The symptom is that illegitimate 802.1X clients gain access to VLANs they are not supposed to be in, even though RADIUS authentication is configured.
This is a configuration error that can easily escape attention: the backup authentication method is configured as "authorized", which means access is allowed without authentication, as seen in the following command:
# aaa authentication port-access eap-radius authorized
If for some reason the RADIUS service becomes unavailable (server down, unreachable, or not responding), the backup authentication method takes over, and in this case it grants access with no authentication at all, so the port effectively fails open.
To fix this problem, instead of specifying the backup authentication method as "authorized", use "none" (which means no backup method is used, so clients are not authenticated while RADIUS is unavailable) as follows:
# aaa authentication port-access eap-radius none
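To catch this setting before it causes trouble, here is an added config-audit check (example code, not from the original post): it scans a running-config excerpt for "aaa authentication port-access" lines whose backup method is "authorized" and reports the corrected command. The sample config, the hostname and the RADIUS address are constructed; treating an omitted backup method as "none" is an assumption about the switch default.

```python
"""Audit switch running-config text for an 'authorized' 802.1X backup method.
Constructed example; the config excerpt below is made up for illustration."""
import re

# Matches: aaa authentication port-access <primary-method> [backup-method]
_PORT_ACCESS_RE = re.compile(
    r"^\s*aaa\s+authentication\s+port-access\s+(?P<primary>\S+)(?:\s+(?P<backup>\S+))?\s*$",
    re.IGNORECASE,
)


def audit_port_access(config_text):
    """Return one finding per port-access line whose backup method is
    'authorized', i.e. a port that fails open when RADIUS is unreachable."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = _PORT_ACCESS_RE.match(line)
        if not m:
            continue
        # Assumption: an omitted backup method means 'none' (no backup).
        backup = (m.group("backup") or "none").lower()
        if backup == "authorized":
            primary = m.group("primary")
            findings.append({
                "line": lineno,
                "primary": primary,
                "backup": backup,
                "fix": f"aaa authentication port-access {primary} none",
            })
    return findings


# Constructed sample running-config excerpt with the weak setting on line 3.
SAMPLE_CONFIG = """\
hostname "edge-sw01"
radius-server host 10.0.0.5 key "secret"
aaa authentication port-access eap-radius authorized
aaa port-access authenticator 1-24
aaa port-access authenticator active
"""

if __name__ == "__main__":
    for f in audit_port_access(SAMPLE_CONFIG):
        print(f"line {f['line']}: backup '{f['backup']}' for port-access "
              f"{f['primary']}; replace with: {f['fix']}")
```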