topic Re: ISE Authentication bypass in critical situation in Network Access Control

ISE Authentication bypass in critical situation

pasupuleti.rmr — Thu, 25 Jan 2018 07:53:07 GMT

Hello,

My self Ram Mohan from INDIA. I am using Cisco ISE in our organization. I faced one issue recent days which is created a big problem.

Incident ;-

3 days back all the end-users login into the system, after login NAC agent not initiated to check the posture.

This issue effected in entire organization. so that they can't able to access intranet as well as internet.

For temporarily...i just removed NAC configuration on switch-port and allowed the network access.

in that situation i struggled a lot to remove NAC configuration in entire access switches (52 Switches) which is located in all floors.

My query ... is there any option or specific configuration to bypass the ISE system in above critical situation ??

Please let me know if there is any chance to overcome this issue.

Version Details:-

Version : 2.2.0.470

NAC Agent Ver : 4.9.5.10

ADE OS Ver : 3.0.2.218

Thanks ,

Rama Mohan Rao P

Re: ISE Authentication bypass in critical situation

hariholla — Thu, 25 Jan 2018 18:09:14 GMT

Hello,

You can disable posture policies on ISE in such cases, also change the authorization policies to permit network access irrespective of the posture status. Modifying the switch configuration is not necessary, as long it can talk to ISE.

Do you have a TAC case open to understand why the NAC agent failed to do posture?

~Hari

Re: ISE Authentication bypass in critical situation

hslai — Sat, 27 Jan 2018 05:45:49 GMT

Perhaps, this is what you are looking for -- 802.1x Authentication with Inaccessible Authentication Bypass

Re: ISE Authentication bypass in critical situation

pasupuleti.rmr — Mon, 29 Jan 2018 06:45:24 GMT

Hello Mr.Hari,

Thank you for your reply.

actually I just disabled the posture policies on ISE when the incident happened. But before that all the systems hang on and showing exclamation mark (Yellow colour triangle) on LAN Icon. I just capture the Posture Policy for your reference.

lease check and let me know is any further step I have to take.

Reg TAC Case :

TAC engineer suggested to upgrade Patch 5 and done the same.

I just discussed with TAC Engineer and sent ise-support-bundle logs before and after the issue was raised.

waiting for his response to know exact cause of the problem.

wander is before patch 5 up gradation it self, problem has resolved.

only that day getting issue with NAC agent. next day I just tried in test systems its running well..