IF AAA server unreachable and Host is unauthorized, will Host status become authorized automatically?

getaway51
Level 2

Hi

Currently both AAA servers are DOWN. Can I say that all hosts are automatically authorized now (i.e. permit ALLOW)?

But I saw some hosts are Unauth. I thought all hosts are automatically "Auth" if the AAA server is down?

Is there any reason for this, or how can I further verify or solve this Unauth?

LOF030#sh auth ses
Gi1/0/41 0010.g577.1117 mab UNKNOWN Unauth
Gi1/0/47 00b7.354c.144c mab UNKNOWN Auth

10 class AI_AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
! IF AAA server unreachable and Host is unauthorized
10 activate service-template AI_CRITICAL_ACL
20 authorize
40 pause reauthentication
! Activate the critical ACL service template and authorize the host to get o

8 Replies

Hi @getaway51, please take a look at the result of the following commands:

show authentication sessions interface GigabitEthernet 1/0/41 details
show authentication sessions interface GigabitEthernet 1/0/47 details

Hope this helps !!!

Hi,

I captured from 2 interfaces in the same switch. One is AZ, the other is UZ. I noticed some differences. Port 41 has 1 Service Template. Port 42 has 2 Service Templates with Voice VLAN 100. Do you know what it means? It somehow affected the UZ and AZ status. Many thanks to you again!!

Port 41

Local Policies:
Service Template: CRITICAL_AUTH_VLAN (priority 150)

Port 47

Local Policies:
Service Template: CRITICAL_AUTH_VLAN (priority 150)
Service Template: DEFAULT_CRITICAL_VOICE_TEMPLATE (priority 150)
Voice Vlan: 100

sh auth ses int Gi1/0/41 details
Interface: GigabitEthernet1/0/41
IIF-ID: 0x114B9FE0
MAC Address: 0010.1234.1117
IPv6 Address: Unknown
IPv4 Address: Unknown
Status: Unauthorized
Domain: UNKNOWN
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Common Session ID: AC1EBA0D9F2B
Acct Session ID: Unknown
Handle: 0xf500000a
Current Policy: POLICY_1X


Local Policies:
Service Template: CRITICAL_AUTH_VLAN (priority 150)


Method status list:
Method State
dot1x Stopped
mab Authc Failed

#sh auth ses int Gi1/0/47 details
Interface: GigabitEthernet1/0/47
IIF-ID: 0x11586DD7
MAC Address: 00b7.1234.144c
IPv6 Address: Unknown
IPv4 Address: Unknown
Status: Authorized
Domain: UNKNOWN
Oper host mode: multi-auth
Oper control dir: in
Session timeout: N/A
Common Session ID: AC1EBA0CB4D
Acct Session ID: 0x00000009
Handle: 0x6d00000f
Current Policy: POLICY_1X


Local Policies:
Service Template: CRITICAL_AUTH_VLAN (priority 150)
Service Template: DEFAULT_CRITICAL_VOICE_TEMPLATE (priority 150)
Voice Vlan: 100


Method status list:
Method State
dot1x Stopped
mab Authc Failed
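
A small parser for the "details" output above, added here as an example (it is not code from Cisco or from anyone in this thread). It reads one or more captures, pulls out Status, Oper control dir, the Local Policies service templates, the voice VLAN and the per-method state, flags any session that carries a critical-auth template while still Unauthorized, and lists the fields that differ between two sessions, which is the comparison being done by eye in this thread. The set of critical template names and the method names dot1x/mab/webauth are assumptions taken from the output shown; the sample text is an abridged, constructed copy of the two captures.

```python
"""Audit 'show authentication sessions ... details' captures for critical-auth
consistency. Added example for this thread, not Cisco code or the poster's own.
Assumes the critical template names shown and IOS method names dot1x/mab/webauth."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

CRITICAL_TEMPLATES = {"CRITICAL_AUTH_VLAN", "DEFAULT_CRITICAL_VOICE_TEMPLATE"}
METHOD_RE = re.compile(r"^(dot1x|mab|webauth)\s+(.+)$")
TEMPLATE_RE = re.compile(r"^Service Template:\s*(\S+)")
FIELD_MAP = {"Status": "status", "Oper control dir": "control_dir"}

# Constructed sample: the two 'details' captures posted above, abridged.
SAMPLE_OUTPUT = """\
sh auth ses int Gi1/0/41 details
Interface: GigabitEthernet1/0/41
Status: Unauthorized
Oper control dir: both
Local Policies:
Service Template: CRITICAL_AUTH_VLAN (priority 150)
Method status list:
Method State
dot1x Stopped
mab Authc Failed

#sh auth ses int Gi1/0/47 details
Interface: GigabitEthernet1/0/47
Status: Authorized
Oper control dir: in
Local Policies:
Service Template: CRITICAL_AUTH_VLAN (priority 150)
Service Template: DEFAULT_CRITICAL_VOICE_TEMPLATE (priority 150)
Voice Vlan: 100
Method status list:
Method State
dot1x Stopped
mab Authc Failed
"""


@dataclass
class Session:
    interface: str
    status: str = ""
    control_dir: str = ""
    voice_vlan: Optional[str] = None
    templates: List[str] = field(default_factory=list)
    methods: Dict[str, str] = field(default_factory=dict)


def parse_sessions(text: str) -> List[Session]:
    """Parse one or more 'details' blocks; prompt/echo lines are ignored."""
    sessions: List[Session] = []
    cur: Optional[Session] = None
    section = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Interface:"):
            cur = Session(interface=line.split(":", 1)[1].strip())
            sessions.append(cur)
            section = "header"
        elif cur is None or not line:
            continue
        elif line == "Local Policies:":
            section = "policies"
        elif line == "Method status list:":
            section = "methods"
        elif section == "header" and ":" in line:
            key, value = (s.strip() for s in line.split(":", 1))
            if key in FIELD_MAP:
                setattr(cur, FIELD_MAP[key], value)
        elif section == "policies":
            m = TEMPLATE_RE.match(line)
            if m:
                cur.templates.append(m.group(1))
            elif line.startswith("Voice Vlan:"):
                cur.voice_vlan = line.split(":", 1)[1].strip()
        elif section == "methods":
            m = METHOD_RE.match(line)  # the next prompt line never matches
            if m:
                cur.methods[m.group(1)] = m.group(2).strip()
    return sessions


def audit(s: Session) -> List[str]:
    """Flag a session that carries a critical template yet is not Authorized."""
    critical = [t for t in s.templates if t in CRITICAL_TEMPLATES]
    if critical and s.status != "Authorized":
        return [f"{s.interface}: {critical} applied but status {s.status}; "
                f"mab={s.methods.get('mab')!r}, control dir={s.control_dir}"]
    return []


COMPARE = ("status", "control_dir", "voice_vlan", "templates", "methods")

def diff_sessions(a: Session, b: Session) -> Dict[str, tuple]:
    """Fields that differ between two sessions (the thread's by-eye comparison)."""
    return {f: (getattr(a, f), getattr(b, f)) for f in COMPARE
            if getattr(a, f) != getattr(b, f)}
```

Feed it the concatenated output of `show authentication sessions interface ... details` for several ports at once: `audit` names the sessions worth looking at (a critical template applied but the session still Unauthorized, with the MAB state and control direction alongside), and `diff_sessions` shows exactly which fields separate an authorized port from an unauthorized one; on the two captures above that is status, control direction, voice VLAN and the template list, while the method states are identical.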

You use IBNS 2.0, which has a critical VLAN for the service template.

Hi,

May I know how the critical VLAN affects UZ and AZ?

The one with 2 local policies seems to be Authorized, but the one with one local policy was Unauthorized.

May I know why this is happening?

Hi @getaway51, remember that if the RADIUS Authentication Server (ISE) is unavailable/down and inaccessible authentication bypass is enabled, the switch grants the client access to the network by putting the port in the critical-authentication state.

Could you please share your configuration for G1/0/41 & G1/0/47?

Hope this helps !!!

Hi,

The difference is that the port did not have voice VLAN 100, only the data VLAN. But how has this affected the UZ and AZ? I thought that when the AAA servers are down, ALL hosts should be in AZ. Is there anything I missed here?

G1/0/41
switchport mode access
switchport access vlan 10

G1/0/47
switchport mode access
switchport access vlan 10
switchport voice vlan 100

https://www.cisco.com/c/en/us/support/docs/switches/catalyst-3750-x-series-switches/207193-Configure-IBNS-2-0-for-Single-Host-and-M.html

See the single vs. multi host mode.
I think you configured the first one with single and the second with multi.

Hi,

Both interfaces are configured with the same source template. Both multi. May I also know if the standard template assumes the data VLAN is 1?

What does the config look like if the data VLAN is 300? I mean, do I need to configure 300 in the service/policy map? Does CRITICAL_AUTH_VLAN need to be configured with 300? Is that the reason why Gi1/0/41 (VLAN 10), even though CRITICAL_AUTH_VLAN is applied, is still UZ?

Local Policies:
Service Template: CRITICAL_AUTH_VLAN (priority 150)