Radius fallback on 2960

Hi, I have ISE 1.2 and a Catalyst 2960.
I have 2 ISE nodes; both ISE nodes are PSNs.
Normally users are authenticated on ISE1 (192.168.1.1); if ISE1 is not available, users must be authenticated on ISE2 (192.168.5.1).
Once ISE1 becomes available, users must be authenticated on ISE1.
These are the commands that I used, but it does not work:
radius-server dead-criteria time 5 tries 3
radius-server host 192.168.1.1 auth-port 1812 acct-port 1813 key Abcd123
radius-server host 192.168.5.1 auth-port 1812 acct-port 1813 key Abcd123
Please, how can I configure it?
Thanks

Hi,
You have to take care of the following rules before applying the active-standby node in ISE.
You can specify two Monitoring ISE nodes on an ISE network and create an active-standby pair. Once the active-standby pair is defined, the following rules apply:
•All configuration changes must be made on the primary Monitoring ISE node. The secondary node is read-only.
•Configuration changes made to the primary node are automatically replicated on the secondary node.
•Both the primary and secondary nodes are listed as log collectors to which all other nodes send logs.
•The ISE dashboard is the main entry point for monitoring and troubleshooting. Monitoring information is displayed on the dashboard from the primary Monitoring ISE node. If the primary node goes down, the information is served from the secondary node.
•Backing up and purging monitoring data is not part of a standard ISE node backup process. You must configure repositories for backup and data purging on both the primary and secondary Monitoring ISE nodes, using the same repositories for each.
For more details, kindly look at:
http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_dis_deploy.html
Regards,
Gurpreet S Puri
Keep Smiling, Peace
(Please Rate Helpful Post)
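    A switch-side configuration that does what the question asks (use ISE1, fail over to ISE2 while ISE1 is dead, and return to ISE1 as soon as it answers again), added here as an example; it is not from the question or from the reply above. It assumes the 2960 runs IOS 15.0(2)SE or later, which has the `radius server <name>` syntax; the two addresses and the key Abcd123 are taken from the question, while the server-group name ISE-PSN and the probe account ise-probe are assumptions. The reply above describes the Monitoring persona, which is about log collection and does not decide which PSN a switch sends its RADIUS requests to.

```cisco
! Added example, not from the post. Assumes IOS 15.0(2)SE+ on the 2960; the group
! name ISE-PSN and the probe user ise-probe are assumptions, addresses/key are from
! the post.
aaa new-model
!
! A server is declared dead after it has gone unanswered for 5 seconds AND 3
! consecutive retransmits. deadtime is what makes the switch actually skip a dead
! server (10 minutes here); with the default deadtime of 0 every request still
! goes to ISE1 first and has to time out before ISE2 is tried.
radius-server dead-criteria time 5 tries 3
radius-server deadtime 10
!
radius server ISE-PSN-1
 address ipv4 192.168.1.1 auth-port 1812 acct-port 1813
 key Abcd123
 ! Probe the server with a dedicated, unprivileged account. Any reply
 ! (Access-Accept or Access-Reject) marks it alive again, so the switch goes
 ! back to ISE1 without waiting for the deadtime to expire. A timeout is not a reply.
 automate-tester username ise-probe idle-time 5
!
radius server ISE-PSN-2
 address ipv4 192.168.5.1 auth-port 1812 acct-port 1813
 key Abcd123
 automate-tester username ise-probe idle-time 5
!
! Order inside the group is the preference order: ISE-PSN-2 is only used while
! ISE-PSN-1 is marked dead. Do not add "load-balance" to this group, or requests
! are spread over both PSNs instead of preferring the first.
aaa group server radius ISE-PSN
 server name ISE-PSN-1
 server name ISE-PSN-2
!
aaa authentication dot1x default group ISE-PSN
aaa authorization network default group ISE-PSN
aaa accounting dot1x default start-stop group ISE-PSN
!
! Check the result: "show aaa servers" lists each server's state (UP/DEAD) and the
! dead-detection counters, "show radius server-group all" shows the group order.
```

    On an older image without `radius server <name>`, the same probe is attached with the legacy form `radius-server host 192.168.1.1 auth-port 1812 acct-port 1813 test username ise-probe idle-time 5 key Abcd123`. Create ise-probe in ISE as an internal user with no useful authorization, or leave it undefined and accept the periodic Access-Reject in the ISE live log; either way the switch only needs an answer, and the account must never be one that a real user or admin logs in with.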

Similar Messages

  • WLC RADIUS Fallback Questions

    We would like to configure RADIUS fallback to ensure RADIUS authentications always go to their primary ACS while it's available, but the documentation is not very clear with regard to the username configuration.
    There is no mention of a password, but if you enable fallback - even with the default "cisco-probe" username, failures of that account show up on the ACS server log, so I'm assuming it's not working.
    Can someone shed some light on how exactly this "cisco-probe" should work?
    Thanks!

    There are three modes to fall back:
    off - no fallback
    passive - WLC sends the credentials to the 'dead' server when a user tries to authenticate
    on - You configure a username, and an interval.  WLC sends the credentials to the 'dead' server at configured interval.
    The password really doesn't matter, just that the WLC gets a packet back.  So getting a reject back from the server would bring it back 'alive' in the AAA list.
    make sense?
    HTH,
    Steve
    Please remember to rate useful posts, and mark questions as answered

  • ISE 1.2 rejects RADIUS messages from 5508 WLC

    The setup in ref is:
    WLC 5508 HA pair running 7.6 talking to ISE 1.2 patch 7 (was 6).
    Wireless users are authenticated fine, so the 5508 is a valid NAD in ISE, but...
    When I setup active RADIUS fallback, so that the WLC can poll the ISE servers I get the message:
    "The RADIUS request from a non-wireless device was dropped because the installed license is for wireless devices only"
    Why would ISE drop a RADIUS message from a WLC which is a wireless device?  Surely this is a mistake?

    Hi Nicholas,
    This is a known defect.
    CSCug34679    ISE drops keep-alive coming from WLC.
    Symptom:
    ISE drops keep-alive authentications coming from the WLC, with message 11054 "Request from a non-wireless device due to installed wireless license".
    Conditions:
    When only a wireless license is installed on the ISE and active keep-alive is used on the WLC.
    Workaround:
    Use passive keep-alive on the WLC, not active.
    Regards,
    Jatin Katyal
    *Do rate helpful posts*

  • RADIUS configuration assistance

    Hi
    I want to configure RADIUS on my 2960 switch. I applied the configuration below:
    aaa new-model
    radius-server host 10.189.x.x key syafiq
    radius-server source-ports 1645-1646
    aaa authentication login default group radius local
    aaa authentication enable default group radius enable
    aaa authorization network default group radius local
    aaa authorization exec default group radius local
    aaa accounting exec default start-stop group radius
    aaa accounting network default start-stop group radius
    ip radius source-int vlan2
    line vty 0 4 
    login authentication default
    transport input ssh
    Unfortunately, I can't log in using the ID given, but I am able to log in with a local ID. I have checked the Cisco doc on the config and the configuration looks correct. Please help. Thanks.

    My Oracle server's configuration is listed below:
    1 sqlnet.ora
    # SQLNET.ORA Network Configuration File: e:\oracle\ora92\network\admin\sqlnet.ora
    # Generated by Oracle configuration tools.
    SQLNET.AUTHENTICATION_SERVICES=radius
    SQLNET.RADIUS_SECRET=e:\oracle\ora92\network\security\radius.key
    SQLNET.RADIUS_AUTHENTICATION=192.168.1.198
    SQLNET.RADIUS_AUTHENTICATION_PORT=1645
    SQLNET.RADIUS_AUTHENTICATION_TIMEOUT=2
    SQLNET.RADIUS_AUTHENTICATION_RETRIES=4
    sqlnet.radius_accounting = off
    sqlnet.radius_challenge_response = off
    sqlnet.radius_authentication_interface = DefaultRadiusInterface
    2. I have added the following lines to the bottom of init.ora:
    REMOTE_OS_AUTHENT=FALSE
    OS_AUTHENT_PREFIX=""
    3. Restart the Oracle service and connect to the server:
    SQL> CREATE USER AAA IDENTIFIED EXTERNALLY;
    SQL> GRANT CREATE SESSION TO AAA;
    SQL> CONNECT AAA/AAApassword@ORCL;
    But the RADIUS server received nothing. What's wrong with my configuration?

  • WLC RADIUS Server Failover - Passive mode timer

    In 7.2 WLC code, it appears it is now possible to specify which RADIUS servers are used as the preferred server for authentication (
    Security > AAA > RADIUS > Fallback to open the RADIUS > Fallback Parameters ).
    There are 3 modes for this: off, passive & active.
    In the passive mode, the operation is described in the config guide as :
    Passive
    —Causes the controller to revert to a server with a lower priority from the available backup servers without using extraneous probe messages. The controller ignores all inactive servers for a time period and retries later when a RADIUS message needs to be sent.
    Does anyone know how long this 'time period' is? If it is only a few seconds, then it could be that user authentications are being used to test against a failed RADIUS server frequently & will experience annoying time-out delays, causing support calls etc.
    Anyone know what it is, or if it's configurable? I don't see anything in the docs...
    Nigel.

    Here you go.
    RADIUS Server Fallback Feature on WLC.
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008098987e.shtml#passive

  • WLC Radius Server Load Balance

    Hi,
    Can someone provide me a detailed description of how WLC RADIUS server load balancing works?
    Because I encountered a problem where the user authenticated with the 1st RADIUS server, but the accounting records are actually on the 2nd server.
    Any response will be very appreciated
    -Angela

    Hi Angela,
    I pasted below the part of config guide explaining the different modes. In summary :
    -Fallback off means: when the 1st RADIUS server shows dead, the WLC moves to the second, and will only change again when the 2nd is dead too.
    -Passive means: when the 1st RADIUS server is dead, the WLC moves to the second. If a new authentication comes in, it will try the 1st RADIUS server again.
    -Active means: the WLC constantly sends RADIUS probes to detect when the primary is back up.
    config radius fallback-test mode {off | passive | active}
    where
    •off disables RADIUS server fallback.
    •passive causes the controller to revert to a server with a lower priority from the available backup servers without using extraneous probe messages. The controller simply ignores all inactive servers for a time period and retries later when a RADIUS message needs to be sent.
    •active causes the controller to revert to a server with a lower priority from the available backup servers by using RADIUS probe messages to proactively determine whether a server that has been marked inactive is back online. The controller simply ignores all inactive servers for all active RADIUS requests. Once the primary server receives a response from the recovered ACS server, the active fallback RADIUS server no longer sends probe messages to the server requesting the active probe authentication.
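    The three fallback modes as WLC CLI configuration, added here as an example; it is not from any of the posts above. It assumes an AireOS 7.x controller whose RADIUS servers are already defined, and a probe account named wlc-probe (an assumption) that exists on the AAA server as an ordinary, unprivileged user. AireOS has no comment character, so the lines beginning with `!` are explanation, not CLI. The passive alternative is the workaround for the ISE wireless-license defect CSCug34679 quoted earlier on this page.

```cisco
! Added example, not from the posts above. Assumes AireOS 7.x, servers already
! defined, probe account "wlc-probe" (name assumed). "!" lines are not CLI.
!
! Active: every <interval> seconds (180-3600, default 300) the WLC sends an
! Access-Request for the probe user to each server it has marked dead. Any reply,
! Accept or Reject, brings the server back, so the password is irrelevant and the
! Rejects logged on ACS/ISE for wlc-probe are the feature working as designed.
config radius fallback-test mode active
config radius fallback-test username wlc-probe
config radius fallback-test interval 300
!
! Passive: no probes. A dead server is ignored for a while and then retried with
! the next real authentication, which that one client may pay for as a timeout.
! Use this instead of active when ISE is licensed for wireless only (CSCug34679).
! config radius fallback-test mode passive
!
! Off: once failed over, the WLC stays on the lower-priority server until that one
! also fails or the controller reboots.
! config radius fallback-test mode off
!
! Verify: mode, interval and probe username, then per-server request/timeout counters.
show radius summary
show radius auth statistics
```

    Whatever the mode, keep the probe account out of any group that grants real access: the WLC sends its name in the clear in every probe, and an Access-Accept for it must not mean anything to the network.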

  • Radius authntication failure

    Hi,
    We've been struggling with this problem for weeks without a solution yet. Maybe someone can help us. We have a RADIUS server over WAN with PEAP configuration. These days I often see these trap logs and clients are unable to connect. I have tried increasing the EAP timer values but I still see the same logs. When I consult the RADIUS server admin, he says that for this particular MAC address they are not getting any request or logs, and there is no issue with the RADIUS server as clients at other locations don't have any problem.
    Yesterday, we found that all the clients who were authenticated using the RADIUS server got disconnected and were unable to reconnect again. Only after rebooting the controller could they connect.
    What might be the reason for this? My WLC 2504 is running ver 7.0.240 with access point models 1231 and 1262.
    RADIUS server 172.16.100.254:1812 failed to respond to request (ID 187) for client 40:6f:2a:06:51:c0 / user 'unknown'
    I can even see this logs
    AAA Authentication Failure for UserName:host/dial1 User Type: WLAN USER

    I know that you mentioned you have only one radius working now. But I want to know if you disabled one of them globally or from under the WLAN.
    Please show us the output of the following command from the WLC CLI:
    show wlan
    Regarding the timeout, it is configurable under the RADIUS authentication page under the security tab:
    Security -> AAA -> RADIUS -> Authentication (or Accounting).
    After opening your server's config, you can find a "Server timeout" value. The default is 2 seconds.
    You can issue the command (show radius auth statistics) to see the statistics and the timers about your server. I think this can be helpful to you to isolate your issue.
    If a user is authenticated then it will not get disconnected if the server goes down. Only new authenticating users will get affected if the server goes down. If one of the connected users goes down while the server is down then it will not be able to connect again until the server comes back up again.
    Also, about RADIUS fallback feature you can read this doc:
    http://goo.gl/Ndlj3T
    HTH
    Amjad
    Rating useful replies is more useful than saying "Thank you"

  • Empty accounting log in ISE

    Hi,
    I am using ISE 1.1.1 with a 2960.
    Recently I found some empty entries in the accounting report (see AAA accounting.png).
    So I did a sniffer capture and found out that the source IP is the 2960.
    Then I went to check the log in "Network Device Log" (see Network device log.png).
    I can see the IP address of the 2960.
    Does anybody know why the log in AAA accounting is empty and how to get rid of these entries?
    Some aaa and radius config on the 2960:
    aaa new-model
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa accounting dot1x default start-stop group radius
    aaa server radius dynamic-author
    client X.X.X.X server-key 7 0XXXXXXX43
    aaa session-id common
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server dead-criteria time 5 tries 3
    radius-server host X.X.X.X auth-port 1812 acct-port 1813
    radius-server key 7 XXXXXXXX500
    radius-server vsa send accounting
    radius-server vsa send authentication
    Thanks.

    Hi,
    In Cisco ISE, to see live failed and passed authentication logs:
    Operations > Authentications > Live Authentications, then click on Details.
    For failed login attempts by administrators:
    Monitor > Reports > Catalog > Server Instance > Server Administrator Logins report
    For understanding and configuring logs:
    Administration > System > Logging

  • AAA Servers toggles per WLAN

    Dear Team, I have a controller-based installation with 802.1x auth via ACSSE and AD. The controllers are running 4.2.173.0. 2 ACSSE are configured. Since a few days we see problems with client authentication. The WLC log shows that the WLAN toggles between the 2 RADIUS servers:
    84 Tue Dec 9 09:29:19 2008 RADIUS server xx.xx.xx.xx:1812 activated on WLAN 2
    85 Tue Dec 9 09:29:19 2008 RADIUS server xx.xx.xx.yy:1812 deactivated on WLAN 2
    86 Tue Dec 9 09:29:19 2008 RADIUS server xx.xx.xx.yy:1812 failed to respond to request (ID 148) for client <Client-MAC> / user 'unknown'
    Does anyone know under which conditions, timeouts etc. the WLAN changes the RADIUS server? Since we don't run 5.x, we can't use the dedicated RADIUS fallback feature. Has anyone seen this problem? Regards, Michael

    After working with TAC, I resolved this issue recently.  Increasing the timeout value did not help. On the WLC, try:
    config radius aggressive-failover disable
    As per http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665d18.shtml :
    If the aggressive failover feature is enabled in WLC, the WLC is too aggressive to mark the AAA server as not responding. But, this should not be done because the AAA server is possibly not responsive only to that particular client, if you do silent discard. It can be a response to other valid clients with valid certificates. But, the WLC can still mark the AAA server as not responding and not functional.
    In order to overcome this, disable the aggressive failover feature. Issue the config radius aggressive-failover disable command from the controller GUI in order to perform this. If this is disabled, then the controller only fails over to the next AAA server if there are three consecutive clients that fail to receive a response from the RADIUS server.

  • Wlan Controller 2504

    Hi friends:
    I have configured 02 RADIUS servers in my WLAN controller for 802.1x authentication. I want to know which RADIUS server my users will use to connect.
    I want it to use the IP 10.240.4.7 first and the IP 10.240.134.7 second, but it always uses the IP 10.240.134.7.
    Best Regard,
    Marco

    Hi Marco,
    Are you saying that even though 10.240.4.7 is selected as the first server, the authentication requests are not going to that server at all? Are you able to see any passed or failed authentication logs on this ACS?
    Also, I'm not sure which version of code you are running on the WLC. You may have to look at the document below to understand more about the RADIUS fallback feature.
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008098987e.shtml#passive
    Hope that helps
    Regards
    Najaf
    Please rate when applicable or helpful !

  • AAA ordering question

    Hi can someone explain to me how the WLC (4402) decides which server to use for AAA?
    I have two servers set up as AAA servers, One with a server index of 1 and the other with an index of 2
    Index 1 =  x.x.x.70
    Index 2 =  x.x.x.38
    Under the AAA tab of one of my wlans I have them listed as:
    Server 1 = x.x.x.38
    Server 2 = x.x.x.70
    Is it the Index number thats the deciding factor? or is it the order in which they are listed under the AAA tab in the wlan config page?
    Cheers
    Dylan

    Hi,
    There are two ways to set the priority of the Radius server. If you have the Radius servers defined under the WLAN the server defined as Server 1 will be used first, Server 2 will be used second, and so on. If you don't have the Radius servers listed under the WLAN they will be used in the order they are listed in the global config (index number).
    The Radius fallback configuration will also come into play.  If you have Radius fallback disabled when the primary Radius server fails the controller will start using the secondary but it won't move back to the primary until either the secondary fails or the controller is rebooted. If you have it enabled the controller will start using the primary server when it becomes available again.
    So off the top of my head, these are the things which come to mind.
    Can you please check the failed logs on the server to make sure there aren't any messages about the requests from the controller?  Could be that the shared secret key isn't matching or the controller isn't defined in the server.
    Even try pinging the server from WLC and see the connectivity..
    or even..
    check if there is any firewall problem between the WLC and the RADIUS server.
    Let me know if this answered your question!!
    Regards
    Surendra
    ====
    Please don't forget to rate the useful post which answered your question or was helpful
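    Server ordering and failover sensitivity as WLC CLI, added here as an example to go with the aggressive-failover fix and the ordering explanation in the replies above; it is not from any of the posts. It assumes an AireOS controller, and the addresses 192.0.2.10 and 192.0.2.20, the shared secret S3cretSharedKey and WLAN 3 are all assumptions (the question's x.x.x.70 / x.x.x.38 are deliberately not filled in). Lines beginning with `!` are explanation, not CLI.

```cisco
! Added example, not from the posts above. AireOS WLC CLI; the addresses, the secret
! and WLAN 3 are assumptions. "!" lines are not CLI.
!
! Global list: the index is the global priority, used by any WLAN that has no
! servers of its own.
config radius auth add 1 192.0.2.10 1812 ascii S3cretSharedKey
config radius auth add 2 192.0.2.20 1812 ascii S3cretSharedKey
config radius auth enable 1
config radius auth enable 2
!
! Per-WLAN list overrides the global order: the server added first becomes
! "Server 1" and is tried first. The WLAN has to be disabled while its AAA servers
! are changed.
config wlan disable 3
config wlan radius_server auth add 3 1
config wlan radius_server auth add 3 2
config wlan radius_server auth enable 3
config wlan enable 3
!
! Aggressive failover (enabled by default): one unanswered request, e.g. a client
! whose EAP exchange the server silently discards, moves the whole WLAN to the next
! server and produces the activated/deactivated flapping in the log above.
! Disabled, the WLC fails over only after three consecutive clients get no reply.
config radius aggressive-failover disable
!
! Give each attempt a realistic budget before the WLC counts it as a timeout
! (per-server retransmit timeout in seconds, 2-30; the default is 2).
config radius auth retransmit-timeout 1 5
config radius auth retransmit-timeout 2 5
!
! Verify the lists and which server each WLAN is currently using.
show radius summary
show wlan 3
```

    If the first server still never sees a request after this, check the server side before the controller: a shared-secret mismatch or a missing NAD entry for the controller's management address makes the server drop the packet silently, and from the WLC that is indistinguishable from a dead server.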

  • WLC2125: vlan issue

    Best regards,
    I need your help.
    I have a WLC2125 configured and working with 4 LAPs.
    Now, when I want to add a new SSID and assign it to the respective VLAN, I can't access the new VLAN through layer 3.
    My laptop can detect the new SSID but can't get an IP address.
    When I configure a static IP address on the laptop I can ping the default gateway.
    From the WLC, I can ping the DHCP server and the gateway of the new VLAN.
    Also, I created another new SSID & VLAN and it works fine.
    WLC version is 5.1.151.
    The WLC connects to the switch through 2 trunk ports.
    There is a core router working as DHCP server.
    The problem is only with VLAN 12; other VLANs work fine.
    Why can't I access this VLAN through wireless?
    What do I have to do?
    Please, can someone help me?
    Thanks

    Ok, this is the running-config:
    802.11a cac voice tspec-inactivity-timeout ignore
    802.11a cac video tspec-inactivity-timeout ignore
    802.11a cac voice stream-size 84000 max-streams 2
    802.11b cac voice tspec-inactivity-timeout ignore
    802.11b cac video tspec-inactivity-timeout ignore
    802.11b cac voice stream-size 84000 max-streams 2
    aaa auth mgmt  local radius
    Location Summary
    Algorithm used:                 Average
    Client
            RSSI expiry timeout:     5 sec
            Half life:               0 sec
            Notify Threshold:        0 db
    Calibrating Client
            RSSI expiry timeout:     5 sec
            Half life:               0 sec
    Rogue AP
            RSSI expiry timeout:     5 sec
            Half life:               0 sec
            Notify Threshold:        0 db
    RFID Tag
            RSSI expiry timeout:     5 sec
            Half life:               0 sec
            Notify Threshold:        0 db
    location rssi-half-life tags 0
    location rssi-half-life client 0
    location rssi-half-life rogue-aps 0
    location expiry tags 5
    location expiry client 5
    location expiry calibrating-client 5
    location expiry rogue-aps 5
    Cisco Public Safety is not allowed to set in this domain
    ap syslog host global 255.255.255.255
    country EC
    local-auth method fast server-key 736563726574
    interface create estudiantes 19
    interface create empleados 194
    interface create invitados 207
    interface create investigadores 193
    interface create test_vlan31 31
    interface create wifi_invitados 12
    interface address ap-manager 172.16.16.100 255.255.255.0 172.16.16.1
    interface address dynamic-interface estudiantes 172.16.19.250 255.255.255.0 172.16.19.1
    interface address management 172.16.16.10 255.255.255.0 172.16.16.1
    interface address dynamic-interface empleados 172.16.194.19 255.255.255.0 172.16.194.1
    interface address dynamic-interface invitados 172.31.12.19 255.255.255.0 172.31.12.1
    interface address dynamic-interface investigadores 172.16.193.19 255.255.255.0 172.16.193.1
    interface address dynamic-interface test_vlan31 172.31.16.50 255.255.240.0 172.31.16.1
    interface address dynamic-interface wifi_invitados 172.31.32.50 255.255.240.0 172.31.32.1
    interface address virtual 1.1.1.1
    interface dhcp ap-manager primary 172.16.16.227
    interface dhcp dynamic-interface estudiantes primary 172.16.19.1
    interface dhcp management primary 172.16.16.227
    interface dhcp dynamic-interface empleados primary 172.16.2.54
    interface dhcp dynamic-interface invitados primary 172.31.12.1
    interface dhcp dynamic-interface investigadores primary 172.16.2.54
    interface dhcp dynamic-interface test_vlan31 primary 172.31.16.1
    interface dhcp dynamic-interface wifi_invitados primary 172.31.32.1
    interface vlan estudiantes 19
    interface vlan empleados 194
    interface vlan invitados 207
    interface vlan prof_investigadores 193
    interface vlan test_vlan31 31
    interface vlan wifi_invitados 12
    interface port ap-manager 1
    interface port estudiantes 1
    interface port management 1
    interface port pydlos_empleados 1
    interface port pydlos_invitados 1
    interface port pydlos_prof_investigadores 1
    interface port test_vlan31 1
    interface port wifi_invitados 1
    load-balancing window 5
    wlan apgroup add m-estudiantes vlan 19 estudiantes m
    wlan apgroup interface-mapping add m-estudiantes 1 estudiantes
    wlan apgroup nac disable m-estudiantes 1
    mesh security eap
    mobility group domain RFMed
    mobility dscp 0
    network webmode enable
    network telnet enable
    network multicast mode multicast 0.0.0.0
    network mgmt-via-dynamic-interface enable
    network ap-priority disabled
    network otap-mode disable
    network rf-network-name RFMed
    radius fallback-test mode off
    radius fallback-test interval 300
    rogue ap ssid alarm
    rogue ap valid-client alarm
    rogue adhoc enable
    rogue adhoc alert
    rogue ap rldp disable
    snmp version v2c enable
    snmp version v3 enable
    wlan create 1 Med Med
    wlan create 2 Empleados_Pydlos Empleados_Pydlos
    wlan create 3 Pydlos_Invitados Pydlos_Invitados
    wlan create 4 Pydlos_Academicos Pydlos_Academicos
    wlan create 5 test_ucwifi test_ucwifi
    wlan create 6 testvlan31 testvlan31
    wlan nac disable 1
    wlan nac disable 2
    wlan nac disable 3
    wlan nac disable 4
    wlan nac disable 5
    wlan nac disable 6
    wlan interface 1 estudiantes
    wlan interface 2 empleados
    wlan interface 3 invitados
    wlan interface 4 investigadores
    wlan interface 5 wifi_invitados
    wlan interface 6 test_vlan31
    wlan radio 1 802.11g
    wlan session-timeout 1 1800
    wlan session-timeout 2 1800
    wlan session-timeout 3 1800
    wlan session-timeout 4 1800
    wlan session-timeout 5 1800
    wlan session-timeout 6 1800
    wlan wmm allow 1
    wlan wmm allow 2
    wlan wmm allow 3
    wlan wmm allow 4
    wlan wmm allow 5
    wlan wmm allow 6
    wlan security wpa disable 1
    wlan security wpa disable 3
    wlan security wpa disable 5
    wlan security wpa disable 6
    wlan security static-wep-key encryption 1 104 1
    wlan security static-wep-key encryption 2 104 1
    wlan security static-wep-key encryption 4 104 1
    wlan security static-wep-key encryption 6 104 1
    wlan security wpa akm  802.1x disable 1
    wlan security wpa akm  psk enable 1
    wlan security wpa akm  802.1x disable 2
    wlan security wpa akm  psk enable 2
    wlan security wpa akm  802.1x disable 4
    wlan security wpa akm  psk enable 4
    wlan security wpa akm ft reassociation-time 20 1
    wlan security wpa akm ft over-the-air enable 1
    wlan security wpa akm ft over-the-ds enable 1
    wlan security wpa akm ft reassociation-time 20 2
    wlan security wpa akm ft over-the-air enable 2
    wlan security wpa akm ft over-the-ds enable 2
    wlan security wpa akm ft reassociation-time 20 3
    wlan security wpa akm ft over-the-air enable 3
    wlan security wpa akm ft over-the-ds enable 3
    wlan security wpa akm ft reassociation-time 20 4
    wlan security wpa akm ft over-the-air enable 4
    wlan security wpa akm ft over-the-ds enable 4
    wlan security wpa akm ft reassociation-time 20 5
    wlan security wpa akm ft over-the-air enable 5
    wlan security wpa akm ft over-the-ds enable 5
    wlan security wpa akm ft reassociation-time 20 6
    wlan security wpa akm ft over-the-air enable 6
    wlan security wpa akm ft over-the-ds enable 6
    wlan security wpa wpa1 enable 4
    wlan security wpa wpa1 ciphers tkip enable 2
    wlan security wpa wpa1 ciphers tkip enable 4
    wlan security wpa wpa2 ciphers aes disable 2
    wlan security wpa wpa2 ciphers tkip enable 2
    wlan security wpa wpa2 ciphers aes disable 4
    wlan security wpa wpa2 ciphers tkip enable 4
    wlan enable 1
    wlan enable 2
    wlan enable 3
    wlan enable 4
    wlan enable 5
    wlan enable 6

  • ISE 1.1.1 (Fallback to local Vlan if radius server is found to be dead) not working

    We have configured the following commands on the switch to fall back to a local VLAN if both RADIUS servers (policy personas) are found dead. For test purposes we shut down both servers (policy personas) but the fallback didn't work. We have a 3750 switch running image 12.2(55)SE6 with the following configuration.
    We do not know whether we configured the switch properly or whether we need to modify it.
    aaa new-model
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa authorization auth-proxy default group radius
    aaa accounting update periodic 5
    aaa accounting auth-proxy default start-stop group radius
    aaa accounting dot1x default start-stop group radius
    aaa accounting system default start-stop group radius
    aaa server radius dynamic-author
    client 10.10.10.10 server-key 7 12345678 (Policy Persona 1)
    client 10.10.10.11 server-key 7 12345678 (Policy Persona 2)
    server-key 7 12345678
    ip device tracking
    epm logging
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 6 support-multiple
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server dead-criteria time 30 tries 3
    radius-server host 10.10.10.10 auth-port 1812 acct-port 1813 key 7 12345678 (Policy Persona 1)
    radius-server host 10.10.10.11 auth-port 1812 acct-port 1813 key 7 12345678 (Policy Persona 2)
    radius-server vsa send accounting
    radius-server vsa send authentication
    Port Configuration
    interface GigabitEthernet0/1
    switchport access vlan 305
    switchport mode access
    ip access-group ACL-DEFAULT in
    authentication event fail action next-method
    authentication event server dead action reinitialize vlan 305
    authentication event server alive action reinitialize
    authentication host-mode multi-auth
    authentication open
    authentication order mab dot1x
    authentication priority dot1x mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    mab
    dot1x pae authenticator
    dot1x timeout tx-period 10
    spanning-tree portfast
    Please help....
    Thanks

    Tabish-
    The pre-auth ACL that you have on your port is used for what's called a "Low-Impact" mode type of setup. With Low-Impact mode you are allowing the services defined in the pre-auth ACL until the user/device is authenticated. Once authenticated, the pre-auth ACL gets replaced with the dACL/authorization policy that you have defined in the authorization profile. As a result, it is not possible to use a "fail-open" configuration with low-impact, as there is nothing to replace that pre-auth ACL since your NAD device(s) are unavailable.
    If you want to use the "fail-open" features you will have to use the "High Security/Closed Mode." In that mode you cannot utilize the pre-auth ACL and essentially only EAPoL traffic is allowed on the port until authenticated.
    For more info you should reference the TrustSec design guide located at:
    http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html
    Thank you for rating!
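    A closed-mode port with a critical (fail-open) VLAN, added here as an example of the layout the reply above describes; it is not from the post or the reply. It assumes the same 3750 on 12.2(55)SE, VLAN 305 as the critical VLAN and the two PSN addresses from the post. The global RADIUS lines are included because the port-level "server dead" action only fires once the switch has actually declared every server in the group dead, and the post's configuration has a dead-criteria but no deadtime.

```cisco
! Added example, not from the post or the reply. Assumes the 3750 on 12.2(55)SE
! from the post, VLAN 305 as the critical VLAN and the PSNs 10.10.10.10 / .11.
!
! Global: declaring a server dead needs both a dead-criteria (when) and a non-zero
! deadtime (how many minutes it is skipped). With the default deadtime of 0 the
! switch keeps retrying the servers on every request and the dead event on the
! ports is never raised, so the critical VLAN is never used.
radius-server dead-criteria time 30 tries 3
radius-server deadtime 10
! Send EAP-Success to the supplicant when the port is critically authorized so it
! stops retrying, and wait 1 s after a server is back before reinitializing.
dot1x critical eapol
authentication critical recovery delay 1000
!
! Closed mode: no "authentication open" and no pre-auth ACL on the port, so only
! EAPoL (plus CDP/LLDP/STP) passes before a host is authorized.
interface GigabitEthernet0/1
 switchport access vlan 305
 switchport mode access
 authentication host-mode multi-auth
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication event fail action next-method
 ! All servers dead: authorize the port into VLAN 305. "authorize" applies to hosts
 ! that arrive while the servers are down; "reinitialize" (the post's variant)
 ! additionally moves hosts that were already authorized into the critical VLAN.
 authentication event server dead action authorize vlan 305
 ! First server back: re-authenticate the critically authorized hosts.
 authentication event server alive action reinitialize
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
```

    Applied to the port in the post this means removing `ip access-group ACL-DEFAULT in` and `authentication open`; the rest can stay. To test, shut both PSNs down and watch `show aaa servers` until both show DEAD, then `show authentication sessions interface Gi0/1` should report the session as critically authorized in VLAN 305; if the servers never go DEAD, the port-level configuration is not the problem.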

  • Cisco 2960-X & ISE accounting- username Radius attribute missing

    Hi,
    I'm facing an issue with Cisco 2960 switch RADIUS accounting with Cisco ISE 1.2.1. Here is my scenario:
    - Username (vendor1) is configured in the ISE local database, under group (VENDOR)
    - Authentication protocol: wired MAB
    - Authentication method: webauth using the guest portal; the user is a vendor, so no dot1x is configured on his NIC.
    The problem is that the switch is not sending the username as part of the RADIUS attributes; in the authentication log the username is shown as the MAC address of the user machine, therefore I cannot configure my authorization condition using internaluser:Name Equal vendor1,
    while if I configure the condition using the identity group condition IdentityGroup:Name Equal VENDOR, it works.
    The same configuration is working on a 3750 switch with no issue.
    Here is my Switch config:
    aaa authentication login default local
    aaa authentication dot1x default group radius
    aaa authorization network default group radius 
    aaa authorization auth-proxy default group radius 
    aaa accounting auth-proxy default start-stop group radius
    aaa accounting dot1x default start-stop group radius
    aaa accounting update periodic 5
    username admin password 
    username radius-test password 
    aaa server radius dynamic-author
     client 172.16.2.20 server-key 7 04490A0206345F450C00
     client 172.16.2.21 server-key 7 03165A0F0F1A32474B10
    radius server ISE-RADIUS-1
     address ipv4 172.16.2.20 auth-port 1812 acct-port 1813
     automate-tester username radius-test idle-time 15
     key 7 111B18011E0718070133
    radius server ISE-RADIUS-2
     address ipv4 172.16.2.21 auth-port 1812 acct-port 1813
     automate-tester username radius-test idle-time 15
     key 7 0214055F02131C2A4957
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server attribute 31 mac format ietf upper-case
    radius-server attribute 31 send nas-port-detail
    radius-server dead-criteria time 5 tries 3
    radius-server vsa send accounting
    radius-server vsa send authentication
    Any help!!!

    Thanks for your reply. I know what MAB is; if you read my explanation again, I mentioned that the user is authenticated in the guest portal, which means that I have web authentication, and it is working fine. The only issue is that I cannot use the vendor1 username as part of the authorization condition, and this is because the switch is not sending RADIUS attribute type 1 to the ISE; thus, in the ISE authentication log the MAC address of the client machine is shown as the username, not the actual username (vendor1).
    As I mentioned also, I have exactly the same setup with ISE 1.2 and a 3750 switch and I do not have this issue. I experience this with the 2960X only.

  • Using root bridge as a fallback radius server for WPA and EAP

    From reading the different documentation out there, it seems that one should be able to configure a root bridge as a fallback radius server in case a primary radius server were to be unreachable. Has anyone encountered this situation? And could they share the steps and configuration statements to apply the bridges (1310 or 1410) in order to make this happen?
    Many Thanks and Regards,
    Giles -

    Yes, you have to first configure a root bridge as a fallback radius server in case a primary radius server were to be unreachable
