
Dot.1x Inaccessible Authentication Bypass

richarddsmitt
Level 1

Hi,

I configured a critical VLAN on my 2960-X switch, and everything works perfectly: as I expected, when the RADIUS server (ISE 1.3) goes down, ports are placed in the critical VLAN. But there is a problem: after the ports are put in the critical VLAN, the IP and MAC address in the output of the "show authentication session" command show as UNKNOWN.

Actually the system gets the IP correctly, and the IP-to-MAC binding is correct in the "ip dhcp binding" and "ip device tracking" output, but the show output says the IP and MAC are unknown.

Is there any idea for that?

Thanks


nspasov
Cisco Employee

Hello Richard-

A couple of questions:

1. Does the device have internet/intranet access during the critical auth?

2. Can you post your RADIUS and switchport configs?

Thank you for rating helpful posts!


Hi Neno,

Actually, no, it does not have any access to the Internet or intranet.

Yes, here is my configuration:

interface GigabitEthernet1/0/1
 switchport access vlan 172
 switchport mode access
 authentication event server dead action authorize vlan 501
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication order dot1x
 authentication priority dot1x
 authentication port-control auto
 dot1x pae authenticator
 dot1x timeout tx-period 20
 dot1x max-reauth-req 10
 spanning-tree portfast

aaa new-model
!
!
aaa group server radius ISE
 server name ISE-15
!
aaa authentication login default local
aaa authentication enable default none
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting update periodic 1
aaa accounting dot1x default start-stop group ISE
aaa accounting system default start-stop group ISE

aaa server radius dynamic-author
 client 172.16.25.15 server-key cisco
!

ip device tracking

radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 send nas-port-detail
radius-server attribute 31 remote-id
radius-server vsa send cisco-nas-port
!

radius server ISE-15
 address ipv4 172.16.25.15 auth-port 1812 acct-port 1813
 timeout 10
 retransmit 2
 automate-tester username tester probe-on
 key cisco

Hmm, what version of code are you running? Also, can you post the output of the "show authentication session..." command? Last but not least, have you confirmed that the critical VLAN exists in the switch VLAN database and that it is allowed on the upstream trunk ports?



The version running on my 2960-X is the Cisco-suggested IOS: "15.0(2)EX5".

I also have the same problem with a common 2960.

Yes, all the switching infrastructure works properly; as I said, IP assignment is in place, but there is no report in the show command.

Here is the output of "show authentication sessions":

2960-x-B#sho auth sessions int gi 1/0/1
            Interface:  GigabitEthernet1/0/1
          MAC Address:  Unknown
           IP Address:  Unknown

               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-host
     Oper control dir:  both
        Authorized By:  Critical Auth
          Vlan Policy:  501
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  AC10191A0000000F0005481A
      Acct Session ID:  0x00000012
               Handle:  0x8B000010

Runnable methods list:
       Method   State
       dot1x    Authc Failed

Critical Authorization is in effect for domain(s) DATA

#######################

2960-x-B#sho ip device tracking  int gi 1/0/1
IP Device Tracking = Enabled
IP Device Tracking Probe Count = 3
IP Device Tracking Probe Interval = 30
IP Device Tracking Probe Delay Interval = 0
-----------------------------------------------------------------------
  IP Address     MAC Address   Vlan  Interface                STATE    
-----------------------------------------------------------------------
172.50.1.17     1078.d28e.d34a  501  GigabitEthernet1/0/1     ACTIVE
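The two outputs above are exactly what an operator wants correlated when RADIUS is down: "show authentication sessions" tells you which ports were authorized by the critical-auth fallback but reports the host as Unknown, while "show ip device tracking" still holds the MAC/IP binding for the same interface. The following Python script is an added example, not code from this thread or from Cisco; it parses constructed copies of both outputs (the Gi1/0/1 lines mirror the thread, the Gi1/0/2 session and binding are invented for contrast) and reports every port sitting in the critical VLAN without a RADIUS decision, filling in the host identity from device tracking and checking that the operational VLAN agrees with the session's VLAN policy. Feed it the real outputs (for example collected over SSH) to get the same report for a whole switch.

```python
import re

# Constructed sample in the layout of "show authentication sessions interface <if>" as
# posted in the thread, concatenated for two ports: Gi1/0/1 mirrors the thread's
# critical-auth session, Gi1/0/2 is an invented normally authorized session for contrast.
SHOW_AUTH_SESSIONS = """\
            Interface:  GigabitEthernet1/0/1
          MAC Address:  Unknown
           IP Address:  Unknown
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-host
        Authorized By:  Critical Auth
          Vlan Policy:  501
    Common Session ID:  AC10191A0000000F0005481A

Runnable methods list:
       Method   State
       dot1x    Authc Failed

Critical Authorization is in effect for domain(s) DATA

            Interface:  GigabitEthernet1/0/2
          MAC Address:  0050.5686.1a2b
           IP Address:  172.16.172.20
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-domain
        Authorized By:  Authentication Server
          Vlan Policy:  172
    Common Session ID:  AC10191A000000100005490C
"""

# Constructed "show ip device tracking" table in the thread's layout (second row invented).
SHOW_DEVICE_TRACKING = """\
IP Device Tracking = Enabled
-----------------------------------------------------------------------
  IP Address     MAC Address   Vlan  Interface                STATE
-----------------------------------------------------------------------
172.50.1.17     1078.d28e.d34a  501  GigabitEthernet1/0/1     ACTIVE
172.16.172.20   0050.5686.1a2b  172  GigabitEthernet1/0/2     ACTIVE
"""

# "Key:  Value" lines of the session detail; the methods table and footer have no such shape.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s+(\S.*?)\s*$")
# One device-tracking row: IP, dotted-hex MAC, VLAN, interface, state.
TRACK_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F]{4}(?:\.[0-9a-fA-F]{4}){2})"
    r"\s+(\d+)\s+(\S+)\s+(\S+)\s*$")


def parse_auth_sessions(text):
    """Return one dict per session; a new record starts at each 'Interface:' line."""
    sessions = []
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Interface":
            sessions.append({})
        if sessions:
            sessions[-1][key] = value
    return sessions


def parse_device_tracking(text):
    """Return {interface: [(ip, mac, vlan, state), ...]} from 'show ip device tracking'."""
    bindings = {}
    for line in text.splitlines():
        m = TRACK_RE.match(line)
        if m:
            ip, mac, vlan, iface, state = m.groups()
            bindings.setdefault(iface, []).append((ip, mac.lower(), vlan, state))
    return bindings


def audit_critical_auth(sessions_text, tracking_text):
    """List every port authorized by the server-dead fallback ('Authorized By: Critical Auth').

    The session shows MAC/IP as Unknown, so the host identity is taken from the ACTIVE
    device-tracking binding on the same interface; the finding also records whether the
    binding's VLAN agrees with the session's VLAN policy."""
    tracking = parse_device_tracking(tracking_text)
    findings = []
    for s in parse_auth_sessions(sessions_text):
        if s.get("Authorized By") != "Critical Auth":
            continue
        iface, vlan = s["Interface"], s.get("Vlan Policy")
        mac, ip = s.get("MAC Address", "Unknown"), s.get("IP Address", "Unknown")
        active = [b for b in tracking.get(iface, []) if b[3] == "ACTIVE"]
        if active and "Unknown" in (mac, ip):
            ip, mac = active[0][0], active[0][1]
        findings.append({"interface": iface, "vlan": vlan, "mac": mac, "ip": ip,
                         "vlan_matches_tracking": any(b[2] == vlan for b in active)})
    return findings


if __name__ == "__main__":
    for f in audit_critical_auth(SHOW_AUTH_SESSIONS, SHOW_DEVICE_TRACKING):
        print(f"{f['interface']}: critical VLAN {f['vlan']} host {f['mac']} {f['ip']}"
              f" (device-tracking VLAN agrees: {f['vlan_matches_tracking']})")
```

Only sessions whose "Authorized By" field is "Critical Auth" are reported, so a port that re-authenticates normally once the server comes back (the "server alive action reinitialize" in the posted config) drops out of the report on the next run; a port that stays in the list after ISE is reachable again is worth a closer look.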

Hi Richard,

Sorry for hijacking your thread, but I have the same problem.

Could you find a solution to this?

TIA