<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Cisco ISE Permit All Rule in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/cisco-ise-permit-all-rule/m-p/3564256#M527088</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;On wired auth, if you want another quick way to bypass 802.1x and you are using discrete policy sets (like you should be), then simply change your Wired 802.1x policy set's authentication condition to Deny Access, which will cause the switch to fail over to MAB, then make sure your MAB rules allow on all traffic.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Fri, 01 Sep 2017 03:58:35 GMT</pubDate>
    <dc:creator>paul</dc:creator>
    <dc:date>2017-09-01T03:58:35Z</dc:date>
    <item>
      <title>Cisco ISE Permit All Rule</title>
      <link>https://community.cisco.com/t5/network-access-control/cisco-ise-permit-all-rule/m-p/3564254#M527086</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt; Hello All, &lt;/P&gt;&lt;P&gt;I'm having problems with authentication latency between my PSN nodes and my Domain Controllers. The problem is causing thousands of failed DOT1X/MAB sessions. My question is, is there any way to put a rule in my policies that will bypass any AD lookups and just allow every session to authenticate?&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 31 Aug 2017 14:00:38 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/cisco-ise-permit-all-rule/m-p/3564254#M527086</guid>
      <dc:creator>77corJ</dc:creator>
      <dc:date>2017-08-31T14:00:38Z</dc:date>
    </item>
    <item>
      <title>Re: Cisco ISE Permit All Rule</title>
      <link>https://community.cisco.com/t5/network-access-control/cisco-ise-permit-all-rule/m-p/3564255#M527087</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Obviously a larger issue going on for which you may need TAC support. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;You could place a rule at top of existing Authorization policy that matches any and permits full access, but that will not address failed 802.1X auth protocols that will not support a "Continue" option in Authentication policy.&amp;nbsp; If switches configured for MAB fallback, then could disable 1X rule and expect all auth events to hit MAB and then use permit all rule to grant access.&amp;nbsp; If looking for a quick access option, you may be able to simply block access to ISE RADIUS service.&amp;nbsp; If switch is configured for a Critical VLAN or ACL that grants required access, then switch can handle locally by detecting AAA as down.&amp;nbsp; On the switch side, you could switch to monitor mode but that entails config changes on NAD which may be operationally intensive.&amp;nbsp;&amp;nbsp; &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If specific issue with AD, then remove AD from ID sequence to short cut to next ID store and disable (not delete) rules based on AD lookup.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;/Craig&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 31 Aug 2017 16:51:47 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/cisco-ise-permit-all-rule/m-p/3564255#M527087</guid>
      <dc:creator>Craig Hyps</dc:creator>
      <dc:date>2017-08-31T16:51:47Z</dc:date>
    </item>
    <item>
      <title>Re: Cisco ISE Permit All Rule</title>
      <link>https://community.cisco.com/t5/network-access-control/cisco-ise-permit-all-rule/m-p/3564256#M527088</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;On wired auth, if you want another quick way to bypass 802.1x and you are using discrete policy sets (like you should be), then simply change your Wired 802.1x policy set's authentication condition to Deny Access, which will cause the switch to fail over to MAB, then make sure your MAB rules allow on all traffic.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 01 Sep 2017 03:58:35 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/cisco-ise-permit-all-rule/m-p/3564256#M527088</guid>
      <dc:creator>paul</dc:creator>
      <dc:date>2017-09-01T03:58:35Z</dc:date>
    </item>
  </channel>
</rss>

