
802.1x authentication behaviour?

tedauction
Level 1

Hello, we have 802.1x configured on numerous 2960 switches. We have a primary and secondary RADIUS server configured. My question is, what happens if:

i) the primary RADIUS server is reachable but the shared secret fails, i.e. will it fail over to authenticating against the secondary RADIUS server?

ii) both primary and secondary RADIUS servers are reachable but the shared secrets fail.

iii) neither primary nor secondary RADIUS is reachable. Thank you kindly.

Accepted Solutions

Hello,

I tested this with two RADIUS servers:

i) the primary RADIUS server is reachable but the shared secret fails, i.e. will it fail over to authenticating against the secondary RADIUS server?

--> the secondary RADIUS server will automatically be contacted, and authenticate

ii) both primary and secondary RADIUS servers are reachable but the shared secrets fail.

--> both primary and secondary RADIUS servers will be contacted in order, and both fail to authenticate

iii) neither primary nor secondary RADIUS is reachable. Thank you kindly.

--> no authentication will happen; if local authentication is configured, it will fail over to that
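
Why a shared-secret mismatch leads to failover rather than a reject, as an added example that is not part of the original post or any Cisco code: under RFC 2865/3579 a server silently discards a request whose Message-Authenticator does not verify, so the switch gets no valid reply and tries the next server. The `authenticate` function, the server tuples, the secrets and the retry count are constructed for illustration, and the packets carry only the fields needed for the check.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
MSG_AUTH = 80  # Message-Authenticator attribute type (RFC 3579)

def _msg_auth(packet_zeroed: bytes, secret: bytes) -> bytes:
    # HMAC-MD5 over the whole packet with the attribute value zeroed
    return hmac.new(secret, packet_zeroed, hashlib.md5).digest()

def build_request(ident: int, secret: bytes) -> bytes:
    """Access-Request carrying only a Message-Authenticator (other attributes trimmed)."""
    req_auth = os.urandom(16)
    attrs = bytes([MSG_AUTH, 18]) + bytes(16)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth
    return header + bytes([MSG_AUTH, 18]) + _msg_auth(header + attrs, secret)

def server_handle(packet: bytes, secret: bytes):
    """Return an Access-Accept, or None (silent discard) if the Message-Authenticator fails."""
    header, attrs = packet[:20], packet[20:]
    zeroed = header + attrs[:2] + bytes(16)
    if not hmac.compare_digest(attrs[2:18], _msg_auth(zeroed, secret)):
        return None
    reply_hdr = struct.pack("!BBH", ACCESS_ACCEPT, packet[1], 20)
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    return reply_hdr + hashlib.md5(reply_hdr + packet[4:20] + secret).digest()

def reply_valid(request: bytes, reply: bytes, secret: bytes) -> bool:
    """NAS-side check of the Response Authenticator (RFC 2865)."""
    expect = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(reply[4:20], expect)

def authenticate(servers, retries=3):
    """servers: ordered (name, nas_secret, server_secret); server_secret None = unreachable."""
    for name, nas_secret, srv_secret in servers:
        for attempt in range(retries):
            req = build_request(attempt, nas_secret)
            reply = server_handle(req, srv_secret) if srv_secret is not None else None
            if reply and reply_valid(req, reply, nas_secret):
                return name  # first server that produced a verifiable reply
    return None  # no valid reply from any server: fallback method or failure
```

In this model cases (ii) and (iii) are indistinguishable to the switch, since neither yields a reply that verifies; telling them apart takes the RADIUS server's own logs.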


kubn2
Level 1

Hi,

Without checking (so you can't be 100% sure)

i) not sure

ii) and iii) if you don't have a fallback like MAC-based authentication then clients won't be able to authenticate

balaji.bandi
Hall of Fame

To form a relationship between ISE and an end device (in your case, the switch), the basic requirement is the shared secret. If that fails, you are no longer able to get any further for the user to get 802.1X authentication.

until you have configured fail-open (that is the reason identity design is very important and required to have high availability and reachability in the network) to achieve strict authentication.

BB
