topic ISE 1.1.1 (Fallback to local Vlan if radius server is found to b in Network Access Control

ISE 1.1.1 (Fallback to local Vlan if radius server is found to be dead) not working

Tabish Mirza — Mon, 11 Mar 2019 02:47:39 GMT

We have configured following commands on switch to fallback to local Vlan if both radius server (policy persona's) is found dead. For test purpose we shutdown both servers (policy persona's) but fallback didn't work. We have 3750 switch running image 12.2(55)SE6 having following configuration.

We do not know whether we configured switch in proper way or do we need to modify it.

aaa new-model
!

aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting update periodic 5
aaa accounting auth-proxy default start-stop group radius
aaa accounting dot1x default start-stop group radius
aaa accounting system default start-stop group radius
!
!
aaa server radius dynamic-author
client 10.10.10.10 server-key 7 12345678 (Policy Persona 1)

client 10.10.10.11 server-key 7 12345678 (Policy Persona 2)

server-key 7 12345678

ip device tracking
!
epm logging

radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 30 tries 3
radius-server host 10.10.10.10 auth-port 1812 acct-port 1813 key 7 12345678 (Policy Persona 1)

radius-server host 10.10.10.11 auth-port 1812 acct-port 1813 key 7 12345678 (Policy Persona 2)

radius-server vsa send accounting
radius-server vsa send authentication

Port Configuration

interface GigabitEthernet0/1
switchport access vlan 305
switchport mode access
ip access-group ACL-DEFAULT in
authentication event fail action next-method
authentication event server dead action reinitialize vlan 305
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
!

Please help....

Thanks

ISE 1.1.1 (Fallback to local Vlan if radius server is found to b

Todd Pula — Thu, 15 Nov 2012 22:50:40 GMT

Was the test client on g0/1 previously authorized on this port prior to shutting down the PSNs? Or did you connect the client after taking the PSNs offline?

Re: ISE 1.1.1 (Fallback to local Vlan if radius server is found

Tabish Mirza — Fri, 16 Nov 2012 08:38:38 GMT

Client was connected on port gi0/1 but when we shutdown both PSN same time we shut & no shut gi0/1. We tried same exercise means to shut or no shut gi0/1 couple of times but no luck.
My requirement is to fallback user who is connected on gi0/1 to local access vlan if both radius server (PSN) goes down.
I suspect that I m missing some switch commands.
Please any suggestion.
Thanks

Sent from Cisco Technical Support iPhone App

Re: ISE 1.1.1 (Fallback to local Vlan if radius server is found

nspasov — Fri, 16 Nov 2012 16:00:56 GMT

Can you post the config for the access-list "ACL-DEFAULT" that is applied on the interface? If you are using this ACL for "Low Impact" mode then that would be the cause of your issue. If that is the case remove the ACL and give it another try.

Thank you for rating!

Re: ISE 1.1.1 (Fallback to local Vlan if radius server is found

Tabish Mirza — Sun, 18 Nov 2012 09:23:30 GMT

Hi Neno,

Many thanks indeed for your suggestion.

Here is the ACL-DEFAULT

ip access-list extended ACL-DEFAULT

remark DHCP

permit udp any eq bootpc any eq bootps

remark DNS

permit udp any any eq domain

remark PXE/TFTP

permit udp any any eq tftp

remark Drop all the rest

deny ip any any log

I removed the ACL & tried. It works but what will be the impact, if I do not use ACL-DEFAULT on interface.

Once radius server alive authentication should reinitialize (authentication event server alive action reinitialize) but it is not happening.

Waiting for response.

Thanks

ISE 1.1.1 (Fallback to local Vlan if radius server is found to b

nspasov — Mon, 19 Nov 2012 01:42:17 GMT

Tabish-

The pre-auth ACL that you have on your port is used for what's called a "Low-Impact" mode type of setup. With Low-Impact mode you are allowing services defined in the pre-auth ACL until the user/devices is authenticated. Once authenticated the pre-auth ACL gets replaced with the dACL/authorization policy that you have defined in the authorization profile. As a result, it is not possible to use "fail-open" configuration with low-impact as there is nothing to replace that pre-auth ACL since your NAD device(s) are unavailable.

If you want to use the "fail-open" features you will have to use the "High Securty/Closed Mode." In that mode you cannot utilize the pre-auth ACL and essentially only EPoL traffic is allowed on port until authenticated.

For more info you should reference the TrustSec design guide located at:

http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html

Thank you for rating!