11-15-2012 10:20 AM - edited 03-10-2019 07:47 PM
We have configured the following commands on the switch to fall back to a local VLAN if both RADIUS servers (Policy Personas) are found dead. For test purposes we shut down both servers (Policy Personas), but the fallback didn't work. We have a 3750 switch running image 12.2(55)SE6 with the following configuration.
We do not know whether we configured the switch properly or whether we need to modify it.
aaa new-model
!
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting update periodic 5
aaa accounting auth-proxy default start-stop group radius
aaa accounting dot1x default start-stop group radius
aaa accounting system default start-stop group radius
!
!
aaa server radius dynamic-author
client 10.10.10.10 server-key 7 12345678 (Policy Persona 1)
client 10.10.10.11 server-key 7 12345678 (Policy Persona 2)
server-key 7 12345678
!
ip device tracking
!
epm logging
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 30 tries 3
radius-server host 10.10.10.10 auth-port 1812 acct-port 1813 key 7 12345678 (Policy Persona 1)
radius-server host 10.10.10.11 auth-port 1812 acct-port 1813 key 7 12345678 (Policy Persona 2)
radius-server vsa send accounting
radius-server vsa send authentication
Port Configuration
interface GigabitEthernet0/1
switchport access vlan 305
switchport mode access
ip access-group ACL-DEFAULT in
authentication event fail action next-method
authentication event server dead action reinitialize vlan 305
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
!
Please help....
Thanks
11-15-2012 02:50 PM
Was the test client on g0/1 previously authorized on this port prior to shutting down the PSNs? Or did you connect the client after taking the PSNs offline?
11-16-2012 12:38 AM
The client was connected on port Gi0/1, but when we shut down both PSNs at the same time we did a shut and no shut on Gi0/1. We tried the same exercise (shut and no shut on Gi0/1) a couple of times, but with no luck.
My requirement is to fall back a user connected on Gi0/1 to the local access VLAN if both RADIUS servers (PSNs) go down.
I suspect that I'm missing some switch commands.
Any suggestion, please.
Thanks
Sent from Cisco Technical Support iPhone App
11-16-2012 08:00 AM
Can you post the config for the access-list "ACL-DEFAULT" that is applied on the interface? If you are using this ACL for "Low Impact" mode then that would be the cause of your issue. If that is the case remove the ACL and give it another try.
Thank you for rating!
11-18-2012 01:23 AM
Hi Neno,
Many thanks indeed for your suggestion.
Here is the ACL-DEFAULT
ip access-list extended ACL-DEFAULT
remark DHCP
permit udp any eq bootpc any eq bootps
remark DNS
permit udp any any eq domain
remark PXE/TFTP
permit udp any any eq tftp
remark Drop all the rest
deny ip any any log
I removed the ACL and tried. It works, but what will be the impact if I do not use ACL-DEFAULT on the interface?
Once the RADIUS server is alive, authentication should reinitialize (authentication event server alive action reinitialize), but it is not happening.
Waiting for response.
Thanks
11-18-2012 05:42 PM
Tabish-
The pre-auth ACL that you have on your port is used for what's called a "Low-Impact" mode type of setup. With Low-Impact mode you are allowing the services defined in the pre-auth ACL until the user/device is authenticated. Once authenticated, the pre-auth ACL gets replaced with the dACL/authorization policy that you have defined in the authorization profile. As a result, it is not possible to use a "fail-open" configuration with Low-Impact, as there is nothing to replace that pre-auth ACL since your NAD device(s) are unavailable.
If you want to use the "fail-open" features you will have to use the "High Security/Closed Mode." In that mode you cannot utilize the pre-auth ACL, and essentially only EAPoL traffic is allowed on the port until authenticated.
For more info you should reference the TrustSec design guide located at:
http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html
Thank you for rating!
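The pitfall Neno describes above (a pre-auth ACL on a port that also relies on "authentication event server dead action reinitialize vlan") is easy to miss when reviewing a running-config, so here is a small audit script for it. This is an added example, not code from the thread or from Cisco: it parses "show running-config" style text with a deliberately simple line-based parser (interface stanzas are the indented lines after "interface X", terminated by "!"), and the sample config embedded in it is constructed from the Gi0/1 configuration posted in the first message plus two extra ports (Gi0/2, Gi0/3) made up for contrast. The finding texts are the script's own wording of the points made in this thread.

```python
"""Audit Cisco IOS 802.1X/MAB port configs for the fail-open pitfall discussed
in this thread: a pre-auth ACL (Low-Impact mode) on a port that also expects
'authentication event server dead action reinitialize vlan' to work.
Added example; the parser assumes 'show running-config' indentation."""
import re

# Constructed sample: Gi0/1 mirrors the thread's posted port config, Gi0/2 is
# the same port without the pre-auth ACL (Closed mode), Gi0/3 has no fallback.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
radius-server dead-criteria time 30 tries 3
radius-server host 10.10.10.10 auth-port 1812 acct-port 1813 key 7 12345678
radius-server host 10.10.10.11 auth-port 1812 acct-port 1813 key 7 12345678
!
interface GigabitEthernet0/1
 switchport access vlan 305
 switchport mode access
 ip access-group ACL-DEFAULT in
 authentication event server dead action reinitialize vlan 305
 authentication event server alive action reinitialize
 authentication open
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet0/2
 switchport access vlan 305
 switchport mode access
 authentication event server dead action reinitialize vlan 305
 authentication event server alive action reinitialize
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet0/3
 switchport access vlan 305
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
!
"""


def parse_config(text):
    """Split an IOS config into global lines and per-interface line lists."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None  # '!' ends an interface stanza
            continue
        m = re.match(r"^interface (\S+)$", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line.strip())
    return global_lines, interfaces


def _has(prefix, lines):
    return any(ln.startswith(prefix) for ln in lines)


def audit_port(lines, global_lines):
    """Return a list of findings (empty list means the port looks consistent)."""
    findings = []
    if not _has("authentication event server dead action", lines):
        findings.append("no server-dead fallback configured")
        return findings
    if _has("ip access-group ", lines):
        # The thread's root cause: Low-Impact mode keeps a pre-auth ACL that
        # nothing replaces when RADIUS is dead, so fail-open never applies.
        findings.append("pre-auth ACL on a port with server-dead fallback "
                        "(Low-Impact mode); remove the ACL for Closed mode")
    if not _has("authentication event server alive action reinitialize", lines):
        findings.append("no server-alive reinitialize; sessions stay in the "
                        "fallback VLAN after RADIUS recovers")
    if not _has("radius-server dead-criteria", global_lines):
        findings.append("no explicit radius-server dead-criteria; dead "
                        "detection relies on IOS defaults")
    return findings


def audit(text):
    """Audit every interface stanza; returns {interface: [findings]}."""
    global_lines, interfaces = parse_config(text)
    return {name: audit_port(lines, global_lines)
            for name, lines in interfaces.items()}


if __name__ == "__main__":
    for port, findings in audit(SAMPLE_CONFIG).items():
        print(port, "->", findings or ["OK"])
```

Run it against the output of "show running-config" (replace SAMPLE_CONFIG with the captured text) to get one line per access port; Gi0/1 in the sample is flagged for the ACL/fallback conflict, Gi0/2 passes, and Gi0/3 is reported as having no fallback at all.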