
aaa authentication dot1x default group radius none

mohammed hashim
Level 1

Hi,

 

I do have Radius implemented for 802.1x.

I am using the following switch:

 

image.png

 

I want the switch to allow user access if the Radius server is down. The issue with the following command is that I don't get the "none" option:

 

aaa authentication dot1x default group radius none

 

image.png

 

 

 

According to Cisco documentation, this command is valid:

 

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-cr-book/sec-cr-a1.html

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-xe-3se-3850-cr-book/sec-a1-xe-3se-3850-cr-book_chapter_00.html

 

 

Can you please help me with what to do about this?


mohammed hashim
Level 1

Any help, please?

Hi,

I am not sure what your VLAN and switch configuration is, but try it like this:

aaa new-model
!
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
dot1x system-auth-control
!
interface GigabitEthernet1/0/2
 switchport mode access
 ! If authentication fails, assign VLAN 2
 authentication event fail action authorize vlan 2
 ! If there is no response, assign VLAN 3
 authentication event no-response action authorize vlan 3
 ! If all configured servers are marked dead, assign VLAN 3
 authentication event server dead action authorize vlan 3
 authentication host-mode multi-host
 authentication port-control auto
 dot1x pae authenticator

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

Hi,

Yes, the option "none" is not available with your IOS release. You can achieve what you are aiming for via the "authentication event server dead action authorize" interface configuration command.

Best regards,

Antonin

Hi dears,

 

Sorry for the late update on this.

 

I tried the suggested commands, but unfortunately the issue still persists: the switch does not allow the endpoint to access the network if Radius is down. I tried several variations of the following commands:

 

interface GigabitEthernet0/17
 switchport mode access
 authentication event fail action authorize vlan 1
 authentication event server dead action authorize vlan 1
 authentication event no-response action authorize vlan 1
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication order dot1x
 authentication priority dot1x
 authentication port-control auto
 authentication periodic
 authentication violation restrict
 mab
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 snmp trap link-status permit duplicates
 dot1x pae authenticator
 dot1x timeout quiet-period 30
 spanning-tree portfast
end

 

 

Can anything be done?

Hi,

Thanks for the feedback. With multiauth mode you can also try the below interface command:

"authentication event server dead action reinitialize vlan 1"

(instead of "... authorize vlan 1").

There are known bugs related to the critical VLAN for various platforms and various IOS releases. If unsuccessful, you MAY consider updating your IOS.

Best regards,

Antonin

Thank you, this solved my problem.

 

"authentication event server dead action reinitialize vlan 1"
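
Because the server-dead action decides which ports admit hosts without authentication while RADIUS is unreachable, and into which VLAN, it is worth auditing across a running-config. The script below is an added example, not part of the original thread or Cisco's tooling; the sample config and the function name are constructed, and the multi-auth check encodes only what resolved this thread, not a documented Cisco rule.

```python
import re

# Constructed sample config for illustration (not taken from the thread's switch).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/17
 authentication event server dead action authorize vlan 1
 authentication host-mode multi-auth
 authentication port-control auto
!
interface GigabitEthernet0/18
 authentication event server dead action reinitialize vlan 1
 authentication host-mode multi-auth
 authentication port-control auto
!
interface GigabitEthernet0/19
 authentication port-control auto
!
interface GigabitEthernet0/20
 switchport mode access
"""

DEAD_RE = re.compile(
    r"authentication event server dead action (authorize|reinitialize)(?: vlan (\d+))?")

def audit_dead_server_action(config):
    """Map each port with 'authentication port-control auto' to a finding."""
    findings = {}
    for block in re.split(r"(?m)^(?=interface )", config):
        lines = [line.strip() for line in block.splitlines()]
        if not lines or not lines[0].startswith("interface "):
            continue
        if "authentication port-control auto" not in lines:
            continue  # port-based authentication is not enabled on this port
        name = lines[0].split(None, 1)[1]
        # IOS default host mode is single-host when no host-mode line is present.
        mode = next((l.split()[-1] for l in lines
                     if l.startswith("authentication host-mode ")), "single-host")
        dead = next((m for m in map(DEAD_RE.fullmatch, lines) if m), None)
        if dead is None:
            findings[name] = "fail-closed: no server-dead action configured"
        elif mode == "multi-auth" and dead.group(1) == "authorize":
            findings[name] = "check: multi-auth with 'authorize' (thread needed 'reinitialize')"
        else:
            findings[name] = f"fail-open: {dead.group(1)} into vlan {dead.group(2) or 'unspecified'}"
    return findings

if __name__ == "__main__":
    for port, finding in audit_dead_server_action(SAMPLE_CONFIG).items():
        print(f"{port}: {finding}")
```

Every "fail-open" line names the VLAN that unauthenticated hosts land in during a RADIUS outage, so that VLAN's reachability is the thing to review next.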

 
