topic Re: ISE Behaviour if Server down - Fail Open? in Network Access Control

ISE Behaviour if Server down - Fail Open?

roger perkin — Fri, 21 Feb 2020 18:45:44 GMT

I want to understand the switchport or ISE config required that if switch cannot contact ISE server that the authentication fails open

I believe it's called Fail Open, but I want to make sure if the ISE server is unreachable that user still connects to VLAN configured on port

Thanks

Re: ISE Behaviour if Server down - Fail Open?

Rob Ingram — Thu, 15 Feb 2018 20:35:51 GMT

Hi Roger,

Try these interface level commands:

authentication event server dead action reinitialize vlan X
authentication event server dead action authorize voice

authentication event server alive action reinitialize

// You will need the global dead-time criteria set in order to detect a dead AAA server

radius-server dead-criteria time 3 tries 2

HTH

Re: ISE Behaviour if Server down - Fail Open?

roger perkin — Thu, 15 Feb 2018 21:03:08 GMT

Thanks,

So to be clear

global command

radius-server dead-criteria time 3 tries 2

Wait 2 x 3 seconds before marking Radius Server as dead

Interface command

authentication event server dead action reinitialize vlan X

If Radius server is dead reinitialise the port into vlan X (Could be another VLAN or could be same access VLAN)

authentication event server dead action authorize voice

If Radius server is dead - allow voice vlan

authentication event server alive action reinitialize

When the Radius server comes online - reinitialize authentications

So if I have 2 Radius Servers with the above configuration it would try ISE 1 for 6 seconds and then ISE 2 for 6 seconds and then reinitialize port into specified VLAN

Thanks

Re: ISE Behaviour if Server down - Fail Open?

georgehewittuk1 — Mon, 05 Mar 2018 16:43:09 GMT

Hello Guys,

I got a question on this. If = "authentication event server alive action reinitialize" is not included in switchport configuration what will be the behaviour? Will it not go back to authentication from the ISE until restarted?

Thanks
George

Re: ISE Behaviour if Server down - Fail Open?

agrissimanis — Wed, 07 Mar 2018 16:49:49 GMT

Without "authentication event server alive action reinitialize" the endpoint will stay in critical auth until re-authenticated for some other reason. That command forces re-authentication when RADIUS server becomes available again.

For fail open, I have the following two commands:

authentication event server dead action authorize (if you don't put vlan X at the end here, it will fail-open to whatever vlan is configured on the port)
authentication event server dead action authorize voice

Re: ISE Behaviour if Server down - Fail Open?

georgehewittuk1 — Wed, 07 Mar 2018 16:56:56 GMT

Thanks for the reply - When you say the endpoint (port) stays in critical auth until re-autentication. The behaviour of the authentication command is this until a new host is connected or after so long a time? Its not so clear in my mind if you can shed some light.

Thanks again

Re: ISE Behaviour if Server down - Fail Open?

agrissimanis — Wed, 07 Mar 2018 19:03:23 GMT

Absolutely, if a new host was connected to the port then there would be a new authentication event, and if the radius server is up at that point then the request would go to ISE. Or if you have a periodic re-authentication enabled then the old host would get re-authenticated when the timer expires. That command re-authenticates endpoints in critical auth when at least one RADIUS server becomes available.