inaccessible authentication bypass on wireless

vinodjad1234
Level 2

Hi Experts,

We are deploying 802.1X authentication for wired as well as for wireless. I came across a term where, even if the RADIUS server is down, clients can get access to the network.


I am not sure how it worked by configuring two commands:

 

authentication event server dead action authorize vlan X

authentication event server alive action reinitialize

 

The statement says: "Use inaccessible authentication bypass to assign the critical port to VLAN"

What is meant by critical port, and how does it work? Do we need to configure anything on the ISE server?

Is it possible to configure the same for a wireless setup as well? If yes, what configuration do we need on the wireless LAN controllers?

One more concern, about "failed access handling":

If the client identity is not valid or the credentials are expired, what is the recommended option to configure on ISE for those clients?

Can anybody please share a document which talks about failed access handling in a practical setup?


2 Replies

Venkatesh Attuluri
Cisco Employee

authentication event server dead action authorize vlan X

authentication event server alive action reinitialize

 

These commands help you in case the RADIUS server is down: the clients connected to the port where these commands are given are put into VLAN X (make sure that this VLAN is restricted).

And you have the following options for client identity not found:

If endpoints do not meet any of the policies defined, then we have a default policy that is applied.

Thanks Venkatesh,

You mean we need one new VLAN which will have restricted access...

How do I configure a restricted VLAN in my LAN? Do I need to create an access list and apply it to the respective SVI?

What if I reject the users in case of server failure, or have a very basic configuration where I do not have any rules configured as inaccessible bypass policy? What would be the impact on the network?
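
An added example, not part of the original thread and not Cisco tooling: a small Python audit that reads an IOS running-config and reports, for each 802.1X port, whether the two commands discussed above are present. The sample config, VLAN 999 and the use of `authentication port-control auto` to recognise 802.1X ports are assumptions made for illustration.

```python
import re
# Constructed sample running-config for illustration (not from the thread).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 authentication port-control auto
 authentication event server dead action authorize vlan 999
 authentication event server alive action reinitialize
!
interface GigabitEthernet1/0/2
 authentication port-control auto
 authentication event server dead action authorize vlan 999
!
interface GigabitEthernet1/0/3
 authentication port-control auto
!
interface GigabitEthernet1/0/4
 switchport mode access
"""
DEAD = re.compile(r"authentication event server dead action authorize vlan (\d+)")
ALIVE = "authentication event server alive action reinitialize"

def interface_blocks(config):
    """Map each interface name to the list of its indented sub-commands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = blocks.setdefault(raw.split(None, 1)[1], [])
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        else:
            current = None  # "!" or any other top-level line ends the stanza
    return blocks

def audit(config):
    """Return {port: finding} for every port with 802.1X port control enabled."""
    findings = {}
    for name, lines in interface_blocks(config).items():
        if "authentication port-control auto" not in lines:
            continue  # not an 802.1X port, nothing to check
        vlan = next((m.group(1) for l in lines if (m := DEAD.fullmatch(l))), None)
        if vlan is None:
            findings[name] = "no critical VLAN: port cannot authorize new sessions while RADIUS is unreachable"
        elif ALIVE not in lines:
            findings[name] = f"critical VLAN {vlan}, but sessions are not reinitialized when RADIUS returns"
        else:
            findings[name] = f"ok: critical VLAN {vlan}, reinitialize on server alive"
    return findings

if __name__ == "__main__":
    for port, finding in audit(SAMPLE_CONFIG).items(): print(port, "->", finding)
```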

 

 

 

 
