authentication event server dead action for radius group

tomi.sirait
Level 1

Hi,

I need help understanding "authentication event server dead" in the interface configuration of IOS.

I found that this applies globally; I mean, this condition is triggered if all RADIUS servers are dead.

What if we want this condition to apply to only one RADIUS group?

BR

Tomi

5 Replies

nspasov
Cisco Employee

The command is used to configure action(s) that will be taken for ports configured for authentication in the event that all RADIUS servers become unavailable. For instance:

authentication event server dead action authorize vlan 55
authentication event server alive action reinitialize

With the above syntax, the configured port will be authorized/fail-open to VLAN 55 if/when the globally configured RADIUS servers become unavailable. Once the server(s) become available again, all of the configured ports will be re-initialized, thus forcing them to perform regular dot1x/mab authentication.

The command is configured per-port and cannot be tied to a set of RADIUS servers. The RADIUS servers used are configured under your global aaa commands.

Hope this helps

Thank you for rating helpful posts!

Hi Neno,

One small query here.

Now the command also gives <cr> on

authentication event server dead action authorize ?

So if I do not specify any VLAN, what happens then?

Thanks,

Nick

Hi,

What would happen in this scenario?

An access port is configured into VLAN 50 ("switchport access vlan 50"), but the RADIUS server dead configuration is "authentication event server dead action vlan 10". VLAN 10 does not exist on the switch, however, only VLAN 50.

I've come across this config and it seemed to cause a problem; I'm just trying to find out why. This was the issue: ISE went unreachable from the local switch. Only phones on the switch stayed authenticated. The PCs dropped off the network.

When ISE came back up, the PCs still didn't authenticate correctly. On ISE we saw the users as authenticated. But on the switchport, they were showing in an unknown state in "show authentication sessions". Bouncing the port caused the users to re-authenticate, but still the port stayed in an unknown state. The only workaround was to remove the authentication event server dead action vlan 10 and then bounce the port.

So I am trying to work out why this config may have caused this issue. Any ideas?

Thanks

Venkatesh Attuluri
Cisco Employee

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_55_se/configuration/guide/3750xscg/sw8021x.html#wp1274284

The link explains the following command:

authentication event server dead action {authorize | reinitialize} vlan vlan-id

This is an interface-level command.

Octavian Szolga
Level 4

Hi,

This is critical auth for multi-domain:

switchport mode access
switchport access vlan <X>
authentication host-mode multi-domain
authentication event server dead action authorize
authentication event server dead action authorize voice
authentication event server alive action reinitialize

No need to specify the VLAN. It is the access port VLAN.

This is critical auth for multi-auth:

switchport access vlan <X>
switchport mode access
authentication host-mode multi-auth
authentication event server dead action reinitialize vlan <X>
authentication event server dead action authorize voice
authentication event server alive action reinitialize

Please check your switchport config.

BR,

Octavian
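
An added example, not part of any post in this thread: a small Python audit that reads a switch configuration and flags ports whose `authentication event server dead action` line references a VLAN with no `vlan N` definition, or that have a dead action without `authentication event server alive action reinitialize`. It assumes VLANs appear as single `vlan N` lines in the text being parsed; the `audit` function, the finding strings and the sample config are constructed for illustration.

```python
import re

# Constructed sample config (not taken from any participant's switch).
SAMPLE_CONFIG = """\
vlan 50
!
interface GigabitEthernet1/0/1
 switchport access vlan 50
 switchport mode access
 authentication host-mode multi-auth
 authentication event server dead action reinitialize vlan 50
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
!
interface GigabitEthernet1/0/2
 switchport access vlan 50
 switchport mode access
 authentication event server dead action authorize vlan 10
!
"""

DEAD = "authentication event server dead action "
ALIVE = "authentication event server alive action reinitialize"


def audit(config):
    """Return (interface, finding) tuples for critical-auth inconsistencies."""
    defined, ports, current = set(), {}, None
    for raw in config.splitlines():
        vlan = re.fullmatch(r"vlan (\d+)", raw)
        if vlan:                                   # global "vlan N" definition
            defined.add(int(vlan.group(1)))
            current = None
        elif raw.startswith("interface "):         # start of an interface block
            current = ports.setdefault(raw.split(None, 1)[1], [])
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())            # line inside the block
        else:
            current = None                         # "!" or other global line
    findings = []
    for name, lines in ports.items():
        dead = [l for l in lines if l.startswith(DEAD)]
        for line in dead:
            m = re.search(r" vlan (\d+)$", line)
            if m and int(m.group(1)) not in defined:
                findings.append((name, f"dead-action VLAN {m.group(1)} is not defined"))
        if dead and ALIVE not in lines:
            findings.append((name, "dead action without alive action reinitialize"))
    return findings
```

Calling `audit(SAMPLE_CONFIG)` reports both findings for GigabitEthernet1/0/2 and none for GigabitEthernet1/0/1.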

 
