11-02-2010 08:45 AM - edited 03-10-2019 05:32 PM
We have a problem with Catalyst 4510R-E, Sup 6-E, IOS 12.2(54)SG (the same issue repeats with IOS 12.2(53)SG3 as well): dot1x authentication when the RADIUS server is inaccessible. The switch port simply doesn't go into the critical (server-dead) VLAN, but stays in access VLAN 40.
The same configuration with a 3750 switch and IOS 12.2(55)SE works.
Below is the configuration of the switch:
aaa group server radius dot1x
 server-private 10.200.1.27 key 7 1
 server-private 10.200.1.26 key 7 1
 ip vrf forwarding data
 ip radius source-interface Vlan100
!
aaa authentication dot1x default group dot1x
aaa authorization network default none
!
interface GigabitEthernet1/48
 description TEST DOT1X
 switchport access vlan 40
 switchport mode access
 authentication event server dead action authorize vlan 240
 authentication event server alive action reinitialize
 authentication port-control auto
 dot1x pae authenticator
 dot1x timeout server-timeout 10
 dot1x timeout tx-period 10
 dot1x timeout start-period 20
 spanning-tree portfast
!
interface Vlan40
 ip vrf forwarding data
 ip address 10.10.10.1 255.255.255.0
!
ip radius source-interface Vlan100 vrf data
radius-server dead-criteria time 3 tries 2
radius-server host 10.200.1.27 auth-port 1645 acct-port 1646 test username admin idle-time 1
radius-server host 10.200.1.26 auth-port 1645 acct-port 1646 test username admin idle-time 1
radius-server deadtime 3
dot1x system-auth-control
dot1x critical eapol
Does anyone have an idea what we could do to resolve this?
11-05-2010 10:29 AM
Hello,
How are you testing this? Once the radius server goes down are you attempting another authentication? Existing ports will not be moved to 240 but if another authentication is kicked off and the RADIUS servers are down then VLAN 240 will be applied. Here is the description of what this feature does when the RADIUS server goes down:
--Jesse
11-09-2010 07:55 AM
Hi,
Both RADIUS servers are connected to the location with the Catalyst 4510 switch through a WAN link. We test RADIUS server inaccessibility by shutting down the WAN connection. Still, the dot1x port doesn't go into the auth-failed (server dead) VLAN. This switch port appears unauthenticated in VLAN 40.
Regards,
Vesna
12-17-2010 12:18 AM
To verify the auth-fail VLAN, the AAA server should be alive and it should reject the user. Maybe a wrong username or password can be sent.
The way you are testing is for the critical VLAN, which means the AAA server is not reachable/responding. Hope this clarifies.
12-17-2010 12:40 AM
Hi,
Sorry, I wrote a wrong description of the problem. The problem is that when the RADIUS servers are inaccessible, the dot1x port doesn't enter the critical VLAN. It stays unauthenticated in VLAN 40.
12-18-2010 10:36 PM
Dear Vciric
The critical VLAN is applied when the RADIUS servers are down and you are trying a new authentication, i.e. if the user was already authorized he will not be requested to authenticate again until 802.1x times out on the switch port.
So, if you want to test the critical vlan
Hope this answer helps you.
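The test sequence the replies above describe (RADIUS servers marked dead, then a fresh authentication on the port), written out as an added example; it is not part of the thread and not Cisco documentation. Interface Gi1/48, VLANs 40/240 and the server addresses come from the posted configuration; the hostname "SW4510" and the WAN-facing uplink Gi1/1 are assumptions. The server-dead action can only fire once the switch has marked every server in group "dot1x" DEAD, so the `show aaa servers` check in step 3 is the one to watch: the posted `server-private` entries carry no `auth-port`/`test username`, while the global `radius-server host` lines that do are a separate set of entries, so it is worth confirming which servers actually transition to DEAD.

```cisco
! Added example (not from the thread): testing the critical (server-dead)
! VLAN on a Catalyst 4500, IOS 12.2SG. Hostname and uplink are assumed.
!
! 1. Baseline: both servers in group "dot1x" must report UP.
SW4510# show aaa servers
!
! 2. Simulate the RADIUS outage by shutting the WAN-facing uplink
!    (Gi1/1 is an assumption; use the real WAN interface).
SW4510# configure terminal
SW4510(config)# interface GigabitEthernet1/1
SW4510(config-if)# shutdown
SW4510(config-if)# end
!
! 3. Wait for dead detection (dead-criteria "time 3 tries 2", automated
!    test every 1 minute) and confirm BOTH servers are now DEAD.
!    If they stay UP here, VLAN 240 will never be applied.
SW4510# show aaa servers
!
! 4. An already-authorized session is NOT moved. Force a NEW
!    authentication on the test port so the server-dead action runs.
SW4510# clear dot1x interface GigabitEthernet1/48
!
! 5. The port should now be authorized in VLAN 240 (critical VLAN)
!    instead of sitting unauthenticated in VLAN 40.
SW4510# show dot1x interface GigabitEthernet1/48 details
SW4510# show authentication sessions interface GigabitEthernet1/48
!
! 6. Restore the WAN link; "authentication event server alive action
!    reinitialize" re-authenticates the port once a server is back.
SW4510# configure terminal
SW4510(config)# interface GigabitEthernet1/1
SW4510(config-if)# no shutdown
SW4510(config-if)# end
SW4510# show aaa servers
```

Step 4 is the part the original test skipped: cutting the WAN alone leaves the existing port state untouched, and only the next EAPOL exchange on the port consults the server-dead action.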