IF AAA server unreachable and Host is unauthorized, will Host status become authorized automatically?

getaway51
Level 2

Hi

Currently both AAA servers are DOWN. Can I say that all hosts are automatically authorized now (i.e. permit ALLOW)?

But I saw some hosts are Unauth. I thought all hosts are automatically "Auth" if the AAA server is down?

Is there any reason for this, or how can I further verify or solve this Unauth?

LOF030#sh auth ses

Gi1/0/41 0010.g577.1117 mab UNKNOWN Unauth
Gi1/0/47 00b7.354c.144c mab UNKNOWN Auth

10 class AI_AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
! IF AAA server unreachable and Host is unauthorized
10 activate service-template AI_CRITICAL_ACL
20 authorize
40 pause reauthentication
! Activate the critical ACL service template and authorize the host to get o

8 Replies

Hi @getaway51,

Please take a look at the result of the following commands:

show authentication sessions interface GigabitEthernet 1/0/41 details
show authentication sessions interface GigabitEthernet 1/0/47 details

Hope this helps !!!

Hi,

I captured from 2 interfaces in the same switch. One is AZ, the other is UZ. I noticed some differences. Port 41 has 1 Service Template. Port 42 has 2 Service Templates with Voice VLAN 100. Do you know what it means? It somehow affected the UZ and AZ status. Many thanks to you again!!

Port 41

Local Policies:
Service Template: CRITICAL_AUTH_VLAN (priority 150)

Port 47

Local Policies:
Service Template: CRITICAL_AUTH_VLAN (priority 150)
Service Template: DEFAULT_CRITICAL_VOICE_TEMPLATE (priority 150)
Voice Vlan: 100

sh auth ses int Gi1/0/41 details
Interface: GigabitEthernet1/0/41
IIF-ID: 0x114B9FE0
MAC Address: 0010.1234.1117
IPv6 Address: Unknown
IPv4 Address: Unknown
Status: Unauthorized
Domain: UNKNOWN
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Common Session ID: AC1EBA0D9F2B
Acct Session ID: Unknown
Handle: 0xf500000a
Current Policy: POLICY_1X


Local Policies:
Service Template: CRITICAL_AUTH_VLAN (priority 150)


Method status list:
Method State
dot1x Stopped
mab Authc Failed

#sh auth ses int Gi1/0/47 details
Interface: GigabitEthernet1/0/47
IIF-ID: 0x11586DD7
MAC Address: 00b7.1234.144c
IPv6 Address: Unknown
IPv4 Address: Unknown
Status: Authorized
Domain: UNKNOWN
Oper host mode: multi-auth
Oper control dir: in
Session timeout: N/A
Common Session ID: AC1EBA0CB4D
Acct Session ID: 0x00000009
Handle: 0x6d00000f
Current Policy: POLICY_1X


Local Policies:
Service Template: CRITICAL_AUTH_VLAN (priority 150)
Service Template: DEFAULT_CRITICAL_VOICE_TEMPLATE (priority 150)
Voice Vlan: 100


Method status list:
Method State
dot1x Stopped
mab Authc Failed

You use IBNS 2.0, which has a critical VLAN for the service template.

Hi,

May I know how the critical VLAN affects UZ and AZ?

The one with 2 local policies seems to be Authorized, but the one with one local policy was Unauthorized.

May I know why this is happening?

Hi @getaway51,

Remember that if the RADIUS authentication server (ISE) is unavailable/down and inaccessible authentication bypass is enabled, the switch grants the client access to the network by putting the port in the critical-authentication state.

Could you please share your configuration for G1/0/41 & G1/0/47?

Hope this helps !!!
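As an added example (not from this thread, and not Cisco code), a small Python script that parses the "show authentication sessions interface ... details" output quoted above and flags the condition under discussion: a session that has a critical service template applied but is still Unauthorized. The sample output is constructed from the two sessions in this thread, trimmed to the fields quoted for Gi1/0/41 and Gi1/0/47.

```python
import re

# Constructed sample of 'show authentication sessions interface ... details' output
SAMPLE = """\
Interface: GigabitEthernet1/0/41
MAC Address: 0010.1234.1117
Status: Unauthorized
Local Policies:
Service Template: CRITICAL_AUTH_VLAN (priority 150)
dot1x Stopped
mab Authc Failed

Interface: GigabitEthernet1/0/47
MAC Address: 00b7.1234.144c
Status: Authorized
Local Policies:
Service Template: CRITICAL_AUTH_VLAN (priority 150)
Service Template: DEFAULT_CRITICAL_VOICE_TEMPLATE (priority 150)
Voice Vlan: 100
dot1x Stopped
mab Authc Failed
"""

def parse_sessions(text):
    """One dict per session: key/value fields, applied service templates, per-method state."""
    sessions = []
    for block in re.split(r"\n(?=Interface:)", text.strip()):
        s = {"templates": [], "methods": {}}
        for line in (l.strip() for l in block.splitlines()):
            if line.startswith("Service Template:"):
                # keep the template name, drop the "(priority N)" suffix
                s["templates"].append(line.split(":", 1)[1].split("(")[0].strip())
            elif ":" in line:
                key, val = (x.strip() for x in line.split(":", 1))
                s[key.lower().replace(" ", "_")] = val
            else:
                m = re.fullmatch(r"(dot1x|mab)\s+(.+)", line)
                if m:
                    s["methods"][m.group(1)] = m.group(2)
        sessions.append(s)
    return sessions

def audit(sessions):
    """Flag the symptom from the thread: a critical (AAA-down) template applied, yet not Authorized."""
    findings = []
    for s in sessions:
        critical = any("CRITICAL" in t for t in s["templates"])
        if critical and s.get("status") != "Authorized":
            findings.append((s["interface"], s["mac_address"], "critical template applied but still Unauthorized"))
    return findings
```

Run it over the real output of the two commands to get a list of (interface, MAC, reason) tuples for every port where the critical policy was applied but did not result in authorization.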

Hi,

The difference is that the port did not have voice VLAN 100, only the data VLAN. But how does this affect the UZ and AZ? I thought when the AAA servers are down, ALL hosts should be in AZ. Is there anything I missed out here?

G1/0/41

switchport mode access

switchport access vlan 10

G1/0/47

switchport mode access

switchport access vlan 10

switchport voice vlan 100

https://www.cisco.com/c/en/us/support/docs/switches/catalyst-3750-x-series-switches/207193-Configure-IBNS-2-0-for-Single-Host-and-M.html

See the single vs. multi host mode. I think you configured the first one with single and the second with multi.

Hi,

Both interfaces are configured with the same source template. Both multi. May I also know if the standard template assumes the data VLAN is 1?

How does the config look if the data VLAN is 300? I mean, do I need to configure 300 in the service/policy map? Does CRITICAL_AUTH_VLAN need to be configured with 300? Is that the reason why Gi1/0/41 (VLAN 10), even though CRITICAL_AUTH_VLAN is applied, is still UZ?

Local Policies:
Service Template: CRITICAL_AUTH_VLAN (priority 150)
