12-06-2019 06:10 AM
Hi
I'm looking for confirmation of the default behaviour of DOT1x in the event that no authentication servers are available and, equally, whether this can be controlled.
I am mid deployment and testing and expect that my customer will require the network to permit some basic connectivity in the event that the RADIUS server is unavailable.
For the removal of doubt, this is not when authentication is rejected (fails) but when the authentication process fails.
Thanks in advance
PS: this is for a 9300 using this type of config:
policy-map type control subscriber DOT1X-POL
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x priority 10
 event authentication-failure match-first
  10 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  20 class MAB_FAILED do-until-failure
   10 terminate mab
   20 authenticate using webauth parameter-map WEBAUTH_FALLBACK priority 30
  30 class always do-until-failure
   10 terminate dot1x
   20 terminate mab
   30 terminate webauth
   40 authentication-restart 60
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 terminate webauth
   30 authenticate using dot1x priority 10
12-09-2019 03:57 PM
Hi
A few things I've come across with critical authentication are:
hth
Andy
12-06-2019 09:55 AM
10-15-2020 01:24 AM
Hi
I have implemented something very similar to your suggestion and I am successfully assigning a VLAN and ACL to the port on AAA failure.
What does not seem to be working is the process for when the AAA server recovers.
I have this as the event:
 event aaa-available match-first
  10 class IN_AAA_Down_ST do-until-failure
   10 clear-session
class-map type control subscriber match-all IN_AAA_Down_ST
 match activated-service-template AAA_Down
service-template AAA_Down
 access-group AAA_DOWN_ACL_DATA
 vlan 999
show policy-map type control subscriber detail
  Event: event aaa-available match-first
    Class-map: 10 class IN_AAA_Down_ST do-until-failure
      Action: 10 clear-session
      Executed:0
Thoughts?
Andy
10-15-2020 02:10 AM
Hi
What does the output of "show aaa servers" show when your aaa server transitions from dead to alive? Do you see "State: current UP" and "Platform State from SMD: current UP"?
Andy
10-15-2020 02:17 AM
sh aaa servers
RADIUS: id 1, priority 1, host 10.10.10.5, auth-port 1812, acct-port 1813
     State: current UP, duration 4661s, previous duration 0s
12-08-2019 10:07 PM
IBNS 2.0 can be tricky - I am not an expert but I am cobbling together bits and pieces:
See below - you need to match two separate cases:
Port not yet authorized and then AAA dies:
 class AAA_SVR_DOWN_UNAUTHD_HOST
Port already authorized and then AAA dies:
 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
See below:
policy-map type control subscriber PORT-AUTH-POLICY-I
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using mab priority 10
 event authentication-failure match-first
  10 class MAB_FAILED do-until-failure
   10 terminate mab
   20 authenticate using dot1x priority 10
  20 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 authentication-restart 60
  30 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
   10 clear-authenticated-data-hosts-on-port
   20 activate service-template CRITICAL_AUTH_ACCESS
   30 activate service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
   40 authorize
   50 pause reauthentication
  40 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
   10 pause reauthentication
   20 authorize
  50 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 activate service-template CRITICAL_AUTH_ACCESS
   30 activate service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
   40 authorize
   50 pause reauthentication
  70 class always do-until-failure
   10 terminate dot1x
   15 terminate mab
   20 activate service-template CRITICAL_AUTH_ACCESS
   30 activate service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
   40 authorize
   50 pause reauthentication
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 authenticate using dot1x priority 10
 event aaa-available match-all
  10 class IN_CRITICAL_AUTH do-until-failure
   10 clear-session
  20 class NOT_IN_CRITICAL_AUTH do-until-failure
   10 resume reauthentication
 event inactivity-timeout match-all
  10 class always do-until-failure
   10 clear-session
 event authentication-success match-all
  10 class always do-until-failure
   10 activate service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
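The policy-map above references class-maps and service-templates that the post does not show. The block below is an added example (not from the original post or from Cisco documentation) of the supporting configuration that makes the critical-auth classes fire: the class-maps that distinguish "AAA timed out while the port was still unauthorized" from "AAA timed out on an already-authorized port", the IN/NOT_IN_CRITICAL_AUTH pair used by the aaa-available event, the service-template that grants the fallback access, and the RADIUS dead-detection settings without which the switch never declares the server dead and the aaa-timeout result never occurs. The server name ISE-1, the IP 10.10.10.5, the probe username, the ACL name CRITICAL_ACL, VLAN 999 and the timer values are assumptions chosen for illustration; adjust them to the deployment.

```ios
! --- Added example: supporting config for the critical-auth policy-map (assumed names/values) ---

! AAA timed out and the session was not yet authorized
class-map type control subscriber match-all AAA_SVR_DOWN_UNAUTHD_HOST
 match result-type aaa-timeout
 match authorization-status unauthorized

! AAA timed out during reauthentication of an already-authorized session
class-map type control subscriber match-all AAA_SVR_DOWN_AUTHD_HOST
 match result-type aaa-timeout
 match authorization-status authorized

! Used by "event aaa-available": sessions that were granted critical access
! (the template name must be exactly the one activated by the policy-map)
class-map type control subscriber match-any IN_CRITICAL_AUTH
 match activated-service-template CRITICAL_AUTH_ACCESS

class-map type control subscriber match-none NOT_IN_CRITICAL_AUTH
 match activated-service-template CRITICAL_AUTH_ACCESS

! Method result classes referenced by "event authentication-failure"
class-map type control subscriber match-all DOT1X_FAILED
 match method dot1x
 match result-type method dot1x authoritative

class-map type control subscriber match-all DOT1X_NO_RESP
 match method dot1x
 match result-type method dot1x agent-not-found

class-map type control subscriber match-all MAB_FAILED
 match method mab
 match result-type method mab authoritative

! Fallback access granted while AAA is dead: restrict it with an ACL,
! not just a VLAN, so "basic connectivity" stays basic (ACL body assumed, not shown)
service-template CRITICAL_AUTH_ACCESS
 access-group CRITICAL_ACL
 vlan 999

service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
 voice vlan

! Dead-server detection: without these the server is never marked DEAD,
! so requests keep timing out instead of producing result-type aaa-timeout
radius server ISE-1
 address ipv4 10.10.10.5 auth-port 1812 acct-port 1813
 automate-tester username probe-user probe-on
 key 0 <shared-secret-assumed>

radius-server dead-criteria time 10 tries 3
radius-server deadtime 15

! Send EAPOL-Success to supplicants authorized via critical auth so they
! do not keep retrying, and rate-limit re-auth when the server comes back
dot1x critical eapol
authentication critical recovery delay 1000
```

Two checks worth running after applying this: `show aaa servers` should show the server transition to DEAD while the probe fails and back to UP afterwards, and `show policy-map type control subscriber detail` should show non-zero "Executed" counters on the AAA_SVR_DOWN_* classes during the outage and on the IN_CRITICAL_AUTH class once the server recovers. If the aaa-available class never executes, compare the service-template name in its class-map against the one the policy-map actually activated, since the match is by exact name.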