02-13-2021 12:25 AM
Hi
Currently both AAA servers are DOWN. Can I say that all hosts are automatically authorized now (i.e. permit ALLOW)?
But I saw some hosts are Unauth. I thought all HOSTS are automatically "Auth" if the AAA server is down?
Is there any reason for this, or how can I further verify or solve this Unauth?
LOF030#sh auth ses
Gi1/0/41 0010.g577.1117 mab UNKNOWN Unauth
Gi1/0/47 00b7.354c.144c mab UNKNOWN Auth
10 class AI_AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
! IF AAA server unreachable and Host is unauthorized
10 activate service-template AI_CRITICAL_ACL
20 authorize
40 pause reauthentication
! Activate the critical ACL service template and authorize the host to get o
02-13-2021 03:50 AM
Hi @getaway51
please take a look at the result of the following commands:
show authentication sessions interface GigabitEthernet 1/0/41 details
show authentication sessions interface GigabitEthernet 1/0/47 details
Hope this helps !!!
02-13-2021 05:52 AM - edited 02-15-2021 08:47 AM
Hi,
I captured from 2 interfaces in the same switch. One is AZ, the other is UZ. I noticed some differences. Port 41 has 1 Service Template. Port 42 has 2 Service Templates with Voice vlan 100. Do you know what it means? It somehow affected the UZ and AZ status. Many thanks to you again!!
Port 41
Local Policies:
Service Template: CRITICAL_AUTH_VLAN (priority 150)
Port 47
Local Policies:
Service Template: CRITICAL_AUTH_VLAN (priority 150)
Service Template: DEFAULT_CRITICAL_VOICE_TEMPLATE (priority 150)
Voice Vlan: 100
sh auth ses int Gi1/0/41 details
Interface: GigabitEthernet1/0/41
IIF-ID: 0x114B9FE0
MAC Address: 0010.1234.1117
IPv6 Address: Unknown
IPv4 Address: Unknown
Status: Unauthorized
Domain: UNKNOWN
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Common Session ID: AC1EBA0D9F2B
Acct Session ID: Unknown
Handle: 0xf500000a
Current Policy: POLICY_1X
Local Policies:
Service Template: CRITICAL_AUTH_VLAN (priority 150)
Method status list:
Method State
dot1x Stopped
mab Authc Failed
#sh auth ses int Gi1/0/47 details
Interface: GigabitEthernet1/0/47
IIF-ID: 0x11586DD7
MAC Address: 00b7.1234.144c
IPv6 Address: Unknown
IPv4 Address: Unknown
Status: Authorized
Domain: UNKNOWN
Oper host mode: multi-auth
Oper control dir: in
Session timeout: N/A
Common Session ID: AC1EBA0CB4D
Acct Session ID: 0x00000009
Handle: 0x6d00000f
Current Policy: POLICY_1X
Local Policies:
Service Template: CRITICAL_AUTH_VLAN (priority 150)
Service Template: DEFAULT_CRITICAL_VOICE_TEMPLATE (priority 150)
Voice Vlan: 100
Method status list:
Method State
dot1x Stopped
mab Authc Failed
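The two session dumps above are the natural input for a quick audit: after an AAA outage, list every session that has a critical-auth service template applied but is still not Authorized. The parser below is an added example, not code from the thread or from Cisco; it works on the plain-text shape of `show authentication sessions interface ... details` as posted here, and the embedded sample is a trimmed, constructed copy of the two outputs above.

```python
"""Parse 'show authentication sessions interface ... details' output and flag
sessions where a critical-auth template was applied but the host stayed
Unauthorized, which is the symptom being discussed in this thread."""
import re

# Constructed sample: trimmed copy of the two session dumps posted above.
SAMPLE_OUTPUT = """\
Interface: GigabitEthernet1/0/41
MAC Address: 0010.1234.1117
Status: Unauthorized
Domain: UNKNOWN
Oper host mode: multi-auth
Current Policy: POLICY_1X
Local Policies:
Service Template: CRITICAL_AUTH_VLAN (priority 150)
Method status list:
Method State
dot1x Stopped
mab Authc Failed
Interface: GigabitEthernet1/0/47
MAC Address: 00b7.1234.144c
Status: Authorized
Domain: UNKNOWN
Oper host mode: multi-auth
Current Policy: POLICY_1X
Local Policies:
Service Template: CRITICAL_AUTH_VLAN (priority 150)
Service Template: DEFAULT_CRITICAL_VOICE_TEMPLATE (priority 150)
Voice Vlan: 100
Method status list:
Method State
dot1x Stopped
mab Authc Failed
"""

# "Service Template: NAME (priority N)" lines under "Local Policies:"
TEMPLATE_RE = re.compile(r"Service Template:\s*(\S+)\s*\(priority\s*(\d+)\)")


def parse_sessions(text):
    """Split the output into one dict per 'Interface:' block.

    Each dict has: interface, fields (key/value lines), templates
    [(name, priority), ...] and methods {method: state}.
    """
    sessions = []
    current = None
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Interface:"):
            current = {"interface": line.split(":", 1)[1].strip(),
                       "fields": {}, "templates": [], "methods": {}}
            sessions.append(current)
            section = None
            continue
        if current is None:
            continue  # text before the first session block
        if line == "Local Policies:":
            section = "policies"
            continue
        if line == "Method status list:":
            section = "methods"
            continue
        if section == "policies":
            m = TEMPLATE_RE.match(line)
            if m:
                current["templates"].append((m.group(1), int(m.group(2))))
                continue
            # other policy lines (e.g. "Voice Vlan: 100") fall through to fields
        if section == "methods":
            if line == "Method State":
                continue  # column header
            method, _, state = line.partition(" ")
            current["methods"][method] = state
            continue
        if ":" in line:
            key, _, value = line.partition(":")
            current["fields"][key.strip()] = value.strip()
    return sessions


def critical_auth_anomalies(sessions):
    """Sessions that carry a CRITICAL* template yet are not Authorized.

    During an AAA outage these are the ports to look at first: the
    server-down fallback was triggered but did not result in authorization.
    """
    findings = []
    for s in sessions:
        names = [name for name, _ in s["templates"]]
        has_critical = any("CRITICAL" in name for name in names)
        if has_critical and s["fields"].get("Status") != "Authorized":
            findings.append({"interface": s["interface"],
                             "mac": s["fields"].get("MAC Address"),
                             "templates": names,
                             "mab": s["methods"].get("mab")})
    return findings


if __name__ == "__main__":
    for f in critical_auth_anomalies(parse_sessions(SAMPLE_OUTPUT)):
        print(f)
```

Run against a file produced by `show authentication sessions interface <x> details` for each port (or the whole `show authentication sessions details` dump), the script prints only the ports that need attention, here Gi1/0/41, together with the templates applied and the last MAB state.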
02-13-2021 07:31 PM
You use IBNS 2.0, which has a critical vlan for the service template.
02-14-2021 05:10 AM
Hi,
May I know how critical vlan affects UZ and AZ?
The one with 2 local policies seems to be Authorized, but the one with one local policy was Unauthorized.
May I know why is this happening?
02-14-2021 05:28 AM
Hi @getaway51
remember that if the RADIUS Authentication Server (ISE) is unavailable/down and inaccessible authentication bypass is enabled, the switch grants the client access to the network by putting the port in the critical-authentication state.
Could you please share your configuration for G1/0/41 & G1/0/47?
Hope this helps !!!
02-14-2021 10:06 AM
Hi,
The difference is that the port did not have voice vlan 100, only the data vlan. But how has this affected the UZ and AZ? I thought when the AAA servers are down, ALL hosts should be in AZ. Is there anything I missed here?
G1/0/41
switchport mode access
switchport access vlan 10
G1/0/47
switchport mode access
switchport access vlan 10
switchport voice vlan 100
02-14-2021 06:03 AM
See the single vs. multi host mode;
I think you configured the first one with single and the second with multi.
02-14-2021 10:14 AM
Hi,
Both interfaces are configured with the same source template. Both multi. May I also know if the standard template assumes the data vlan is 1?
How does the config look if the data vlan is 300? I mean, do I need to configure 300 in the service/policy map? Does CRITICAL_AUTH_VLAN need to be configured with 300? Is that the reason why Gi1/0/41 (vlan 10), even though CRITICAL_AUTH_VLAN is applied, is still UZ?
Local Policies:
Service Template: CRITICAL_AUTH_VLAN (priority 150)