Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3959
Views
0
Helpful
2
Replies

IBNS 2.0 and Switch Configuration

rmeans
Level 3
Level 3

‎08-16-2017 09:05 AM - edited ‎03-11-2019 12:56 AM

I am building a dot1x configuration for my switches.  I am using the new-style (authentication display config-mode).  I have built the configuration to work correctly for MAB and dot1x authenticates successfully.  I am at the point of creating the configuration to handle the exceptions.  Currently I am focused on if the AAA server is down.

So does any have any sample configurations on how to fail open when the AAA server is down?  Possibly try retry authentication after a period of time.

The current configuration is below.  My (failed) attempts to included proper handling of the AAA being down are included.

class-map type control subscriber match-all DOT1X_NO_RESP
match method dot1x
match result-type method dot1x agent-not-found
class-map type control subscriber match-all MAB_FAILED
match method mab
match result-type method mab authoritative
class-map type control subscriber match-all SERVER_DOWN
match result-type aaa-timeout
class-map type control subscriber match-all dot1x_FAILED_PASSWORD
match method dot1x
match result-type authoritative

policy-map type control subscriber user_default
event session-started match-all
10 class always do-until-failure
10 authenticate using dot1x priority 10
20 authenticate using mab priority 20
event authentication-failure match-first
10 class SERVER_DOWN do-until-failure
10 authorize
20 class MAB_FAILED do-until-failure
10 terminate mab
20 activate service-template null_vlan
30 authentication-restart 60
30 class always do-until-failure
10 terminate dot1x
20 terminate mab
30 activate service-template null_vlan
40 authentication-restart 60
event agent-found match-all
10 class always do-until-failure
10 terminate mab
20 authenticate using dot1x priority 10
event timer-expiry match-all
10 class SERVER_DOWN do-until-failure
10 authorize
event absolute-timeout match-all
10 class SERVER_DOWN do-until-failure
10 authorize

Labels:
0 Helpful
2 Replies 2

Sandeep Ramakrishnan
Cisco Employee
Cisco Employee

‎03-30-2018 08:59 AM - edited ‎03-30-2018 09:05 AM

you can refer to the guide documented here:

https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-services/whitepaper_C11-729965.html

 

it has sample configs and descriptions to reauth mab and dot1x automatically if radius is unreachable
0 Helpful

Michael Thornton
Level 1
Level 1
In response to Sandeep Ramakrishnan

‎01-07-2019 01:19 PM

Is there a newer version of the guide for ISE 2.x? I realize most things will be the same, but I'm curious if there are any differences. 

0 Helpful
Customers Also Viewed These Support Documents