Go to solution
thomas
Cisco Employee
Cisco Employee

‎06-13-2023 04:14 PM

Searching the Cisco IOS Security Command Reference: Commands A to C for authentication event fail retry I found the description of the command:

Configuring the Number of Authentication Retries

You can configure the maximum number of authentication attempts allowed before a user is assigned to the restricted VLAN by using the authentication event retry retry count interface configuration command. The range of allowable authentication attempts is 1 to 3. The default is 3 attempts.

I don't know your source for the command with a 0 so I don't know why it is there either.

As for authentication event no-response action authorize vlan, the authentiation event * commands are there as local switchport options for bad events (fail, dead server, no-response, etc.). Assuming MAB is configured, and you receive a response, it should take precedence.

Perhaps if MAB is not configured, then the VLAN in this command is used. The IOS-XE docs are incredibly vague about the behavior with MAB.

Best to test the behavior in your lab if you want to use it.

0 Helpful

Go to solution
Aref Alsouqi
VIP
VIP

‎06-15-2023 12:09 PM

Out of interest, where did you get those lines from? a study guide? or an actual device config? I believe the 0 timer can be set to the "authentication event fail retry" command which allows setting a timer value between 0 and 5. Setting that timer to zero means don't wait for any failure retry. However, the timer of the command "authentication event retry" is the one that has the allowed values from 1 to 3. AFAIK both commands would do the same, and I think the last command can be included in the same config line where you define the critical VLAN ID, and I think these commands would be related to the dot1x supplicant failures. However, the "authentication event no-response" comamnd would be more related to the ports that are configured and connected to the devices doing MAB. In fact this command would move the port into the critical VLAN if no EAP packets will be received on that port.

0 Helpful
Customers Also Viewed These Support Documents