Solved: Re: UNKNOWN Domain radius server dead

x00008037 · ‎12-01-2019

Currently have an issue when our edge switch reboots the authentication sessions on the switch come back with "UNKNOWN" domain.

The AAA server is marked as "alive" but these auth session stay in an "UNKNOWN" Domain and failed Authentication .

Shouldn't these port "reinitialize" when the AAA server become reachable again?

howon · ‎12-05-2019

Try the following:

authentication event server dead action reinitialize {ACCESS_VLAN}

authentication event server dead action authorize voice

https://community.cisco.com/t5/security-documents/top-ten-mis-configured-cisco-ios-switch-settings-for-ise/ta-p/3643912#toc-hId--651964017

View solution in original post

howon · ‎12-05-2019

It may be possible that since this is due to switch reload rather than AAA down scenario, the reinitialization is not being triggered. It has been a while, but I recall suggesting to recycle the interface (shut/no shut) after such incident to get the authentication working, which can be scripted via management tool.

x00008037 · ‎12-05-2019

Hi,

thanks for the reply, but even when the radius server is marked down the session on the switch ports fail into an authorized state with DOMAIN UNKNOWN. When the server becomes reachable again the Domain stays in UNKNOWN state,

Is there a mechanism to re-initilise the ports without a shut no shut? I would of though the switch port config "alive action re-initilize" as enough?

.

howon · ‎12-05-2019

Try the following:

authentication event server dead action reinitialize {ACCESS_VLAN}

authentication event server dead action authorize voice

https://community.cisco.com/t5/security-documents/top-ten-mis-configured-cisco-ios-switch-settings-for-ise/ta-p/3643912#toc-hId--651964017

x00008037 · ‎02-05-2020

Still an issue,

Ports are being marked in an UNKNOWN state when the radius server is marked DEAD. Then when radius server comes back online the DOMAIN remains in UNKNOWN state