802.1x fail open in multi-auth scenario

pdub206
Level 1

I am aware of the ability of Cisco switches to provide "Inaccessible Authentication Bypass" as seen in the following configuration guide:

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3650/software/release/3e/consolidated_guide/configuration_guide/b_consolidated_3650_3e_cg/b_consolidated_3650_3e_cg_chapter_01010111.html#ID778


I am using Cisco 3650 switches running 3.6.6E code release.  We currently have a basic MAB environment which is permitting all devices for "discovery".  In the event that the authentication server is unreachable, I would like the switch to simply enable the ports so that our employees can continue working.


Is it possible to "fail open" so that the device uses the existing vlans assigned on the port? It appears that I can simply issue

switch(config-if)#authentication event server dead action authorize ?
vlan Configure Critical Authorization VLAN
voice Authorize the port for VOICE traffic
<cr>

As long as I do not provide a vlan specifically, it will simply authorize the port as if there was no authentication mechanism whatsoever?

Thanks for any advice!

Throwing packets since 2012
Accepted Solution

Hi Patrick,
Yes, you are correct you don't need to specify the vlan. You would probably want to use
"authentication event server alive action reinitialize" to authenticate once the aaa servers are back online.

HTH


2 Replies

Thank you for the clarification, RJI!

This worked wonderfully once I applied

authentication event server dead action authorize
authentication event server dead action authorize voice

Both the data and voice device (laptop plugged into phone switch port) worked.  However, once I applied 

authentication event server alive action reinitialize

The radius server for some reason was marked as up and I was unable to authenticate.  Perhaps it was that I null routed the radius server IP.

Throwing packets since 2012
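Putting the commands from this thread into a complete port and RADIUS configuration, as an added example that is not from the original posts or from Cisco's guide. It assumes standard IOS-XE 3.6E syntax; the interface, VLAN numbers, server name, address and shared secret are placeholders. The dead-criteria and deadtime lines matter for the symptom in the last reply: without them the switch may never mark an unreachable server dead, so the critical-authorization action never triggers and sessions just wait on RADIUS.

```cisco
! --- Global: let the switch actually detect a dead RADIUS server ---
radius server ISE-PSN1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key PLACEHOLDER-SHARED-SECRET
 ! Optional: probe the server so "dead" is detected even with no clients authenticating
 automate-tester username radius-probe ignore-acct-port idle-time 3
!
! Mark a server dead after 3 unanswered tries within 10 s, keep it dead for 10 min
radius-server dead-criteria time 10 tries 3
radius-server deadtime 10
!
aaa group server radius ISE-GROUP
 server name ISE-PSN1
!
aaa authentication dot1x default group ISE-GROUP
aaa authorization network default group ISE-GROUP
dot1x system-auth-control
!
! --- Access port: laptop daisy-chained through an IP phone ---
interface GigabitEthernet1/0/1
 description employee laptop + phone (placeholder)
 switchport mode access
 switchport access vlan 100
 switchport voice vlan 200
 authentication host-mode multi-auth
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 ! Fail open: with every server in the group dead, authorize the data domain on the
 ! port's existing access VLAN (no "vlan" keyword) and the voice domain on the voice VLAN.
 ! Sessions authorized this way get the static VLAN with no RADIUS-pushed ACL or dACL.
 authentication event server dead action authorize
 authentication event server dead action authorize voice
 ! When a server comes back, re-run authentication on critically authorized sessions
 ! so each endpoint gets its normal RADIUS result instead of staying on the fallback.
 authentication event server alive action reinitialize
 mab
 dot1x pae authenticator
 spanning-tree portfast
!
! --- Verification while testing the failover ---
! show radius server-group all                        -> per-server state (alive/dead)
! show authentication sessions interface Gi1/0/1 details  -> look for "Critical Auth"
```

Test dead detection by blocking the RADIUS ports rather than null-routing the server address, and confirm the server shows as dead before judging whether the port failed open.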