I'd like to know if there is any way to configure the switch so that, in case the RADIUS server is dead and devices try to (re)authenticate, the port gets the latest VLAN which was authorized on this port.

Maybe I just need a command that says: "if (re)authentication fails because the RADIUS server is unreachable, use the latest VLAN from the specific port".

  • I want this too but I don't think it exists. Hopefully someone will prove me wrong. Our current solution involves Python to periodically grab "show int status | inc (connected|monitor)" and more Python to generate configs with the VLANs from that. Commented Feb 8, 2017 at 13:03
  • @DaveNoonan Damn, that's bad. I mean I am able to give them a specific VLAN in case of unreachability of the RADIUS server. But I don't want like 4000 people in one VLAN when the RADIUS server is down. Anyway, thanks for your comment. Commented Feb 8, 2017 at 13:21
  • You should use fallback to a secondary RADIUS server if the primary is down. You can also set up authentication priority to choose a different auth method like MAB or webauth. Commented Feb 8, 2017 at 13:56
  • Might I suggest spending the effort on making your RADIUS server more reliable so this problem doesn't occur? If you can't do that, then consider what you're proposing: "Allow users on the network if they're authenticated -- unless you can't authenticate them, in which case let them on anyway." Consider what you're really trying to accomplish with NAC. Commented Feb 8, 2017 at 14:30
  • @RonTrunk Yeah, you're right. This is just a scenario which would have been nice for my requirements. But I think it is unlikely that all RADIUS servers are unavailable, and even then, the critical VLAN assignment should be enough in this case. Commented Feb 8, 2017 at 14:47

1 Answer

If you are using 802.1X on a Cisco switch, you can configure the interface to fall back to an authorized VLAN if the server is dead.

 authentication event server dead action authorize vlan XX
 authentication event server dead action authorize voice

I don't know of any way to cause the switch to "remember" the last authorized vlan.
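Since the switch cannot remember the last authorized VLAN itself, the practical route is the one Dave Noonan describes in the comments: poll `show interfaces status`, keep a record of the VLAN each port was last authorized into, and generate the per-interface `authentication event server dead action authorize vlan` lines from that record. The script below is an added example written for this page, not code from the thread or from Cisco. The `show interfaces status` output, port names and VLAN numbers are constructed; the fallback VLAN (999) for ports with no history, and the `authentication event server alive action reinitialize` line it emits so ports re-authenticate once RADIUS returns, are assumptions you would adapt to your own setup.

```python
"""Generate per-port critical-VLAN config from `show interfaces status`.

Added example (not from the original thread): poll the switch, remember the
VLAN each 802.1X port was last authorized into, and emit a per-interface
`authentication event server dead action authorize vlan <n>` so a RADIUS
outage lands each port in its last-known VLAN instead of one shared VLAN.
"""
import re
from typing import Dict

# Constructed sample in the layout of Cisco IOS `show interfaces status`.
SAMPLE_SHOW_INT_STATUS = """\
Port      Name               Status       Vlan       Duplex  Speed Type
Gi1/0/1   user-pc            connected    10         a-full  a-1000 10/100/1000BaseTX
Gi1/0/2                      notconnect   1            auto   auto 10/100/1000BaseTX
Gi1/0/3   printer            connected    30         a-full  a-100 10/100/1000BaseTX
Gi1/0/4   uplink             connected    trunk      full    1000 10/100/1000BaseTX
Gi1/0/5   span-dest          monitoring   40         a-full  a-100 10/100/1000BaseTX
Gi1/0/6   lab                err-disabled 10         auto    auto 10/100/1000BaseTX
"""

# The Name column may be empty, so anchor the match on the Status keyword
# rather than on column positions.
STATUS_RE = re.compile(
    r"^(?P<port>\S+)\s+(?P<name>.*?)\s*"
    r"(?P<status>connected|notconnect|err-disabled|disabled|inactive|monitoring)"
    r"\s+(?P<vlan>\S+)\s+"
)


def parse_show_int_status(text: str) -> Dict[str, Dict[str, str]]:
    """Return {port: {"status": ..., "vlan": ...}}; header and odd lines are skipped."""
    ports = {}
    for line in text.splitlines():
        m = STATUS_RE.match(line)
        if m:
            ports[m["port"]] = {"status": m["status"], "vlan": m["vlan"]}
    return ports


def authorized_vlans(ports: Dict[str, Dict[str, str]],
                     statuses=("connected",)) -> Dict[str, int]:
    """VLANs of ports currently up on a numeric (access) VLAN.

    Trunk/routed ports are ignored, and so are ports that are down: a down
    port's Vlan column shows its static access VLAN, not what RADIUS assigned.
    """
    return {
        port: int(info["vlan"])
        for port, info in ports.items()
        if info["status"] in statuses and info["vlan"].isdigit()
    }


def remember(previous: Dict[str, int], current: Dict[str, int]) -> Dict[str, int]:
    """Merge this poll into the stored history; a port that is now down keeps
    the VLAN recorded the last time it was connected."""
    merged = dict(previous)
    merged.update(current)
    return merged


def _natural(port: str):
    # Sort Gi1/0/2 before Gi1/0/10 by comparing the numeric parts as ints.
    return [int(t) if t.isdigit() else t for t in re.split(r"(\d+)", port)]


def render_config(ports: Dict[str, Dict[str, str]], remembered: Dict[str, int],
                  fallback_vlan: int) -> str:
    """Emit per-interface critical-VLAN config. Access ports with no history
    get the shared fallback VLAN (assumed: 999 in the demo); trunks are skipped."""
    out = []
    for port in sorted(ports, key=_natural):
        if not ports[port]["vlan"].isdigit():
            continue
        vlan = remembered.get(port, fallback_vlan)
        out += [
            f"interface {port}",
            f" authentication event server dead action authorize vlan {vlan}",
            " authentication event server dead action authorize voice",
            " authentication event server alive action reinitialize",
        ]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    parsed = parse_show_int_status(SAMPLE_SHOW_INT_STATUS)
    # Pretend an earlier poll saw Gi1/0/2 authorized into VLAN 20 (constructed).
    history = remember({"Gi1/0/2": 20}, authorized_vlans(parsed))
    print(render_config(parsed, history, fallback_vlan=999))
```

The history file is the important part: a port that is `notconnect` at poll time still gets the VLAN it was last seen in, while a port with no history at all gets the shared fallback VLAN from the answer above. The record goes stale between polls (a port re-authorized into a different VLAN after the last poll falls back to the old one), and, as Ron Trunk's comment points out, every port this touches is one that will come up without authentication during an outage, so keep the poll interval short and the fallback VLAN restricted.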
