https://community.cisco.com/t5/network-access-control/authenticate-endpoints-using-trusted-certificate-while-ise-is/m-p/4762416#M579407 <P>I'm looking to see if it's possible for a C9300 to authenticate/authorize endpoints with certificates signed by a trusted CA while ISE is down. Below is my current policy-map for ISE being down</P><P>event authentication-failure match-first<BR />10 class ISE_SVR_DOWN_AUTHD_HOST do-until-failure<BR />10 pause reauthentication<BR />20 authorize<BR />20 class ISE_SVR_DOWN_UNAUTHD_HOST do-until-failure<BR />10 activate service-template Internet-Only-Template</P><P>class ISE_SVR_DOWN_AUTHD_HOST is matching "result-type aaa timeout" and "authorization-status authorized" to maintain the current authorization status of an endpoint, whether it's a workstation, VoIP, wired IoT, etc.</P><P>class ISE_SVR_DOWN_UNAUTHD_HOST is matching "result-type aaa timeout" and "authorization-status unauthorized" which will activate a template that denies traffic to private IPs (excluding DHCP) and allows internet-traffic for wired guests.</P><P>This has worked well so far, but a power-failure event on the switch will eliminate the authorized status of endpoints. If this happens, corporate endpoints are only able to reach the internet. I'm trying to avoid re-initiated VLANs as there's no telling if a guest or corporate endpoint is connected on the switch interface.</P><P>Is there a way to have the 9300 check for certificates and authorize devices based on certificates signed by a trusted CA?</P> Wed, 25 Jan 2023 20:49:06 GMT Kacker 2023-01-25T20:49:06Z https://community.cisco.com/t5/network-access-control/authenticate-endpoints-using-trusted-certificate-while-ise-is/m-p/4762416#M579407 <P>I'm looking to see if it's possible for a C9300 to authenticate/authorize endpoints with certificates signed by a trusted CA while ISE is down. Below is my current policy-map for ISE being down</P><P>event authentication-failure match-first<BR />10 class ISE_SVR_DOWN_AUTHD_HOST do-until-failure<BR />10 pause reauthentication<BR />20 authorize<BR />20 class ISE_SVR_DOWN_UNAUTHD_HOST do-until-failure<BR />10 activate service-template Internet-Only-Template</P><P>class ISE_SVR_DOWN_AUTHD_HOST is matching "result-type aaa timeout" and "authorization-status authorized" to maintain the current authorization status of an endpoint, whether it's a workstation, VoIP, wired IoT, etc.</P><P>class ISE_SVR_DOWN_UNAUTHD_HOST is matching "result-type aaa timeout" and "authorization-status unauthorized" which will activate a template that denies traffic to private IPs (excluding DHCP) and allows internet-traffic for wired guests.</P><P>This has worked well so far, but a power-failure event on the switch will eliminate the authorized status of endpoints. If this happens, corporate endpoints are only able to reach the internet. I'm trying to avoid re-initiated VLANs as there's no telling if a guest or corporate endpoint is connected on the switch interface.</P><P>Is there a way to have the 9300 check for certificates and authorize devices based on certificates signed by a trusted CA?</P> Wed, 25 Jan 2023 20:49:06 GMT https://community.cisco.com/t5/network-access-control/authenticate-endpoints-using-trusted-certificate-while-ise-is/m-p/4762416#M579407 Kacker 2023-01-25T20:49:06Z https://community.cisco.com/t5/network-access-control/authenticate-endpoints-using-trusted-certificate-while-ise-is/m-p/4762432#M579408 <P>No, the switch does not terminate EAP.</P> Wed, 25 Jan 2023 21:16:37 GMT https://community.cisco.com/t5/network-access-control/authenticate-endpoints-using-trusted-certificate-while-ise-is/m-p/4762432#M579408 ahollifield 2023-01-25T21:16:37Z https://community.cisco.com/t5/network-access-control/authenticate-endpoints-using-trusted-certificate-while-ise-is/m-p/4762443#M579409 <P>Thank you for your response. Knowing this, do you have an recommendations for allowing access to corporate VLANs during an ISE outage without allowing unintended guests access to the same VLAN?</P> Wed, 25 Jan 2023 21:52:45 GMT https://community.cisco.com/t5/network-access-control/authenticate-endpoints-using-trusted-certificate-while-ise-is/m-p/4762443#M579409 Kacker 2023-01-25T21:52:45Z https://community.cisco.com/t5/network-access-control/authenticate-endpoints-using-trusted-certificate-while-ise-is/m-p/4762450#M579411 <P>A couple of options:</P> <UL> <LI>Apply an ACL that is a balance of necessary corporate access while not being totally open to potential guest endpoints</LI> <LI>Statically configure VLANs/Access for guest endpoints (don't rely on ISE to assign if this endpoint is guest or not).</LI> <LI>Accept this as a security risk if ISE is down.&nbsp; Have proper HA/distributed deployment to handle any ISE outages.&nbsp; Also a robust WAN with proper failover to mitigate.&nbsp;</LI> </UL> Wed, 25 Jan 2023 22:17:53 GMT https://community.cisco.com/t5/network-access-control/authenticate-endpoints-using-trusted-certificate-while-ise-is/m-p/4762450#M579411 ahollifield 2023-01-25T22:17:53Z https://community.cisco.com/t5/network-access-control/authenticate-endpoints-using-trusted-certificate-while-ise-is/m-p/4762452#M579412 <P>I appreciate the helpful tips. It seems this will be an accepted risk considering the scenario. Thank you for the feedback!</P> Wed, 25 Jan 2023 22:26:12 GMT https://community.cisco.com/t5/network-access-control/authenticate-endpoints-using-trusted-certificate-while-ise-is/m-p/4762452#M579412 Kacker 2023-01-25T22:26:12Z