1524 Views, 0 Helpful, 5 Replies

Dot1x inaccessible authentication bypass problem with 4510R-E Sup 6-E 12.2(54)SG

vciric
Level 1

We have a problem with Catalyst 4510R-E, Sup 6-E, IOS 12.2(54)SG (the same issue repeats with IOS 12.2(53)SG3 as well) dot1x authentication when the RADIUS server is inaccessible. The switch port simply doesn't go into the critical (server dead) VLAN, but stays in access VLAN 40.

Same configuration with 3750 switch and IOS 12.2(55)SE works.

Below is the configuration of the switch:

aaa group server radius dot1x
 server-private 10.200.1.27 key 7 1
 server-private 10.200.1.26 key 7 1
 ip vrf forwarding data
 ip radius source-interface Vlan100
!
aaa authentication dot1x default group dot1x
aaa authorization network default none
!
interface GigabitEthernet1/48
 description TEST DOT1X
 switchport access vlan 40
 switchport mode access
 authentication event server dead action authorize vlan 240
 authentication event server alive action reinitialize
 authentication port-control auto
 dot1x pae authenticator
 dot1x timeout server-timeout 10
 dot1x timeout tx-period 10
 dot1x timeout start-period 20
 spanning-tree portfast
!
interface Vlan40
 ip vrf forwarding data
 ip address 10.10.10.1 255.255.255.0
!
ip radius source-interface Vlan100 vrf data
!
radius-server dead-criteria time 3 tries 2
radius-server host 10.200.1.27 auth-port 1645 acct-port 1646 test username admin idle-time 1
radius-server host 10.200.1.26 auth-port 1645 acct-port 1646 test username admin idle-time 1
radius-server deadtime 3
!
dot1x system-auth-control
dot1x critical eapol

Does anyone have an idea what we could do to resolve this?

5 Replies

jedubois
Cisco Employee

Hello,

How are you testing this? Once the RADIUS server goes down, are you attempting another authentication? Existing ports will not be moved to 240, but if another authentication is kicked off and the RADIUS servers are down, then VLAN 240 will be applied. Here is the description of what this feature does when the RADIUS server goes down:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_52_se/configuration/guide/sw8021x.html#wp1502275

--Jesse

Hi,

Both RADIUS servers are connected to the location with the Catalyst 4510 switch through a WAN link. We test RADIUS server inaccessibility by shutting down the WAN connection. Still, the dot1x port doesn't go into the auth-failed (server dead) VLAN. This switch port appears unauthenticated in VLAN 40.

Regards,

Vesna

narvenka
Cisco Employee

To verify the auth-fail VLAN, the AAA server should be alive and it should reject the user. Maybe a wrong username or password can be sent.

The way you are testing is for the critical VLAN, which means the AAA server is not reachable/responding. Hope this clarifies.

Hi,

Sorry, I wrote a wrong description of the problem. The problem is that when the RADIUS servers are inaccessible, the dot1x port doesn't enter the critical VLAN. It stays unauthenticated in VLAN 40.

Dear Vciric,

The critical VLAN is applied when the RADIUS servers are down and you are trying a new authentication, i.e. if the user was already authorized, he will not be requested to authenticate again until 802.1x times out on the switch port.

So, if you want to test the critical VLAN:

  1. Create VLAN 240.
  2. Down the RADIUS servers.
  3. Shut the switchport.
  4. No shut the switchport.

Hope this answer helps you.
