12219 Views | 12 Helpful | 17 Replies

how to authorize switch port when ISE is down

kareali@cisco.com (Cisco Employee)

Hello,

I'm trying to implement a way to authorize the switch port when the ISE nodes are dead.

I tried some commands, but I see that only one endpoint can work, the IP phone or the PC?

authentication event server dead action authorize vlan x
authentication event server alive action authorize voice
authentication host-mode multi-domain

So is there a way to authorize both endpoints when ISE is dead? Can I use a service policy, for example?

Accepted Solution

Kareem, run 'dot1x critical eapol' global command and try the test again.

17 Replies

hslai (Cisco Employee)

If not already done, please check out this how-to, How To: Universal IOS Switch Config for ISE; the other guides on Cisco Switches might be of interest to you, too.

Your inquiry is actually more on the switch side, so I would suggest seeking support from the Cisco switch platform team if you have further questions.

Hello,

Thanks a lot for the document, but the PC is always stuck in dot1x authentication; it is always running, so the PC never gets the critical VLAN, but the IP phone worked perfectly. When I removed AnyConnect from the PC, it gets the critical VLAN.

So I guess the problem is in the timeouts maybe, or something else. Here is the switch configuration:

interface GigabitEthernet1/0/15
 switchport access vlan 15
 switchport mode access
 switchport voice vlan 248
 authentication event fail action next-method
 authentication event server dead action authorize vlan 15
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation restrict
 mab
 mls qos trust device cisco-phone
 mls qos trust cos
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 spanning-tree bpduguard enable
end

Are you seeing this issue with new authentications? If a DOT1X client is already authorized, I do not think it would get put into the critical VLAN. Also, it might depend on the AnyConnect NAM profile allowing DOT1X auth failures.

Hello,

Yes, I'm talking about new clients trying to connect when RADIUS is dead, and your suggestion is already enabled!!

The problem is that dot1x keeps running; it never fails on the switch!!

Kareem, run 'dot1x critical eapol' global command and try the test again.

Not working. I would have to allow data before authentication in AnyConnect, and this is not acceptable.

Have you tried it with Windows native supplicant? I would expect the same result as your AnyConnect NAM tests.

Please detail which switch model and Cisco IOS release the switch is running. As I mentioned before, this is a switch feature, so it's best to seek support from the switch platform teams.

Hi Kareem,

Is there any luck on the issue? We have the same issue with the PCs that have AnyConnect installed: they are stuck in authentication. PCs without AnyConnect work fine and get the critical auth VLAN, but no luck for the machines with AnyConnect installed.

I tried the option "Enable the port exception" mentioned above, but same result.

Hello Deepu,

I'm using the switch template below, and it's working with AnyConnect and without AnyConnect:

dot1x system-auth-control
dot1x critical eapol

interface GigabitEthernet w/x/y-z
 switchport access vlan X
 switchport voice vlan y
 switchport mode access
 authentication event fail action next-method
 authentication event server dead action authorize vlan X
 authentication event server dead action authorize voice
 dot1x pae authenticator
 dot1x port-control auto
 authentication order dot1x mab
 authentication priority dot1x mab
 mab
 dot1x timeout tx-period 10
 authentication periodic
 authentication timer reauthenticate server
 authentication host-mode multi-domain
 snmp trap mac-notification change added
 spanning-tree portfast
exit

The AnyConnect configuration was "allow data before authentication".

I faced a disaster with a customer last month when all ISE nodes were down and AD was down, but nobody complained because the critical VLAN was applied to all interfaces.

Hi Karem,

Thank you for your quick reply. Much appreciated. I am using the same template on the switches, but still the same problem. Could you please help with how you configure "allow data before authentication" in AnyConnect? Do you have a sample configuration.xml so that I can check the setting? My email ID is deepu.vargheset@gmail.com. Please send it if possible.

Thanks,

Deepu

It seems like you are talking about AnyConnect NAM allowing network access when dot1x fails? This has nothing to do with ISE or the switch.

Please reference the AnyConnect document:

https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect40/administration/guide/b_AnyConnect_Administrator_Guide_4-0/configure-nam.html#ID-1424-00000172

If you have more questions on AnyConnect NAM, please move this to the AnyConnect forum.

Kareem Ali wrote: (quoting the switch-template reply above in full)

Hello Kareem,

We have tried the option "data before authentication" in the AnyConnect configuration, but the issue remains the same. AnyConnect shows "authenticating", and on the switch side dot1x is running and never falls back. We stopped the AnyConnect services and everything worked fine as expected. So I believe we need some tweaking in the AnyConnect profile. Any idea? As mentioned below by Jason, do we need to put this discussion on the AnyConnect group?

Are you using the "authentication open" command on the switch ports?

Hi,

I didn't configure any special configuration for AnyConnect. I just configured "allow data before authentication", and the remaining settings are the defaults.

From the switch side, the switch has to mark ISE as dead in order to apply the critical VLAN. So do you see ISE dead?

In the switch configuration I do a RADIUS test every 5 minutes; I believe this is important. Here is the whole template I use in the switch:

global configuration

Thanks Kareem for your reply. Could you please provide the global configuration for a reference.

Thanks

Deepu

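The thread never reaches the global configuration, so here is an added example of the RADIUS/AAA side that the port templates above depend on. This is the editor's example, not Kareem's or Deepu's configuration, and the server names, addresses, shared secret, test username, VLAN numbers and timer values are placeholders chosen for illustration. It shows the three things the switch needs before `authentication event server dead action authorize ...` can ever fire: a dead-criteria so that unanswered requests actually move a PSN to DEAD, an automate-tester probe (the "RADIUS test every 5 minutes" Kareem refers to) so the switch notices recovery and does not only learn about server state from real client attempts, and the global `dot1x critical eapol` from the accepted solution, which sends the supplicant an EAP-Success on critical authorization instead of leaving it spinning in "authenticating".

```cisco-ios
! Added example (not from the original thread): global AAA/RADIUS configuration
! for ISE server-dead (critical authentication) handling on an IOS access switch.
! Server names, IPs, the key, the test username and all timers are assumptions.
aaa new-model
aaa authentication dot1x default group ISE-GROUP
aaa authorization network default group ISE-GROUP
aaa accounting dot1x default start-stop group ISE-GROUP
!
radius server ISE-PSN-1
 address ipv4 10.1.1.10 auth-port 1812 acct-port 1813
 key ISE-shared-secret-placeholder
 ! Send a test Access-Request every 5 minutes while the server is idle.
 ! Any RADIUS reply, including Access-Reject, proves the server is alive,
 ! so the test account does not have to exist on ISE.
 automate-tester username radius-test probe-on idle-time 5
!
radius server ISE-PSN-2
 address ipv4 10.1.1.11 auth-port 1812 acct-port 1813
 key ISE-shared-secret-placeholder
 automate-tester username radius-test probe-on idle-time 5
!
aaa group server radius ISE-GROUP
 server name ISE-PSN-1
 server name ISE-PSN-2
!
! A server is marked DEAD after 3 unanswered requests inside a 10 second window
! and stays DEAD for 15 minutes before the switch retries it. Only when every
! server in ISE-GROUP is DEAD does the "server dead" port action apply.
radius-server dead-criteria time 10 tries 3
radius-server deadtime 15
!
dot1x system-auth-control
! Reply EAP-Success to an 802.1X supplicant when the port is authorized by the
! critical action; without this, NAM keeps waiting for an EAP result.
dot1x critical eapol
! Wait 2000 ms after a server recovers before reinitializing critical ports
! (unit is milliseconds, default 1000).
authentication critical recovery delay 2000
```

To confirm the switch's view of ISE, `show aaa servers` and `show radius server-group all` report each server's current UP/DEAD state and dead-criteria counters, `test aaa group ISE-GROUP radius-test anypassword new-code` fires a probe on demand, and `show authentication sessions interface GigabitEthernet1/0/15 details` shows whether the data and voice domains were authorized by dot1x, MAB, or the critical (server dead) action and which VLAN each landed in. One caveat: the critical VLAN grants access without any authentication, so keep VLAN X tightly ACL-scoped, and keep `authentication event server alive action reinitialize` on the ports so every critically authorized endpoint is forced back through ISE once a PSN returns.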