https://community.cisco.com/t5/network-access-control/re-authenticate-end-hosts-after-ise-failure/m-p/4073095#M559865 <P>Hi Damien,<BR /><BR />Thanks for you assistance, it took me a while to test this and to be honest, IBNS2.0 is a bit tricky to get your head around after being used to the 'old' ways....but it now looks to be working well.<BR /><BR />Thanks again.</P> Fri, 24 Apr 2020 07:34:38 GMT ShaunGreen 2020-04-24T07:34:38Z https://community.cisco.com/t5/network-access-control/re-authenticate-end-hosts-after-ise-failure/m-p/4068333#M559714 <P>Dear All,<BR /><BR />We are using IBNS 2.0 with dot1x and mab.<BR /><BR />Everything so far is working in our testing and when we simulate an ISE failure the Critical service template allows the end hosts access to the network.<BR /><BR />When the ISE server comes back online, the dot1x hosts re-authenticate and pickup their correct policy sets.<BR /><BR />But the MAB (profiled) devices stay in the Critical state.<BR /><BR />Does anyone know the best procedure to automatically re-authenticate these devices once the ISE server is back online?<BR /><BR />Thanks in advance.</P> Fri, 17 Apr 2020 18:40:35 GMT https://community.cisco.com/t5/network-access-control/re-authenticate-end-hosts-after-ise-failure/m-p/4068333#M559714 ShaunGreen 2020-04-17T18:40:35Z https://community.cisco.com/t5/network-access-control/re-authenticate-end-hosts-after-ise-failure/m-p/4068904#M559733 <P>Please attach the "sh tech" output from the switch.</P> Sun, 19 Apr 2020 00:28:47 GMT https://community.cisco.com/t5/network-access-control/re-authenticate-end-hosts-after-ise-failure/m-p/4068904#M559733 poongarg 2020-04-19T00:28:47Z https://community.cisco.com/t5/network-access-control/re-authenticate-end-hosts-after-ise-failure/m-p/4069452#M559760 <P>Hi, Thanks for your interest.<BR /><BR /></P><P>To give some more information, I closed down the ISE application on Friday evening. Everything failed over using the 'Critical' service template (screen shot below).<BR /><BR />When the Radius servers are back online, the dot1x hosts re-autenticate, but the MAB profiled devices are still staying on the Critical service template.<BR /><BR />We could manually carry out a COA from ISE for these hosts, but I'm wondering if there is a way to configure re-authentication once the ISE is up and running without manual intervention?<BR /><BR />Code is 16.9.4</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 20 Apr 2020 07:05:43 GMT https://community.cisco.com/t5/network-access-control/re-authenticate-end-hosts-after-ise-failure/m-p/4069452#M559760 ShaunGreen 2020-04-20T07:05:43Z https://community.cisco.com/t5/network-access-control/re-authenticate-end-hosts-after-ise-failure/m-p/4069850#M559772 <P>It appears you may be missing policy required to resume authentication once AAA comes back online, you need to exit critical auth.&nbsp;If you follow Hari's secure wired access prescriptive guide you can see how this could be done. <BR /><A href="https://community.cisco.com/t5/security-documents/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515" target="_blank">https://community.cisco.com/t5/security-documents/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515</A></P> <P>ex.&nbsp;<BR />"event aaa-available match-all<BR />10 class IN_CRITICAL_AUTH do-until-failure<BR />10 clear-session<BR />20 class NOT_IN_CRITICAL_AUTH do-until-failure<BR />10 resume reauthentication"<BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Table7.png" style="width: 880px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/72290i1AC90EAD775F51BF/image-dimensions/880x686?v=v2" width="880" height="686" role="button" title="Table7.png" alt="Table7.png" /></span></P> Mon, 20 Apr 2020 15:34:17 GMT https://community.cisco.com/t5/network-access-control/re-authenticate-end-hosts-after-ise-failure/m-p/4069850#M559772 Damien Miller 2020-04-20T15:34:17Z https://community.cisco.com/t5/network-access-control/re-authenticate-end-hosts-after-ise-failure/m-p/4073095#M559865 <P>Hi Damien,<BR /><BR />Thanks for you assistance, it took me a while to test this and to be honest, IBNS2.0 is a bit tricky to get your head around after being used to the 'old' ways....but it now looks to be working well.<BR /><BR />Thanks again.</P> Fri, 24 Apr 2020 07:34:38 GMT https://community.cisco.com/t5/network-access-control/re-authenticate-end-hosts-after-ise-failure/m-p/4073095#M559865 ShaunGreen 2020-04-24T07:34:38Z