Fallback to local vlan if radius server dead

Hi


I'm currently trying to set up a dot1x lab environment with a CS ACS 5.4. Now I have the following problem: I'd like to use the command "authentication event server dead action reinitialize vlan 180" if the RADIUS server is dead. On my switch interface I'm using a default ACL for restricting the network access before authorization.

After authorization the switch uses the downloadable ACL from the CS ACS. But now if the ACS is not available, there is no ACL to download and the default ACL will block the traffic on the port. Is there any way to solve this issue?

Here are my configurations.

Port:

interface GigabitEthernet1/0/2
 description ACCESS
 switchport access vlan 180
 switchport mode access
 ip access-group ACL_DEFAULT in
 authentication event fail action next-method
 authentication event server dead action authorize
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 no snmp trap link-status
 dot1x pae authenticator
 dot1x timeout tx-period 10
 storm-control broadcast level 30.00
 spanning-tree portfast
 spanning-tree bpduguard enable


ACL:

Extended IP access list ACL_DEFAULT
    10 permit udp any eq bootpc any eq bootps
    20 permit udp any any eq domain
    30 permit icmp any any
    40 permit udp any any eq tftp
    50 permit ip any host 10.10.10.10
    60 deny ip any any


3 Replies

nspasov
Cisco Employee

If you are using 3k/4k/6k family switch you can accomplish this via an eem script. Here is a good example from Cisco Live:

event manager applet default-acl-fallback
 event syslog pattern "%RADIUS-4-RADIUS_DEAD" maxrun 5
 action 1.0 cli command "enable"
 action 1.1 cli command "conf t" pattern "CNTL/Z."
 action 2.0 cli command "ip access-list extended ACL-DEFAULT"
 action 3.0 cli command "1 permit ip any any"
 action 4.0 cli command "end"
!
event manager applet default-acl-recovery
 event syslog pattern "%RADIUS-4-RADIUS_ALIVE" maxrun 5
 action 1.0 cli command "enable"
 action 1.1 cli command "conf t" pattern "CNTL/Z."
 action 2.0 cli command "ip access-list extended ACL-DEFAULT"
 action 3.0 cli command "no 1 permit ip any any"
 action 4.0 cli command "end"

Btw, why do you need the pre-auth ACL?  If you are running in "closed" mode no traffic outside of EAPoL is allowed on the port until successful authentication.


Thank you for rating helpful posts!
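To see what the pre-auth ACL and the EEM fallback above actually do to a client's traffic, here is an added Python model (written for this thread, not Cisco's code or the Cisco Live script). It parses an IOS-style extended ACL in the form posted above, evaluates packets first-match with the implicit deny, and replays constructed syslog lines carrying the %RADIUS-4-RADIUS_DEAD / %RADIUS-4-RADIUS_ALIVE mnemonics the two EEM applets key on, inserting and removing "1 permit ip any any" the same way. The sample packets, the syslog line text around the mnemonics and the port-name table are constructed for this example; it also accepts the "A.B.C.D wildcard" address form, which the original ACL does not use.

```python
"""Model of the pre-auth ACL plus EEM RADIUS-dead fallback from the thread.

Added example, not part of the original post or the Cisco Live EEM script.
All sample inputs (packets, syslog lines, port-name table) are constructed.
"""
import ipaddress
import re

# Port names used in the posted ACL (constructed subset of IOS names)
PORT_NAMES = {"bootpc": 68, "bootps": 67, "domain": 53, "tftp": 69}


def _port(tok):
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def _parse_addr(tokens):
    """Pop one address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D wildcard'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    prefix_len = bin((~wildcard) & 0xFFFFFFFF).count("1")  # contiguous masks only
    return ipaddress.ip_network(f"{tok}/{prefix_len}", strict=False)


def _parse_port(tokens):
    """Pop an optional 'eq <port>' qualifier; None means any port."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        return _port(tokens.pop(0))
    return None


class ExtendedACL:
    """First-match extended ACL ordered by sequence number, as IOS evaluates it."""

    def __init__(self, name):
        self.name = name
        self.entries = {}  # seq -> (action, proto, src, sport, dst, dport)

    def add(self, line):
        """Add an entry given in IOS syntax, e.g. '50 permit ip any host 10.10.10.10'."""
        tokens = line.split()
        seq = int(tokens.pop(0))
        action, proto = tokens.pop(0), tokens.pop(0)
        src, sport = _parse_addr(tokens), _parse_port(tokens)
        dst, dport = _parse_addr(tokens), _parse_port(tokens)
        self.entries[seq] = (action, proto, src, sport, dst, dport)

    def remove(self, line):
        """'no <seq> ...' removes the entry with that sequence number."""
        tokens = line.split()
        assert tokens.pop(0) == "no"
        self.entries.pop(int(tokens.pop(0)), None)

    def permits(self, proto, src, dst, sport=None, dport=None):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for seq in sorted(self.entries):
            action, p, s_net, s_port, d_net, d_port = self.entries[seq]
            if p not in ("ip", proto):
                continue
            if src not in s_net or dst not in d_net:
                continue
            if s_port is not None and s_port != sport:
                continue
            if d_port is not None and d_port != dport:
                continue
            return action == "permit"
        return False  # implicit deny at the end of every IOS ACL


RADIUS_DEAD = re.compile(r"%RADIUS-4-RADIUS_DEAD")
RADIUS_ALIVE = re.compile(r"%RADIUS-4-RADIUS_ALIVE")


def apply_eem_fallback(acl, syslog_line):
    """Mimic the two EEM applets: open the ACL on DEAD, close it again on ALIVE."""
    if RADIUS_DEAD.search(syslog_line):
        acl.add("1 permit ip any any")
        return "fallback-open"
    if RADIUS_ALIVE.search(syslog_line):
        acl.remove("no 1 permit ip any any")
        return "fallback-closed"
    return "no-change"


def build_default_acl():
    """The ACL_DEFAULT posted in the question, entry by entry."""
    acl = ExtendedACL("ACL_DEFAULT")
    for line in (
        "10 permit udp any eq bootpc any eq bootps",
        "20 permit udp any any eq domain",
        "30 permit icmp any any",
        "40 permit udp any any eq tftp",
        "50 permit ip any host 10.10.10.10",
        "60 deny ip any any",
    ):
        acl.add(line)
    return acl


def demo():
    """Client HTTP traffic before, during and after a RADIUS-dead window."""
    acl = build_default_acl()
    results = {"dhcp": acl.permits("udp", "0.0.0.0", "255.255.255.255", 68, 67)}
    http = ("tcp", "10.1.180.20", "10.20.0.5", 51000, 80)  # constructed client flow
    results["http_before"] = acl.permits(*http)
    apply_eem_fallback(acl, "%RADIUS-4-RADIUS_DEAD: server 10.10.10.10 not responding")
    results["http_dead"] = acl.permits(*http)
    apply_eem_fallback(acl, "%RADIUS-4-RADIUS_ALIVE: server 10.10.10.10 marked alive")
    results["http_alive"] = acl.permits(*http)
    return results


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the trade-off of this fallback: with only ACL_DEFAULT applied the client gets DHCP, DNS, ICMP, TFTP and the ACS host, nothing else; while the server is marked dead the inserted sequence 1 permits everything on every port that uses that ACL, and the restriction only returns once RADIUS_ALIVE is logged. Note also that the Cisco Live script names the list ACL-DEFAULT while the posted interface uses ACL_DEFAULT, so the name in the applet would have to match the one actually bound with ip access-group.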

Hi

I'm configuring this on a Catalyst 2960S, so I think I can't use this EEM script. I need this ACL so that the MAC Authentication Bypass traffic can be sent to the CS ACS. If I didn't configure this ACL, I think the client, e.g. a printer, wouldn't be able to communicate with the CS ACS when using MAB. Is that correct or did I make a mistake?

Any other hint?

The command authentication event fail action next-method would allow MAB through after 802.1x times out. Printers and other similar devices that don't support 802.1x will not respond to the EAPoL request and will time out after 3 times the configured 802.1x timeout timer runs out. In your situation that would be 30 seconds (3x10). In order to make sure that devices don't time out on DHCP you can lower the timer to 7 seconds. So you should be good to go without the ACL. Give it a try :)


Thank you for rating helpful posts!