07-29-2016 02:08 PM
Hello,
I'm trying to implement how to authorize the switch port when the ISE nodes are dead.
I tried some commands, but I see that only one endpoint can work, IP phone or PC?
authentication event server dead action authorize vlan x
authentication event server alive action authorize voice
authentication host-mode multi-domain
So is there a way to authorize both endpoints when ISE is dead? Can I use a service policy, for example?
04-09-2018 03:21 AM
global configuration
-----------------------
aaa new-model
username ISERADIUSTEST password ISEtest123
radius server Abb-ISE
address ipv4 x.x.x.x auth-port 1645 acct-port 1646
automate-tester username ISERADIUSTEST idle-time 15
key CSO@citc!
exit
radius server Oct-ISE
address ipv4 y.y.y.y auth-port 1645 acct-port 1646
automate-tester username ISERADIUSTEST idle-time 15
key CSO@citc!
exit
aaa group server radius ISE
server name Abb-ISE
server name Oct-ISE
deadtime 10
exit
aaa server radius dynamic-author
client x.x.x.x server-key CSO@citc!
client y.y.y.y server-key CSO@citc!
exit
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting dot1x default start-stop group ISE
aaa accounting network default start-stop group ISE
aaa accounting delay-start all
aaa accounting update newinfo periodic 60
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server vsa send authentication
radius-server vsa send accounting
ip radius source-interface vlanxx
ip dhcp snooping
ip device tracking
epm logging
logging origin-id ip
logging source-interface Vlanxx
logging host 10.10.81.81 transport udp port 20514
logging host 20.10.81.81 transport udp port 20514
dot1x system-auth-control
dot1x critical eapol
ip http server
ip http secure-server
ip access-list extended redirection
permit tcp any any eq 80
permit tcp any any eq 443
permit tcp any any eq 8905
permit ip any host 1.1.1.1
deny ip any any
exit
mac address-table notification change
mac address-table notification mac-move
snmp-server trap-source vlanxx
snmp-server community CSO@citc! RO
snmp-server enable traps mac-notification change move threshold
snmp-server enable traps errdisable
snmp-server enable traps vlan-membership
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server host 10.10.81.40 version 2c CSO@citc! mac-notification snmp
snmp-server host 20.10.81.40 version 2c CSO@citc! mac-notification snmp
interface configuration
-----------------------
interface GigabitEthernet w/x/y-z
switchport access vlan X
switchport voice vlan y
switchport mode access
authentication event fail action next-method
! critical auth: when every ISE node in the group is marked dead, authorize the
! data domain into vlan X and the voice domain into the configured voice vlan
authentication event server dead action authorize vlan X
authentication event server dead action authorize voice
dot1x pae authenticator
dot1x port-control auto
authentication order dot1x mab
authentication priority dot1x mab
mab
dot1x timeout tx-period 10
authentication periodic
authentication timer reauthenticate server
authentication host-mode multi-domain
snmp trap mac-notification change added
spanning-tree portfast
exit
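A small audit script, added here and not part of the thread or of any Cisco tool, that parses the interface stanzas of a running config and flags multi-domain ports missing either critical-auth action (the "server alive" variant from the original question is deliberately not accepted). The sample config it runs on is constructed.

```python
import re
# Constructed sample of "show running-config" output (not from the thread).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 authentication event server dead action authorize vlan 10
 authentication event server dead action authorize voice
 authentication host-mode multi-domain
!
interface GigabitEthernet1/0/2
 authentication event server dead action authorize vlan 10
 authentication event server alive action authorize voice
 authentication host-mode multi-domain
!
interface GigabitEthernet1/0/3
 authentication host-mode single-host
"""
# Both actions a multi-domain port needs so the PC and the phone keep
# working while every RADIUS server in the group is marked dead.
DEAD_DATA = re.compile(r"^authentication event server dead action authorize vlan \d+$")
DEAD_VOICE = "authentication event server dead action authorize voice"

def parse_interfaces(config):
    # Group the indented lines of each "interface ..." stanza by name.
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            stanzas[current] = []
        elif current is not None and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None  # "!" or another top-level line ends the stanza
    return stanzas

def audit_critical_auth(config):
    # {interface: [missing actions]} for multi-domain ports only. A
    # "server alive" action does not count: it never fires while ISE is down.
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if "authentication host-mode multi-domain" not in lines:
            continue
        missing = []
        if not any(DEAD_DATA.match(l) for l in lines):
            missing.append("data")
        if DEAD_VOICE not in lines:
            missing.append("voice")
        if missing:
            findings[name] = missing
    return findings
```

Run it against the output of `show running-config` saved to a file; an empty result means every multi-domain port keeps both the data and the voice domain authorized while ISE is unreachable.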
07-30-2018 02:34 AM
Does this configuration allow both VLANs, i.e. data and voice? Because I have the same scenario, but the IP phone connects to the switch and the PC connects to the IP phone.
07-30-2016 10:30 AM
The correct command is authentication event server dead action authorize voice