Critical Auth VLAN not working

dodgerfan78
Level 1

I am testing a critical auth VLAN config but it looks like it is not working. The port has a phone and then a PC attached to the phone. Config is below. What happens is that the PC will still get an IP on VLAN 429 (even after ipconfig renew or port bounce). I have verified the AAA servers are down and you can see the status as Critical_Auth_VLAN. Am I missing something? Thanks.

interface GigabitEthernet0/4
 description ISE-TEST-lan
 switchport access vlan 429
 switchport mode access
 switchport voice vlan 428
 ip device tracking maximum 10
 authentication event fail action next-method
 authentication event server dead action reinitialize vlan 433
 authentication event server alive action reinitialize 
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer inactivity server
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast edge
end

3560#sho span
3560#sho spanning-tree vlan 433 | inc 0/4
Gi0/4               Desg FWD 4         128.4    P2p Edge 

3560#show aaa servers | inc State
State: current DEAD, duration 12155s, previous duration 33360s
State: current DEAD, duration 12125s, previous duration 32873s

3560#s4 | in Temp
Service Template: CRITICAL_AUTH_VLAN_Gi0/4 (priority 150)
Service Template: CRITICAL_AUTH_VLAN_Gi0/4 (priority 150)


Accepted Solution

kthiruve
Cisco Employee

Hi,


Think there is a mistake in your configuration.

authentication event server dead should have an action 'authorize' and not reinitialize. Try this and it should work. authentication event server alive is correct; it should be reinitialize.

authentication event server dead action authorize

Thanks

krishnan

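As an added example (not from the thread or from Cisco), a small Python audit that scans IOS interface stanzas for the critical-auth settings discussed above: it flags a server-dead action other than `authorize` and a server-alive action other than `reinitialize`, and rewrites the dead-action line the way the accepted answer recommends. The sample stanza is the posted one, re-typed inline; the expected values encode the accepted answer's recommendation, not an independent check.

```python
import re

# Constructed sample: the interface stanza from the thread, as posted
# (the 'server dead' line uses 'reinitialize', which the accepted answer says is wrong).
POSTED_CONFIG = """\
interface GigabitEthernet0/4
 description ISE-TEST-lan
 switchport access vlan 429
 switchport mode access
 switchport voice vlan 428
 authentication event fail action next-method
 authentication event server dead action reinitialize vlan 433
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication open
 authentication port-control auto
 mab
 dot1x pae authenticator
end
"""

DEAD_ACTION = re.compile(
    r"^\s*authentication event server dead action (\w+)(?: vlan (\d+))?\s*$", re.M)
ALIVE_ACTION = re.compile(
    r"^\s*authentication event server alive action (\w+)\s*$", re.M)

def audit_critical_auth(config: str) -> list:
    """Return human-readable findings about the server-dead / server-alive settings."""
    findings = []
    for block in re.split(r"(?m)^(?=interface )", config):
        m = re.match(r"interface (\S+)", block)
        if not m or "authentication port-control auto" not in block:
            continue  # only ports actually enforcing 802.1X/MAB are relevant
        name = m.group(1)
        dead = DEAD_ACTION.search(block)
        if dead is None:
            findings.append(f"{name}: no server-dead action; hosts are dropped when AAA is unreachable")
            continue
        action, vlan = dead.groups()
        if action != "authorize":
            findings.append(f"{name}: server-dead action is '{action}', expected 'authorize vlan <id>'")
        elif vlan is None:
            findings.append(f"{name}: 'authorize' without a VLAN keeps hosts on the configured access VLAN")
        alive = ALIVE_ACTION.search(block)
        if alive is None or alive.group(1) != "reinitialize":
            findings.append(f"{name}: server-alive action should be 'reinitialize' so hosts re-authenticate when AAA returns")
    return findings

def fixed_config(config: str) -> str:
    """Apply the accepted answer: change the dead-action verb to 'authorize', keeping any VLAN id."""
    return DEAD_ACTION.sub(
        lambda m: " authentication event server dead action authorize"
        + (f" vlan {m.group(2)}" if m.group(2) else ""), config)
```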

3 Replies

dodgerfan78
Level 1
Somehow this got put in the Policy and Access section and not ISE...and I cannot delete this to move it...Why no option to delete?

Both are monitored the same. Actually, it is more likely a switching question and might be better moved there.

