07-15-2021 07:33 AM - edited 07-15-2021 07:35 AM
We use MAB for our port security with our switches pointed to ISE for the MAC database check.
What is happening is that when we have:
"authentication host-mode multi-auth" on the switchport and we unplug the uplink to simulate an ISE outage or WAN link failure, the critical auth policy never kicks in. If we unplug the ports, the devices just keep trying to authenticate every 60 seconds even though the RADIUS server is marked as dead.
If I change authentication host-mode from multi-auth to multi-domain it works, with the devices failing open by being put into the critical VLAN and the port being authorized. We need to use multi-auth for our staff who have multiple devices, as multi-domain only lets 1 voice and 1 data MAC on.
*Mar 1 16:36:44.389: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (xxxx.xxxx.xxxx) on Interface Fa0/2 AuditSessionID 0A646464000000B9038A1083
*Mar 1 16:37:44.267: %MAB-5-FAIL: Authentication failed for client (xxxx.xxxx.xxxx) on Interface Fa0/1 AuditSessionID 0A646464000000B7038A0A8D
*Mar 1 16:37:44.267: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'mab' for client (xxxx.xxxx.xxxx) on Interface Fa0/1 AuditSessionID 0A646464000000B7038A0A8D
*Mar 1 16:37:44.267: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (xxxx.xxxx.xxxx) on Interface Fa0/1 AuditSessionID 0A646464000000B7038A0A8D
*Mar 1 16:37:44.267: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'mab' for client (xxxx.xxxx.xxxx) on Interface Fa0/1 AuditSessionID 0A646464000000B8038A0A95
Port configuration:
interface FastEthernet0/1
switchport mode access
switchport voice vlan 20
authentication control-direction in
authentication event server dead action authorize
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order mab
authentication priority mab
authentication port-control auto
authentication violation protect
mab
mls qos trust device cisco-phone
mls qos trust cos
dot1x pae authenticator
spanning-tree portfast
Does anyone know why multi-auth is not working with the critical auth vlan and only multi-domain will?
07-15-2021 03:10 PM - edited 07-15-2021 03:11 PM
Hi,
It's because multi-auth doesn't use the authorize option but reinitialize for the dead server action.
This is critical auth for multi-domain:
switchport mode access
switchport access vlan <X>
authentication host-mode multi-domain
authentication event server dead action authorize
authentication event server dead action authorize voice
authentication event server alive action reinitialize
No need to specify the VLAN. It is the access port VLAN.
This is critical auth for multi-auth:
switchport access vlan <X>
switchport mode access
authentication host-mode multi-auth
authentication event server dead action reinitialize vlan <X>
authentication event server dead action authorize voice
authentication event server alive action reinitialize
BR,
Octavian
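The rule in the answer above (multi-auth ports need "reinitialize vlan <X>" for critical auth, while multi-domain ports can use "authorize") is easy to get wrong across hundreds of access ports, so here is an added config-audit script that is not part of the original thread or of any Cisco tool. It parses interface blocks out of a plain-text IOS running-config and flags ports whose dead-server action does not match their host-mode. The sample config is constructed for the example (the first interface is the one posted in the question, with the QoS lines dropped); the function names and the findings wording are my own.

```python
"""Audit IOS access-port config: does the critical-auth action match the host-mode?

Added example for this thread. It is not Cisco code and knows nothing beyond
the three lines of the config that the answer above relies on.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: Fa0/1 is the questioner's port (multi-auth + "action authorize"),
# Fa0/2 is that port fixed per the answer, Fa0/3 is a correct multi-domain port.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport voice vlan 20
 authentication event server dead action authorize
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication order mab
 authentication port-control auto
 mab
!
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 authentication host-mode multi-auth
 authentication event server dead action reinitialize vlan 10
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 mab
!
interface FastEthernet0/3
 switchport mode access
 switchport access vlan 10
 authentication host-mode multi-domain
 authentication event server dead action authorize
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 mab
!
"""

# Non-voice dead-server actions; the "... authorize voice" form is matched separately.
DEAD_ACTION_RE = re.compile(
    r"^authentication event server dead action (authorize|reinitialize)(?: vlan (\d+))?$"
)
VOICE_ACTION = "authentication event server dead action authorize voice"


@dataclass
class Port:
    name: str
    lines: list[str] = field(default_factory=list)


def parse_interfaces(config: str) -> list[Port]:
    """Split a running-config into interface blocks (a '!' or blank line ends a block)."""
    ports: list[Port] = []
    current: Port | None = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = Port(name=line.split(None, 1)[1])
            ports.append(current)
        elif not line or line.startswith("!"):
            current = None
        elif current is not None:
            current.lines.append(line)
    return ports


def audit_port(port: Port) -> list[str]:
    """Return human-readable findings for one port; empty list means it looks right."""
    mode = None
    has_voice_vlan = False
    has_voice_action = False
    authorize_seen = False
    reinit_vlans: list[str] = []
    for line in port.lines:
        if line.startswith("authentication host-mode "):
            mode = line.split()[-1]
        elif line.startswith("switchport voice vlan "):
            has_voice_vlan = True
        elif line == VOICE_ACTION:
            has_voice_action = True
        else:
            m = DEAD_ACTION_RE.match(line)
            if m and m.group(1) == "authorize":
                authorize_seen = True
            elif m:
                reinit_vlans.append(m.group(2))  # None if no VLAN was given
    if mode is None:
        return []  # no host-mode configured: not a MAB/802.1X port, nothing to check

    findings: list[str] = []
    if mode == "multi-auth":
        if not any(reinit_vlans):
            findings.append(f"{port.name}: multi-auth needs 'authentication event server "
                            "dead action reinitialize vlan <X>' for critical auth")
        if authorize_seen:
            findings.append(f"{port.name}: 'action authorize' does not trigger critical "
                            "auth for data hosts in multi-auth (per the answer above)")
    elif mode == "multi-domain" and not authorize_seen:
        findings.append(f"{port.name}: multi-domain port has no 'authentication event "
                        "server dead action authorize'")
    if has_voice_vlan and not has_voice_action:
        findings.append(f"{port.name}: voice VLAN configured but no '{VOICE_ACTION}'")
    return findings


def audit_config(config: str) -> dict[str, list[str]]:
    """Map each interface name to its findings (ports with no findings map to [])."""
    return {p.name: audit_port(p) for p in parse_interfaces(config)}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

Run it against `show running-config` output saved to a file and it reports Fa0/1 twice (no "reinitialize vlan", and an "authorize" line that does nothing for multi-auth data hosts) while Fa0/2 and Fa0/3 come back clean. The checks are deliberately limited to what the thread establishes; it does not validate that the reinitialize VLAN actually exists on the switch.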