Latest

Cisco SDA: Inaccessible Authentication Bypass

 Cisco SDA: Inaccessible Authentication Bypass

The inaccessible authentication bypass feature can be used when the switch cannot reach the configured ISE PSN RADIUS servers and new hosts cannot be authenticated. 

When the switch tries to authenticate a host connected to a critical port, the switch checks the status of the configured RADIUS server. 

If a server is available, the switch can authenticate the host.  However, if all the RADIUS servers are unavailable, the switch grants temporary network access to the host and puts the port in the critical-authentication state, which is a special case of the authentication state.

Fig 1.1- Inaccessible Authentication Bypass Flow

The behaviour of the inaccessible authentication bypass feature depends on the authorization state of the port

  • If the port is unauthorized when a host connected to a critical port tries to authenticate, and all servers are unavailable, the switch puts the port in the critical-authentication state in the full data access VLAN (an ACL can be applied to the VLAN for restricting network access while in critical-authentication state). The IP phones will authorize to the voice VLAN.  
  • If the port is already authorized and re-authentication occurs, the switch puts the critical port in the critical-authentication state in the current VLAN, which might be the one previously assigned by the RADIUS server, including voice VLAN for IP phones.  
  • If the RADIUS server becomes unavailable during an authentication exchange, the current exchange times out, and the switch puts the critical port in the critical-authentication state during the next authentication attempt. 

The critical ports will be configured to reinitialize hosts and move them out of the critical VLAN when one of the RADIUS servers is available. When this is configured, all critical ports in the critical-authentication state are automatically re-authenticated.