IBNS 2.0 Err-Disable port if auth fails

GilR
Level 1

I am trying to make it so if someone plugs something into the switch, it checks dot1x, then checks MAB if that fails, and then if both fail, I want the port to go to err-disabled state. The Cisco IBNS 2.0 documentation only has examples that make it so the device gets to keep trying and trying even though it fails. I don't want it to keep trying, I want the port to err-disable. Does anyone have an example config? This is what I have:

policy-map type control subscriber DOT1X_MAB_POLICY
  event session-started match-all
    10 class always do-until-failure
     10 authenticate using dot1x priority 10 
  event authentication-failure match-first
    5 class DOT1X_FAILED do-until-failure
     10 terminate dot1x 
     20 authenticate using mab priority 20 
    30 class DOT1X_NO_RESP do-until-failure
     10 terminate dot1x 
     20 authenticate using mab priority 20 
    40 class DOT1X_TIMEOUT do-until-failure
     10 terminate dot1x 
     20 authenticate using mab priority 20 
    50 class MAB_FAILED do-until-failure
     10 terminate mab 
     20 unauthorize 
  event agent-found match-all
    10 class always do-until-failure
     10 terminate mab 
     20 authenticate using dot1x priority 10 
  event aaa-available match-all
  event inactivity-timeout match-all
    10 class always do-until-failure
     10 clear-session 
  event authentication-success match-all
    10 class always do-until-failure
     10 activate service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE 
  event violation match-all
    10 class always do-until-failure
     10 err-disable 
  event authorization-failure match-all
    10 class AUTHC_SUCCESS-AUTHZ_FAIL do-until-failure
     10 authentication-restart 60 
10 Replies

Err-disable happens for a violation, not for failed authc; that's what I know, but let me check.

MHM

Maybe there is a sneaky way around it, but the config in IOS-XE 17.12 is as follows:

(config)#errdisable detect cause ?
  all                  Enable error detection on all cases
  arp-inspection       Enable error detection for arp inspection
  bpduguard            Enable error detection on bpdu-guard
  dhcp-rate-limit      Enable error detection on dhcp-rate-limit
  dtp-flap             Enable error detection on dtp-flapping
  gbic-invalid         Enable error detection on gbic-invalid
  inline-power         Enable error detection for inline-power
  l2ptguard            Enable error detection on l2protocol-tunnel
  link-flap            Enable error detection on linkstate-flapping
  loopback             Enable error detection on loopback
  loopdetect           Enable error detection on loopdetect
  pagp-flap            Enable error detection on pagp-flapping
  pppoe-ia-rate-limit  Enable error detection on PPPoE IA rate-limit
  psp                  Enable error detection on PSP
  security-violation   Enable error detection on 802.1x-guard
  sfp-config-mismatch  Enable error detection on SFP config mismatch
  udld                 Enable error detection on udld

I didn't know there was a global way to do this, but it does not seem to work for IBNS 2.0

There is no option under fail auth for err disable. 

Sorry, but as I mentioned before, there is no err-disable for failed authc.

For failed authc you can put the endpoint into a specific VLAN which doesn't allow the endpoint to access the network.

To make the admin get a log, you can use EEM; this makes the admin get a log, such as for a violation event.

MHM

As the others mentioned, I don't believe what you are looking for is supported. The security violation event happens if, for instance, you set the port to dot1x single-host and multiple MAC addresses are connected on that port. In that case a violation would happen and you can set the action to err-disable the port. May I ask why you would want to err-disable the port if authentication is failing? The whole point of deploying dot1x is to allow access to your network only if authentication has passed and if the session is authorized to your network.

It is a high security environment. We don't want people to be able to keep trying, because if it didn't work the first time, it's not going to work the next 100 times. We would rather it err-disable.

@GilR - the IOS Session Manager is a state machine - and the IBNS 2.0 config you have is probably as good as it's going to get. The authorization is partly derived from the RADIUS server (authentication-success) and partly from the switch itself (e.g. agent found or DOT1X no response). Either way, the session manager does not consider any of the end states as errors that could trigger the err-disable function. If you want to stop the authentication cycle (like you mentioned, users failing 100 times etc.), then you need to stop the state machine on the switch, which in turn will stop any further attempts from communicating with the RADIUS server. I have not used the "unauthorize" action in my policy-sets. But if that doesn't bring joy, then sending back an access-accept + dACL (ip deny all) + dynamic VLAN assignment (for a dummy VLAN ID) is a sure way to stop the state machine and prevent the endpoint from getting any access. As we can see below, the part in the Policy-Map after MAB failure - these are the possible actions the switch could take. I would think unauthorize is the best choice:

SW1(config-action-control-policymap)#20 ?
  activate                                activate template or policy 
  authenticate                            authenticate a session
  authentication-restart                  restarts the auth sequence after the specified number of sec
  authorize                               authorize session
  clear-authenticated-data-hosts-on-port  clears authenticated data hosts on the port
  clear-session                           clears an active session
  deactivate                              deactivate template or policy 
  notify                                  notifies the session attributes
  pause                                   pause operation to be specified
  set-domain                              set domain
  set-timer                               set abs timer to pop N seconds from now
  terminate                               terminate auth method
  unauthorize                             unauthorize session

If we could include a shutdown command in an interface template, then you could activate that - that would be nice:

SW1(config-action-control-policymap)#20 activate interface-template SHUT-PORT

You can't do that in an interface template. But you can execute a shell function (not sure if this is the Guest shell or what this is exactly) - That's what I meant by sneaky - sometimes there is a way around this with other clever tricks.
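
Building on the EEM suggestion earlier in the thread and on the point above that a shell function can do what an interface template cannot, here is an added example (not from this thread, and not Cisco's own sample configuration) of an EEM applet that administratively shuts a port once the switch logs a MAB failure, so the dot1x/MAB cycle stops without relying on err-disable. Assumptions: the switch emits a "%MAB-5-FAIL ... Interface <name>" syslog when MAB fails (the exact text varies by IOS-XE release, so confirm it with a test client first), EEM applet actions including regexp are available on the platform, and the applet name MAB_FAIL_SHUT is made up here.

```cisco
! Added example, not from the thread or from Cisco documentation.
! Assumption: a MAB failure produces a syslog line containing
! "%MAB-5-FAIL" and "Interface <name>". With the policy-map in the
! original post, MAB only runs after dot1x has failed, so this fires
! only when both methods have failed on the port.
event manager applet MAB_FAIL_SHUT
 event syslog pattern "%MAB-5-FAIL.*Interface"
 ! Extract the interface name from the syslog message into $intf
 action 1.0 regexp "Interface ([A-Za-z]+[0-9/]+)" "$_syslog_msg" match intf
 ! Bail out if the message format did not match (no interface captured)
 action 1.1 if $_regexp_result eq "0"
 action 1.2  exit
 action 1.3 end
 ! Administratively shut the port so no further attempts are made
 action 2.0 cli command "enable"
 action 2.1 cli command "configure terminal"
 action 2.2 cli command "interface $intf"
 action 2.3 cli command "shutdown"
 action 2.4 cli command "end"
 ! Tell the admin what happened and how to recover
 action 3.0 syslog priority alerts msg "MAB_FAIL_SHUT: $intf shut after MAB failure; investigate, then 'no shutdown' to recover"
```

A port closed this way is administratively down, not err-disabled, so errdisable recovery timers will not reopen it; an admin has to issue no shutdown on the interface after investigating, which matches the "stop the state machine" goal in the reply above. Check that the applet registered with show event manager policy registered, and try it on a lab port first, since the applet acts on every MAB failure the pattern matches.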

Very nice reply 

Totally right.

Big like 

MHM

I see what you are getting at. I will look for a way around it.