https://community.cisco.com/t5/network-access-control/critical-authentication-event-reinitialize-all-sessions/m-p/3679085#M25316 <P>&nbsp;</P> <P>Hi</P> <P>I'm working on a ISE/Trustsec deployment for wired devices using ibns 2.0. The dev environment is working well:</P> <P>&nbsp;</P> <UL> <LI>Clients authenticate successfully and are dynamically assigned SGTs from ISE</LI> <LI>Switches download CTS environment data from ISE (SGTs and SGACLs) and ISE policy is enforced correctly.</LI> </UL> <P>&nbsp;</P> <P>I'm now looking at how to handle a critical authentication event where ISE becomes unavailable:</P> <P>&nbsp;</P> <UL> <LI>Unauthenticated clients are authorised ok by the switch's ibns 2.0 identity control policy. SGTs are applied statically though VLAN membership</LI> <LI>CTS environment data (SGTs and SGACLs) learned from ISE eventually times out (ISE default for this timeout is 24 hours).</LI> <LI>Clients that authenticated successfully (before RADIUS became unavailable) remain authorised with their dynamically assigned SGT. Periodic authentication isn't enabled so clients remain authorised until the session ends.</LI> </UL> <P>The problem I'm seeing is that if ISE is unavailable for long enough and the switch's CTS environmental data times out, then the switch loses the SGACLs/SGTs required to enforce policy for the ISE authenticated devices with their dynamically assigned SGTs.</P> <P>&nbsp;</P> <P>I thought the old legacy 802.1x command "<STRONG>authentication event server dead action reinitialize vlan X</STRONG>" might help reinitialize authenticated clients when a critical authentication event occurs but the bug CSCul89568 (and my testing) shows that this is only possible if periodic authentication is enabled.</P> <P>&nbsp;</P> <P>I created a simple EEM script below which clears all authenticated sessions when RADIUS becomes unavailable. Clients are then authorised by the switch with statically assigned SGTs (enforcement is done through static SGACLs).</P> <P>&nbsp;</P> <P><STRONG>event manager applet CRITICAL-CLEAR-SESSIONS</STRONG><BR /><STRONG> event syslog pattern "RADIUS-4-RADIUS_DEAD" maxrun 5</STRONG><BR /><STRONG> action 1.0 cli command "enable"</STRONG><BR /><STRONG> action 1.1 cli command "clear access-session"</STRONG></P> <P>&nbsp;</P> <P>Can anyone suggest a better way of dealing with this kind of event? I could increase the cts environmental data timeout or enable periodic authentication.</P> <P>&nbsp;</P> <P>Thanks<BR />Andy</P> Mon, 11 Mar 2019 08:47:36 GMT andrewswanson 2019-03-11T08:47:36Z https://community.cisco.com/t5/network-access-control/critical-authentication-event-reinitialize-all-sessions/m-p/3679085#M25316 <P>&nbsp;</P> <P>Hi</P> <P>I'm working on a ISE/Trustsec deployment for wired devices using ibns 2.0. The dev environment is working well:</P> <P>&nbsp;</P> <UL> <LI>Clients authenticate successfully and are dynamically assigned SGTs from ISE</LI> <LI>Switches download CTS environment data from ISE (SGTs and SGACLs) and ISE policy is enforced correctly.</LI> </UL> <P>&nbsp;</P> <P>I'm now looking at how to handle a critical authentication event where ISE becomes unavailable:</P> <P>&nbsp;</P> <UL> <LI>Unauthenticated clients are authorised ok by the switch's ibns 2.0 identity control policy. SGTs are applied statically though VLAN membership</LI> <LI>CTS environment data (SGTs and SGACLs) learned from ISE eventually times out (ISE default for this timeout is 24 hours).</LI> <LI>Clients that authenticated successfully (before RADIUS became unavailable) remain authorised with their dynamically assigned SGT. Periodic authentication isn't enabled so clients remain authorised until the session ends.</LI> </UL> <P>The problem I'm seeing is that if ISE is unavailable for long enough and the switch's CTS environmental data times out, then the switch loses the SGACLs/SGTs required to enforce policy for the ISE authenticated devices with their dynamically assigned SGTs.</P> <P>&nbsp;</P> <P>I thought the old legacy 802.1x command "<STRONG>authentication event server dead action reinitialize vlan X</STRONG>" might help reinitialize authenticated clients when a critical authentication event occurs but the bug CSCul89568 (and my testing) shows that this is only possible if periodic authentication is enabled.</P> <P>&nbsp;</P> <P>I created a simple EEM script below which clears all authenticated sessions when RADIUS becomes unavailable. Clients are then authorised by the switch with statically assigned SGTs (enforcement is done through static SGACLs).</P> <P>&nbsp;</P> <P><STRONG>event manager applet CRITICAL-CLEAR-SESSIONS</STRONG><BR /><STRONG> event syslog pattern "RADIUS-4-RADIUS_DEAD" maxrun 5</STRONG><BR /><STRONG> action 1.0 cli command "enable"</STRONG><BR /><STRONG> action 1.1 cli command "clear access-session"</STRONG></P> <P>&nbsp;</P> <P>Can anyone suggest a better way of dealing with this kind of event? I could increase the cts environmental data timeout or enable periodic authentication.</P> <P>&nbsp;</P> <P>Thanks<BR />Andy</P> Mon, 11 Mar 2019 08:47:36 GMT https://community.cisco.com/t5/network-access-control/critical-authentication-event-reinitialize-all-sessions/m-p/3679085#M25316 andrewswanson 2019-03-11T08:47:36Z https://community.cisco.com/t5/network-access-control/critical-authentication-event-reinitialize-all-sessions/m-p/3832009#M25317 <P>Hi,</P><P>&nbsp;</P><P>have you tried enabling cts cache to store the environment data and SGACL into flash. This way the last entry into cache before ISE dies will be used.</P> Thu, 04 Apr 2019 08:01:45 GMT https://community.cisco.com/t5/network-access-control/critical-authentication-event-reinitialize-all-sessions/m-p/3832009#M25317 david.2018 2019-04-04T08:01:45Z https://community.cisco.com/t5/network-access-control/critical-authentication-event-reinitialize-all-sessions/m-p/3832061#M25318 <P>Hi David</P><P><BR />Thanks for the response. CTS cache isn't supported on Catalyst 3ks so that wasn't an option.</P><P>&nbsp;</P><P>Currently, I have periodic authentication enabled for all clients - during a Critical Authentication event, all clients are re-authenticated before the cts environment data times out.</P><P>&nbsp;</P><P>Andy</P> Thu, 04 Apr 2019 08:59:22 GMT https://community.cisco.com/t5/network-access-control/critical-authentication-event-reinitialize-all-sessions/m-p/3832061#M25318 andrewswanson 2019-04-04T08:59:22Z