Configuring Inaccessible Authentication Bypass - Cisco WS-C6506 Software Manual

Catalyst 6500 series switch
Configuring Network Admission Control with LAN Port IP
Displaying Policy Templates and Their Associated Policy Groups
To display policy templates and their associated policy groups, perform this task in normal mode:

Task                                                           Command
Display policy templates and their associated policy groups.   show policy name {all | policy-name}

This example shows how to display policy templates and their associated policy groups:
Console> (enable) show policy name all
Policy Template pol1
Security Policy Groups :grp1 grp2
Console> (enable)

Configuring Inaccessible Authentication Bypass

When a switch cannot reach configured RADIUS servers and hosts cannot be authenticated, you can
configure the switch to allow network access to the hosts connected to critical ports. A critical port is
enabled by the inaccessible authentication bypass (IAB) feature.
When IAB is enabled, the switch checks the status of the configured RADIUS servers whenever the
switch tries to authenticate a host connected to a critical port. If a server is available, the switch can
authenticate the host. However, if all the RADIUS servers are unavailable, the switch grants network
access to the host and puts the port in the critical-authentication state.
The operation of the IAB feature depends on the authorization state of the port:

- If the port is unauthorized when a host connected to a critical port tries to authenticate and all servers are unavailable, the switch sends an EAP-success message to the host and puts the port in the critical-authentication state in the configured access VLAN.
- If the port is already authorized and reauthentication occurs, the switch puts the critical port in the critical-authentication state in the current VLAN, which might be the one previously assigned by the RADIUS server.
- If the RADIUS server becomes unavailable during an authentication exchange, the current exchange times out, and the switch puts the critical port in the critical-authentication state during the next authentication attempt.

When the RADIUS server is available, all the ports in critical state are reinitialized if IAB initialization is enabled. Enable the IAB initialization feature by using the set radius keepalive init [enable | disable] command. The IAB initialization feature is disabled by default. If this feature is not enabled, the port waits until the reauthentication timer expires.

If IAB is enabled using the set radius keepalive [enable | disable] command, the switch sends periodic requests to the server. The interval between requests is configurable. Use the set radius keepalivetimer time command to set the timer. The server can be in the Init, CheckUp, Dead, or Alive state. During the initialization state, the first request is sent to all the RADIUS servers. The request waits for a response. If there is no response, the server state will be moved to CheckUp. In the CheckUp state, the switch sends two more requests to the server. If there is no response to the requests, the server will be marked as "dead." If there is a response to the request, the server will be marked as "alive." To set the retry timer, use the set radius timeout time command to send a second request when there is no response to the first request.

Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7
44-24
OL-8978-04
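The keepalive server-state machine and the critical-port decisions described above, modelled in Python as an added illustration (this is not Cisco code; the reply probe hook, the state and result strings, and the VLAN numbers are constructed assumptions) so that the fail-open window can be reasoned about:

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

INIT, CHECKUP, DEAD, ALIVE = "Init", "CheckUp", "Dead", "Alive"  # server states from the text
@dataclass
class RadiusServer:
    reply: Callable[[], bool]   # assumed probe hook: True when a RADIUS reply arrives
    state: str = INIT
    requests_sent: int = 0
    def send(self) -> bool:
        self.requests_sent += 1
        return self.reply()
    def keepalive_cycle(self) -> str:
        """Init: one request; no reply -> CheckUp, up to two more requests; reply -> Alive, none -> Dead."""
        if self.send():
            self.state = ALIVE
        else:
            self.state = CHECKUP
            self.state = ALIVE if any(self.send() for _ in range(2)) else DEAD
        return self.state

@dataclass
class CriticalPort:
    access_vlan: int            # configured access VLAN (constructed value)
    authorized: bool = False
    vlan: Optional[int] = None  # current VLAN, possibly one assigned earlier by RADIUS
    state: str = "unauthorized"

def authenticate(port: CriticalPort, servers: List[RadiusServer], iab: bool) -> str:
    """Outcome of one authentication attempt on a critical port."""
    if any(s.state == ALIVE for s in servers):
        return "radius-auth"    # a server is reachable: normal RADIUS exchange
    if not iab:
        return "unauthorized"   # no bypass configured: the host stays unauthenticated
    # All servers unavailable: the switch sends EAP-Success and grants access.
    if not port.authorized:
        port.vlan = port.access_vlan    # unauthorized port lands in the access VLAN
        port.authorized = True          # an already-authorized port keeps its current VLAN
    port.state = "critical-authentication"
    return port.state

def server_available(ports: List[CriticalPort], iab_init: bool) -> List[str]:
    """Server back: critical ports are reinitialized only if keepalive init is enabled."""
    results = []
    for p in ports:
        if p.state == "critical-authentication":
            if iab_init:
                p.state, p.authorized, p.vlan = "unauthorized", False, None
            results.append("reinitialized" if iab_init else "wait-reauth-timer")
    return results
```

With the default (init disabled), hosts admitted during an outage stay in critical-authentication until the reauthentication timer fires, which is the interval a defender should size and monitor.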
