Wired Intelligent Edge

Disable switchport and AAA authentication until Radius server accessible

  • 1.  Disable switchport and AAA authentication until Radius server accessible

    Posted Feb 17, 2020 10:24 PM

    Hi,

    We have a situation with switches at remote sites using AAA on ports.

    After a power cut at the site, the switch will boot up very quickly, before the WAN comes up.

    Devices plugged in use 802.1X or MAC auth and often boot up before the WAN comes up.

    The problem is that client devices will fail auth, because the RADIUS server can't be reached, and then go into the fail VLAN.

    I was sure I read in the release notes somewhere that it was possible to hold off bringing up the switch port until the RADIUS server was accessible, but I can't find this.

    Anyone know how to do this, or if it's possible?

    Thanks



  • 2.  RE: Disable switchport and AAA authentication until Radius server accessible

    MVP GURU
    Posted Feb 19, 2020 05:55 AM

    Hi,

    There are Open and Critical VLAN authentication modes... have you tried them?



  • 3.  RE: Disable switchport and AAA authentication until Radius server accessible

    EMPLOYEE
    Posted Feb 19, 2020 07:58 AM

    Yes, for such cases where the authentication server is unreachable we support a User-Role called the “Critical-Role”. When the authentication server is unreachable because of a fault in the infrastructure, like the WAN failure in this case, it is unfair for the clients to get impacted (an authentication failure due to RADIUS not being reachable, not because of a RADIUS reject :-)).

    Syntax:

    aaa authorization user-role name <ROLE-NAME>
       vlan-id <UNTAGGED-VLAN>
       vlan-id-tagged <TAGGED-VLAN>
       exit
    aaa port-access <port> critical-auth user-role <ROLE-NAME>

    like:

    ; define the role that is applied while the RADIUS server is unreachable
    aaa authorization user-role name "VLAN-CRITICAL"
       policy "PERMIT-ALL"
       vlan-id 200
       exit
    ; bind that role to the port as its critical-auth role
    aaa port-access 1/11 critical-auth user-role "VLAN-CRITICAL"

     

    Does this help?

     

    Thanks,

    Yash
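
Putting Yash's snippet into a fuller ArubaOS-Switch port configuration for the power-cut scenario from the first post, as an added example that is not part of the original thread: it defines the data, critical and unauth VLANs, points the switch at the RADIUS server, enables local user roles, and binds a critical role to an 802.1X/MAC-auth edge port. The server address, shared secret, VLAN IDs, port number and role name are assumed values; the `policy "PERMIT-ALL"` line from the reply is left out because it refers to a `policy user` definition the thread does not show. Note the security boundary: the critical role is applied only when no RADIUS server answers, not on an Access-Reject, so a rejected client still lands in the unauth VLAN (900 here). Because any device plugged in during the outage gets the critical VLAN without authenticating, scope that VLAN to what offline devices genuinely need rather than giving it full access.

```text
; ArubaOS-Switch (e.g. 2930F, software 16.x) - added example, values assumed
; VLAN 100 = normal data, 200 = critical (RADIUS unreachable), 900 = unauth/fail
vlan 100
   name "DATA"
   exit
vlan 200
   name "CRITICAL"
   exit
vlan 900
   name "QUARANTINE"
   exit

; RADIUS server on the far side of the WAN (assumed address and secret)
radius-server host 10.10.10.5 key "RadiusSharedSecret"
; skip an unresponsive server for 5 minutes so later clients fall back to the
; critical role at once instead of each waiting for its own RADIUS timeout
radius-server dead-time 5

aaa authentication port-access eap-radius
aaa authentication mac-based chap-radius

; local user roles must be enabled before critical-auth user-role can be used
aaa authorization user-role enable
; role applied while no RADIUS server responds: untagged VLAN 200 only
aaa authorization user-role name "VLAN-CRITICAL"
   vlan-id 200
   exit

; 802.1X plus MAC auth on the edge port; RADIUS rejects go to VLAN 900
aaa port-access authenticator 1/11
aaa port-access authenticator 1/11 unauth-vid 900
; periodic reauthentication re-evaluates the client once RADIUS is back
aaa port-access authenticator 1/11 reauth-period 3600
aaa port-access mac-based 1/11
aaa port-access mac-based 1/11 unauth-vid 900
aaa port-access 1/11 critical-auth user-role "VLAN-CRITICAL"
aaa port-access authenticator active

; after pulling the WAN link, confirm the client shows the critical role
; rather than the unauth VLAN
show port-access clients 1/11
```

With `dead-time` set, only the first client after the outage waits through the RADIUS retransmit timers; the rest get the critical role immediately. The `reauth-period` matters for the recovery side of the problem described in the first post: without it a client that received the critical role keeps it until it disconnects, whereas with it the port re-authenticates against RADIUS once the WAN returns and moves the client to its proper VLAN or to the unauth VLAN if it is rejected.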