topic Trustsec + ISE Down? in Network Access Control

Trustsec + ISE Down?

Ricardo T Duarte — Fri, 02 Nov 2018 13:08:59 GMT

Hi there,

What happens to a TrustSec environment when all ISE servers are down?

Will traffic still be forwarded? When will it stop working?

Thanks.

Re: Trustsec + ISE Down?

hslai — Fri, 02 Nov 2018 14:30:38 GMT

The environment data is cached on the NAD so the enforcement should work still.

Re: Trustsec + ISE Down?

Ricardo T Duarte — Fri, 02 Nov 2018 14:32:40 GMT

Hi Hslay,

As far as I remember that cache has a lifetime of typically 24 hours.

Will traffic stop flowing after the cache expires and ISE is down?

Thanks

Re: Trustsec + ISE Down?

Jason Kunst — Fri, 02 Nov 2018 14:37:37 GMT

If you have a whole ise outage aren’t there other things to worry about? AAA not working? They would go into critical auth on wired and wireless dot1x wouldn’t work.

Re: Trustsec + ISE Down?

Ricardo T Duarte — Fri, 02 Nov 2018 14:42:55 GMT

I'm not using ISE for AAA. Another software is classifying the devices and sending the tag info to the NADs.

I'm just using ISE to manage the TrustSec infrastructure (SGACLs, Matrix, etc), and only have one ISE (Express Bundle) per site.

Re: Trustsec + ISE Down?

kthumula — Fri, 02 Nov 2018 14:52:49 GMT

Ricardo, As Hsing pointed out we could increase the timers to weeks/years so that the network devices wont request the new policy though ISE is down.

Also one more thing is to configure Static SGACLs on the switches. But that would require lot of manual effort. When ISE is unavailable Static SGACLs would be used by the NADs for enforcement. As soon as ISE is up then dynamic SGACL policies from ISE would take the precedence.

Re: Trustsec + ISE Down?

Ricardo T Duarte — Fri, 02 Nov 2018 14:56:12 GMT

Thanks for your answer.

If I have a huge cache lifetime, can ISE push new configurations on demand, or will I have to wait for the cache to expire and/or do a manual download at the switch?

Re: Trustsec + ISE Down?

kthumula — Fri, 02 Nov 2018 14:58:54 GMT

It can always push new configuration on demand. That has nothing to do with timers/cache.

Re: Trustsec + ISE Down?

JackHsu — Tue, 19 Mar 2019 03:30:13 GMT

Is that possible to keep the downloaded SGACL and TrsutSec environment data after ISE down or the policy expire?

Because I still want to keep the SGACL enforcement function working, even though there is no new user can be authentication, after the Cisco ISE down or the policy expires.