Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
3155
Views
5
Helpful
3
Replies

Critical Auth VLAN not working

Go to solution
dodgerfan78
Level 1
Level 1

‎01-02-2019 01:46 PM - edited ‎03-11-2019 01:53 AM

I am testing a critical auth VLAN config but it looks like I it is not working. The port has a phone and then a PC attached to the phone. Config is below. What happens is that the PC will still get an IP on VLAN 429 (even after ipconfig renew or port bounce). I have verified the AAA servers are down and you can see the status as Critical_Auth_VLAN. Am I missing something? Thanks.

 

 

interface GigabitEthernet0/4
 description ISE-TEST-lan
 switchport access vlan 429
 switchport mode access
 switchport voice vlan 428
 ip device tracking maximum 10
 authentication event fail action next-method
 authentication event server dead action reinitialize vlan 433
 authentication event server alive action reinitialize 
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer inactivity server
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast edge
end

3560#sho span
3560#sho spanning-tree vlan 433 | inc 0/4
Gi0/4               Desg FWD 4         128.4    P2p Edge 

3560#show aaa servers | inc State
 State: current DEAD, duration 12155s, previous duration 33360s
 State: current DEAD, duration 12125s, previous duration 32873s

3560#s4 | in Temp
 Service Template: CRITICAL_AUTH_VLAN_Gi0/4 (priority 150)
 Service Template: CRITICAL_AUTH_VLAN_Gi0/4 (priority 150)

 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
kthiruve
Cisco Employee
Cisco Employee

‎01-02-2019 04:33 PM

Hi,

 

Think there is a mistake in your configuration.

authentication event server dead should have an action 'authorize' and not reinitialize. Try this and it should work. autentication event server alive is correct it should be reinitialize.

authentication event server dead action authorize

Thanks

krishnan

View solution in original post

3 Replies 3

Go to solution
dodgerfan78
Level 1
Level 1

‎01-02-2019 01:50 PM

Some how this got put in the Policy and Access section and not ISE...and I cannot delete this to move it...Why no option to delete?
0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to dodgerfan78

‎01-02-2019 02:38 PM

Both are monitored the same. Actually likely a switching question might be better to move there
0 Helpful

Go to solution
kthiruve
Cisco Employee
Cisco Employee

‎01-02-2019 04:33 PM

Hi,

 

Think there is a mistake in your configuration.

authentication event server dead should have an action 'authorize' and not reinitialize. Try this and it should work. autentication event server alive is correct it should be reinitialize.

authentication event server dead action authorize

Thanks

krishnan

Top