Network Supplicant - Verify Servers Identity

BlackDiamond71
Level 1

I am using Cisco ISE and have RADIUS DTLS configured on my Cisco switch using the IBNS 2.0 template. I have a GPO set to push out the supplicant and have the following EAP setting: "Verify the server's identity by validating the certificate". I have two servers listed, but I'm thinking of the worst-case scenario: what happens if both servers are down? All ports besides the trunk port are set to closed. If the servers are down, the PC won't be able to verify the server's certificate and won't connect? I tested this, and with "Verify the server's identity by validating the certificate" set the machines don't have network access, but if I uncheck "Verify the server's identity by validating the certificate", the machines can connect due to my fail-open policy. What would be best practice? Is there a setting that would help?


! Closed mode
default interface range GigabitEthernet1/0/1 - 47
interface range GigabitEthernet1/0/1 - 47
source template Port-Dot1x-Closed
! Apply device tracking policy to port if not assigned to VLAN
device-tracking attach-policy IP-Tracking
! Apply dot1x timeout settings if they couldn't be applied to template
dot1x timeout tx-period 7
dot1x max-reauth-req 3
spanning-tree portfast


! Closed mode port template
template Port-Dot1x-Closed
description ** Port for Endpoints **
switchport mode access
switchport access vlan 10
! Disable dynamic trunking protocol on access port
switchport nonegotiate
switchport voice vlan 20
authentication periodic
authentication timer reauthenticate server
! The inactivity timer command below is IOS version dependent
! authentication timer inactivity server dynamic
mab
access-session host-mode multi-domain
access-session control-direction in
access-session closed
dot1x pae authenticator
! The following 2 dot1x commands may need to be applied to the port
dot1x timeout tx-period 7
dot1x max-reauth-req 3
access-session port-control auto
spanning-tree portfast edge
ip dhcp snooping limit rate 10
! Only use ONE subscriber aging setting
! subscriber aging inactivity-timer 60 probe
subscriber aging probe
service-policy type control subscriber Dot1x-Default

1 Reply

andrewswanson
Level 7

Hi
In the scenario where both your RADIUS servers are unavailable, you can configure "dot1x critical eapol" globally - the switch should respond with an "EAP-success" to 802.1x clients when your RADIUS servers are unavailable.
hth
Andy