We have a problem with a Catalyst 4510R-E, Sup 6-E, IOS 12.2(54)SG (the same issue repeats with IOS 12.2(53)SG3 as well) and dot1x authentication when the RADIUS server is inaccessible. The switch port simply doesn't go into the critical (server dead) VLAN, but stays in access VLAN 40.
The same configuration with a 3750 switch and IOS 12.2(55)SE works.
Below is the configuration of the switch:
aaa group server radius dot1x
 server-private 10.200.1.27 key 7 1
 server-private 10.200.1.26 key 7 1
 ip vrf forwarding data
 ip radius source-interface Vlan100
!
aaa authentication dot1x default group dot1x
aaa authorization network default none
!
! access port (the "interface ..." line itself was not included in the post)
 description TEST DOT1X
 switchport access vlan 40
 switchport mode access
 authentication event server dead action authorize vlan 240
 authentication event server alive action reinitialize
 authentication port-control auto
 dot1x pae authenticator
 dot1x timeout server-timeout 10
 dot1x timeout tx-period 10
 dot1x timeout start-period 20
!
! SVI in VRF data (the "interface ..." line itself was not included in the post)
 ip vrf forwarding data
 ip address 10.10.10.1 255.255.255.0
!
ip radius source-interface Vlan100 vrf data
radius-server dead-criteria time 3 tries 2
radius-server host 10.200.1.27 auth-port 1645 acct-port 1646 test username admin idle-time 1
radius-server host 10.200.1.26 auth-port 1645 acct-port 1646 test username admin idle-time 1
radius-server deadtime 3
dot1x critical eapol
Does anyone have an idea what we could do to resolve this?
How are you testing this? Once the RADIUS server goes down, are you attempting another authentication? Existing ports will not be moved to 240, but if another authentication is kicked off and the RADIUS servers are down, then VLAN 240 will be applied. Here is the description of what this feature does when the RADIUS server goes down:
Both RADIUS servers are connected to the location with the Catalyst 4510 switch through a WAN link. We test RADIUS server inaccessibility by shutting down the WAN connection. Still, the dot1x port doesn't go into the auth-failed (server dead) VLAN. This switch port appears unauthenticated in VLAN 40.
To verify the auth-fail VLAN, the AAA server should be alive and it should reject the user. Maybe a wrong username or password can be sent.
The way you are testing is for the critical VLAN, which means the AAA server is not reachable/responding. Hope this clarifies.
Sorry, I wrote a wrong description of the problem. The problem is that when the RADIUS servers are inaccessible, the dot1x port doesn't enter the critical VLAN. It stays unauthenticated in VLAN 40.
The critical VLAN is applied when the RADIUS servers are down and you are trying a new authentication, i.e. if the user was already authorized he will not be requested to authenticate again until 802.1x times out on the switch port.
So, if you want to test the critical vlan
Hope this answer helps you.
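As an added illustration of the point made in this reply and the earlier one (not code from the thread or from Cisco), the following Python is a simplified model of the described behaviour using the values from the posted config: an existing session is never moved, a new authentication lands in VLAN 240 only once every server has been marked dead under the dead-criteria, and the server-alive reinitialize brings the port back. The attempt timings and the dataclass are assumptions for the model, not IOS internals.

```python
# Added illustration, not IOS code: a simplified model of the explanation in the
# replies. An existing session is never moved; a NEW authentication lands in VLAN
# 240 only once every RADIUS server has been marked dead (values from the config).
from dataclasses import dataclass

ACCESS_VLAN, CRITICAL_VLAN = 40, 240   # access vlan 40 / server dead action authorize vlan 240
DEAD_TRIES = 2                         # radius-server dead-criteria time 3 tries 2
DEADTIME_SEC = 3 * 60                  # radius-server deadtime 3 (minutes)

@dataclass
class RadiusServer:
    reachable: bool = True    # False while the WAN link to the servers is shut
    failed_tries: int = 0
    dead_until: float = 0.0   # not queried (marked dead) until this timestamp

def new_authentication(servers: list, now: float) -> tuple:
    """One fresh EAP session (link up, reauth timer, or 'clear dot1x interface').
    Returns (authorized, vlan) for the port; no result means it stays unauthorized."""
    for srv in servers:
        if now < srv.dead_until:
            continue                         # dead server is skipped for the rest of deadtime
        if srv.reachable:
            srv.failed_tries = 0
            return True, ACCESS_VLAN         # Access-Accept: normal access VLAN
        srv.failed_tries += 1                # a timeout counts toward dead-criteria
        if srv.failed_tries >= DEAD_TRIES:
            srv.dead_until = now + DEADTIME_SEC
    if all(now < s.dead_until for s in servers):
        return True, CRITICAL_VLAN           # server dead action authorize vlan 240
    return False, ACCESS_VLAN                # port-control auto: unauthorized, still in vlan 40

def vlan_after_wan_outage(new_session_after_outage: bool) -> int:
    """VLAN the port ends up in after the WAN link to both servers is shut."""
    servers = [RadiusServer(), RadiusServer()]
    session = new_authentication(servers, now=0)     # user authorized while the WAN is up
    for s in servers:
        s.reachable = False                          # WAN down: every request times out
    if new_session_after_outage:                     # e.g. shut/no shut on the port
        for attempt in range(1, DEAD_TRIES + 1):     # each timed-out attempt is one 'try'
            session = new_authentication(servers, now=30 * attempt)
    return session[1]

def vlan_after_server_alive() -> int:
    """'server alive action reinitialize': deadtime has expired and the WAN is back."""
    servers = [RadiusServer(dead_until=DEADTIME_SEC) for _ in range(2)]
    return new_authentication(servers, now=DEADTIME_SEC + 1)[1]
```

Calling vlan_after_wan_outage(False) returns 40 (the case in the original post), while vlan_after_wan_outage(True) returns 240 once both servers have been marked dead.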