
Authentication Open Failure

Is there a way to stop the port from reauthenticating when a device fails to open? I am trying to set up low-impact mode on a wired network, and I have some WYSE terminals that I don't want to authenticate to the network, so I would like them to fail open with an ACL limiting their access. However, the switch continues to try to authenticate the device even after it has failed authentication. This is causing my logs on ISE to be full of bogus authentication failures. Is there a way to limit those errors or stop the switchport from trying to reauthenticate? Below is the switchport config.

switchport access vlan 33
switchport mode access
switchport voice vlan 233
ip access-group ACL-DEFAULT in
authentication event fail retry 1 action next-method
authentication event server dead action authorize vlan 33
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
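The pattern Nicolas describes (an endpoint that will never authenticate being re-asked on every reauthentication cycle, each dot1x failure falling through to a MAB failure) is also a triage problem on the RADIUS side: the noise has to be told apart from failures that deserve a look. The script below is an added example, not code from this thread or from Cisco/ISE. The log layout, the switch names, ports, MACs and timestamps are all constructed for the demonstration and do not reproduce the real ISE syslog format; adapt LINE_RE to whatever your server exports.

```python
"""Triage repeated 802.1X/MAB failures per endpoint (added example, constructed data)."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample: a terminal on Gi1/0/12 fails dot1x, falls to MAB, fails again,
# and the cycle repeats every reauth period; a laptop on Gi1/0/20 fails once then
# passes; one MAC on sw-floor2 fails MAB a single time. One line is deliberately bad.
SAMPLE_LOG = """\
2023-05-01T08:00:02 nas=sw-floor3 port=Gi1/0/12 mac=00:80:64:aa:bb:01 method=dot1x result=FAIL
2023-05-01T08:00:12 nas=sw-floor3 port=Gi1/0/12 mac=00:80:64:aa:bb:01 method=mab result=FAIL
2023-05-01T08:05:02 nas=sw-floor3 port=Gi1/0/12 mac=00:80:64:aa:bb:01 method=dot1x result=FAIL
2023-05-01T08:05:12 nas=sw-floor3 port=Gi1/0/12 mac=00:80:64:aa:bb:01 method=mab result=FAIL
2023-05-01T08:10:02 nas=sw-floor3 port=Gi1/0/12 mac=00:80:64:aa:bb:01 method=dot1x result=FAIL
2023-05-01T08:10:12 nas=sw-floor3 port=Gi1/0/12 mac=00:80:64:aa:bb:01 method=mab result=FAIL
2023-05-01T08:07:41 nas=sw-floor3 port=Gi1/0/20 mac=3c:52:82:11:22:33 method=dot1x result=FAIL
2023-05-01T08:07:44 nas=sw-floor3 port=Gi1/0/20 mac=3c:52:82:11:22:33 method=dot1x result=PASS
2023-05-01T08:09:10 nas=sw-floor2 port=Gi1/0/5 mac=a4:bb:6d:44:55:66 method=mab result=FAIL
this line is malformed and must be skipped
"""

# Constructed layout, not ISE's real syslog format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) nas=(?P<nas>\S+) port=(?P<port>\S+) mac=(?P<mac>\S+) "
    r"method=(?P<method>dot1x|mab) result=(?P<result>PASS|FAIL)$"
)


def parse(log_text):
    """Return one dict per well-formed line; malformed lines are dropped."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            records.append(rec)
    return records


def summarize(records):
    """Per MAC: failure count per method, ports seen, and whether it ever passed."""
    summary = defaultdict(lambda: {"dot1x_fail": 0, "mab_fail": 0,
                                   "passed": False, "ports": set()})
    for r in records:
        s = summary[r["mac"]]
        s["ports"].add(f'{r["nas"]} {r["port"]}')
        if r["result"] == "PASS":
            s["passed"] = True
        else:
            s[f'{r["method"]}_fail'] += 1
    return dict(summary)


def classify(summary, min_cycles=3):
    """Label each endpoint.

    exempt-candidate: failed both dot1x and MAB at least min_cycles times and never
        passed, i.e. a device that will never authenticate and should be handled on
        the switch (restricted VLAN or a MAB entry) instead of tolerated as noise.
    transient: failed at some point but later passed; normal supplicant behaviour.
    review: too few events to decide.
    """
    labels = {}
    for mac, s in summary.items():
        if s["passed"]:
            labels[mac] = "transient"
        elif s["dot1x_fail"] >= min_cycles and s["mab_fail"] >= min_cycles:
            labels[mac] = "exempt-candidate"
        else:
            labels[mac] = "review"
    return labels


def reauth_period_seconds(records, mac):
    """Median gap between consecutive dot1x failures for one MAC, or None.

    A steady gap says the failures are the port's reauthentication timer firing,
    not a burst from a misbehaving client.
    """
    times = sorted(r["ts"] for r in records
                   if r["mac"] == mac and r["method"] == "dot1x" and r["result"] == "FAIL")
    if len(times) < 2:
        return None
    return statistics.median((b - a).total_seconds() for a, b in zip(times, times[1:]))


def noise_share(records, labels):
    """Fraction of all FAIL events produced by exempt-candidate endpoints."""
    fails = [r for r in records if r["result"] == "FAIL"]
    if not fails:
        return 0.0
    return sum(labels.get(r["mac"]) == "exempt-candidate" for r in fails) / len(fails)


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    labels = classify(summarize(recs))
    for mac, label in sorted(labels.items()):
        print(f"{mac}  {label}  reauth_period={reauth_period_seconds(recs, mac)}")
    print(f"share of failures from exempt candidates: {noise_share(recs, labels):.0%}")
```

On the constructed sample the terminal on Gi1/0/12 comes out as an exempt-candidate with a 300 s failure period, which is exactly the reauthentication cycle the question complains about, while the one-off failures are kept separate for review; the exempt-candidates here account for three quarters of all failures, which is the volume a restricted VLAN or MAB entry would remove from the ISE logs.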

Accepted Solution

kussriva
Level 1

Hi Nicolas,

You can configure a Restricted VLAN using the command "authentication event fail action authorize vlan (number)" and limit the access for that vlan using ACLs.

You can refer to http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_58_se/configuration/guide/sw8021x.html#wp1179086 for more info.

HTH,

Regards,

Kush


2 Replies

Perfect. I thought that would fail it from trying to do MAB. But it still runs through the order and then fails back to the VLAN.