topic Re: Breakglass Procedure for Cisco ISE in Network Access Control

Breakglass Procedure for Cisco ISE

sreng — Mon, 06 Jun 2022 15:14:17 GMT

Hi Team,

I am thinking of coming up with plans and ideas to form a procedure for how we can disable the Network Access Control of Cisco ISE entirely (in my case, it is wired 802.1x and VPN integration with FTD) in the event of a disaster of every node in the deployment going down.

The idea here is that NAC would not be a block-point to businesses.
After NAC has been removed during the disaster, businesses can go on with traditional network access.

If anyone has been in this situation, could you kindly share your insight and advice on how to achieve this?

Thanks and regards,
Sreng

Re: Breakglass Procedure for Cisco ISE

Mark Elsen — Mon, 06 Jun 2022 15:43:19 GMT

>... businesses can go on with traditional network access.

This is not a normal deployment method and or emergency action for ISE, meaning simply that in practice this is 'not done', as far as the phrase above , will business go on ? Doubt it what if legitimate network access is cracked during that period too. You put your business and business critical information at risk, amongst other arguments.

Re: Breakglass Procedure for Cisco ISE

andrewswanson — Mon, 06 Jun 2022 15:53:11 GMT

I'm looking at a similar solution for a "Critical Authentication" event in an ibns 2 environment using TrustSec. An excerpt from the Identity Control Policy on the switches is below (entries in bold show what the policy is when AAA is unavailable). I'm testing this with an ACL applied on the uplink of the switch (this acl drops all traffic to/from ISE to simulate ISE being unavailable).

Its working well but I still have to consider that if ISE is totally unavailable, then:

Cisco Trustsec Environment data will eventually timeout an be lost from all the switches.
SXP connections will also be lost.

I'm looking at having vague/generic VLAN assigned SGTs with local policies on the switches - when ISE is available, ISE SGT assignment and policy will take precedence over them. But if ISE fails, these SGTs and policies will become active.

hth
Andy

event session-started match-all
10 class always do-until-failure
10 activate service-template PREAUTH
20 class always do-until-failure
20 authenticate using dot1x retries 3 retry-time 30 priority 10
event authentication-failure match-first
10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
10 clear-authenticated-data-hosts-on-port
30 activate service-template CRITICAL-SGT replace-all
40 authorize
20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
10 pause reauthentication
30 activate service-template CRITICAL-SGT replace-all
40 authorize
30 class DOT1X_FAILED do-until-failure
10 terminate dot1x
20 authentication-restart 65535
40 class DOT1X_NO_RESP do-until-failure
10 terminate dot1x
20 authentication-restart 65535
60 class always do-until-failure
10 terminate dot1x
30 authentication-restart 65535
event agent-found match-all
10 class always do-until-failure
20 authenticate using dot1x retries 3 retry-time 30 priority 10
event aaa-available match-all
10 class always do-until-failure
10 clear-session

Re: Breakglass Procedure for Cisco ISE

Mohammed al Baqari — Mon, 06 Jun 2022 15:59:19 GMT

Hi,

You can use critical VLAN option. I have seen cases where people use EEM to
deploy limited-access-acls in case of radius servers down. This way they
get limited access until ISE restored (such http and https, dns, dhcp, no
lan access, etc).

But as mentioned in other posts, there is always a risk factor which you
need to evaluate.

***** please remember to rate useful posts

Re: Breakglass Procedure for Cisco ISE

ahollifield — Mon, 06 Jun 2022 16:53:26 GMT

Wired 802.1X you can use critical-auth-vlan or take a number of different actions when the RADIUS servers are down. For VPN, there is no concept of "fail-open". Even it was possible, would you REALLY want to open your VPN inbound to the entire internet with zero authentication???

Re: Breakglass Procedure for Cisco ISE

jmcgrady1 — Mon, 18 Jul 2022 07:26:53 GMT

We are looking at this same question for a client. We have found ISE to be a not completely robust solution, and recently lost both nodes. ISE is used for network access control for wired clients on Cisco switches. The impact of the client's network grinding to a halt is much larger than the security risk of bypassing ISE for a time. We are investigating the use of critical vlan.

Re: Breakglass Procedure for Cisco ISE

Mark Elsen — Mon, 18 Jul 2022 08:21:13 GMT

>...and recently lost both nodes

Find out 1) why . 2) how and 3) resolve. It also will increase your knowledge to deal with further ise incidents and perform stronger ise management (too). If ISE is being used consider it business critical , that's a choice of IT and according to me a good one. Taking emergency solutions then becomes bad practice.