Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2482
Views
2
Helpful
2
Replies

Dead Action Authorize in MultiAuth Mode

Go to solution
paul
Level 10
Level 10

‎09-25-2016 06:20 AM

I am trying to get a definitive answer on what version of IOS support "dead action authorize" when the port is in multiauth mode.  I am finding conflicting information including in some of the TrustSec guides.

I am testing on my lab 3560 on 12.2(55)SE10 and it definitely doesn't seem to be supported there, only "dead action reinitialize" works.  If I switch the port to multidomain mode the "dead action authorize" works as expected. 

I thought when I had tested this in the past on other versions of code the "dead action authorized" was supported on multiauth ports but now I am having my doubts. 

Any insight would be appreciated.

Thanks.

1 Accepted Solution

Accepted Solutions

Go to solution
howon
Cisco Employee
Cisco Employee

‎09-26-2016 09:46 AM

The behavior never changed since introduction of the feature AFAIK. 'dead action authorize' works only with multi-domain, while 'dead action reinitialize' works only with multi-auth. So following interface configuration combination will trigger the dead action:

authentication host-mode multi-domain

authentication event server dead action authorize (vlan xxx)

or

authentication host-mode multi-auth

authentication event server dead action reinitialize vlan xxx

View solution in original post

0 Helpful
2 Replies 2

Go to solution
howon
Cisco Employee
Cisco Employee

‎09-26-2016 09:46 AM

The behavior never changed since introduction of the feature AFAIK. 'dead action authorize' works only with multi-domain, while 'dead action reinitialize' works only with multi-auth. So following interface configuration combination will trigger the dead action:

authentication host-mode multi-domain

authentication event server dead action authorize (vlan xxx)

or

authentication host-mode multi-auth

authentication event server dead action reinitialize vlan xxx

0 Helpful

Go to solution
kthiruve
Cisco Employee
Cisco Employee
In response to howon

‎09-26-2016 02:06 PM

Hi Paul,

To add to what Hosuk was saying, the reason behind that is the fact you don't want to reinitialize IP phones that are usually part of voice domain.

IEEE 802.1X Multidomain Authentication  [Support] - Cisco Systems

Multi-auth has several restrictions and port is usually authorized by the first host.

IEEE 802.1X Multiple Authentication  [Support] - Cisco Systems

In this case it make sense to re-initialize to a different VLAN if authentication server is not available. This VLAN is the critical auth VLAN.

Thanks

Krishnan

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents