03-06-2018 02:14 AM - edited 02-21-2020 10:47 AM
Hello,
Regarding this statement, "authentication event server alive action reinitialize": if it is not included in the switchport configuration when dead events are configured to use, for example, a specific VLAN only, what will the behaviour be? Will it not go back to authentication from the ISE until restarted?
Thanks
George
03-06-2018 02:44 AM - edited 03-06-2018 02:46 AM
Hi, assuming you have the command "authentication event server dead action authorize", this will authorise a session (re-authenticating or new) into the critical auth VLAN in the event the AAA servers are marked down.
When the AAA servers are alive again, the command "authentication event server alive action reinitialize" will automatically re-authorise the session, removing the client from the critical auth VLAN and assigning the correct VLAN/dACL, or whatever is pushed down when authorised by ISE.
If you don't have that command configured, the client will just sit there in the critical auth VLAN until they manually reset their network connection, at which point authentication will be attempted again and they should be authenticated by ISE.
HTH
08-03-2023 07:01 AM - edited 08-03-2023 07:02 AM
In my test environment, using a C9300 running version 17.6.5, after configuring the following commands, if the ISE goes down the terminal can be assigned the crisis VLAN, but it disconnects from the network every 60s and reacquires the crisis VLAN after 40s.
Can anyone tell me how to fix the problem?
I want the terminal not to drop every 60s after getting the crisis VLAN authorization.
08-03-2023 07:50 AM
@Terence.Jh AFAIK only once the RADIUS servers are available again will the session reinitialize.
Are you sure Critical Auth has been applied to the session? Please provide the output of "show authentication session int gig1/0/1 detail"
08-04-2023 04:12 AM
Hi Rob,
You can see that I used 2 null0 routes to simulate ISE downtime,
and re-shut down the interface to trigger a new authentication session for the client while ISE is down.
After about 30s, the authentication fails and the client gets the crisis VLAN.
But after 60 seconds or so, the endpoint exits and a new authentication occurs. The reason seems to be that the switch doesn't think the ISE is dead: the switch looks at the AAA servers and they think the ISE is still running. In this cycle, the endpoint acquires the crisis VLAN for 60s, after which it triggers re-authentication and continues to acquire the crisis VLAN for 60s...
08-03-2023 08:05 AM
Do you have "dot1x critical eapol" configured on the switch? This will send the client an EAP-Success during a critical authentication event.
hth
Andy
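To tie the pieces of this thread together (the dead/alive actions explained in the accepted answer, the server never being marked dead in the C9300 test, and the "dot1x critical eapol" question), here is an added reference configuration. It is not from any poster in this thread and not from Cisco documentation; it uses the legacy (IBNS 1.0) command syntax quoted in the thread, and the VLAN ID, server address, shared key, probe username and interface are placeholders.

```cisco
! --- Added example: critical-auth (inaccessible authentication bypass) baseline ---
! Server health: without dead-criteria AND a non-zero deadtime the switch never
! marks a RADIUS server dead, so every (re)authentication waits for the full
! RADIUS timeout instead of going straight to the critical-auth action.
radius-server dead-criteria time 5 tries 3
radius-server deadtime 15
!
radius server ISE-PSN1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813   ! placeholder address
 key PLACEHOLDER-SHARED-SECRET                            ! placeholder key
 automate-tester username probe-user probe-on             ! placeholder probe account
!
aaa group server radius ISE-GROUP
 server name ISE-PSN1
!
aaa new-model
aaa authentication dot1x default group ISE-GROUP
aaa authorization network default group ISE-GROUP
aaa accounting dot1x default start-stop group ISE-GROUP
!
dot1x system-auth-control
! Sends an EAP-Success to the supplicant when a session is critically
! authorized, so the client keeps its interface up instead of retrying.
dot1x critical eapol
!
interface GigabitEthernet1/0/1
 switchport mode access
 authentication port-control auto
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication event fail action next-method
 ! Servers dead: place the session in the critical VLAN (placeholder 100)
 authentication event server dead action authorize vlan 100
 authentication event server dead action authorize voice
 ! Servers back: reinitialize so ISE pushes the real VLAN/dACL again.
 ! Leaving this line out is the behaviour asked about at the top of the
 ! thread: the client stays in VLAN 100 until it bounces its own link.
 authentication event server alive action reinitialize
 dot1x pae authenticator
 mab
!
! Verification:
!   show aaa servers                                    -> look for "State: current DEAD"
!   show authentication sessions interface gi1/0/1 details
!        -> Status should show critical authorization, not a repeating
!           Authc Failed / restart cycle
```

On a C9300 running 17.x these commands may be displayed in the converted IBNS 2.0 (policy-map type control subscriber) form, but the intent is the same: the dead-criteria/deadtime pair decides when the switch stops waiting on ISE, the dead action decides what the client gets meanwhile, and the alive action decides whether it ever returns to normal authorization without a link flap.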
08-04-2023 04:14 AM
Of course,
my switch configuration has these commands.