topic Re: Lose connection between access switch and ISE servers in Network Access Control

Lose connection between access switch and ISE servers

dcasey — Tue, 01 Apr 2025 14:51:45 GMT

I'm migrating from an older WS-C3750X switch stack over to a C9300 switch stack. The C9300 switch stack is configured the same as the existing stack and will be racked up, stacking cabled up, and powered up alongside the existing switch. To minimize downtime in this medical environment, I'm going to shut down the management VLAN of the WS-C3750X switch stack and bring the C9300 switch stack onto the network. This will allow me to move the RJ-45 connections one at a time from the old to the new and the biggest impact to the end-users will be a momentary loss of connection or waiting for a VoIP device to reboot.

My question is, when I shut down the management VLAN interface on the old switch stack it will lose connection to the ISE servers. I realize no new connections will be authenticated but I wanted to make sure existing connections will continue to be authorized until their timer runs out. In short, I want to make sure that loss of connection to the ISE servers won't cause existing connections to switch to unauthorized and stop passing traffic.

Thank you!

Re: Lose connection between access switch and ISE servers

Mark Elsen — Tue, 01 Apr 2025 15:33:50 GMT

- But in the end they will become unauthorized when the  reauthentication timer interval expires
and the radius servers can no longer be reached.
On the switch the reauthentication timer interval (session timer) can be downloaded to the switch
from the RADIUS server using :  Sw(config-if)#authentication timer reauthenticate server
For the settings on ISE (radius) checkout  https://community.cisco.com/t5/network-access-control/ise-reauthentication-timer/m-p/2315595/highlight/true#M96972

But then one sufficient high timer value should have been provisioned on the previous authentication of the device.
That there will be no troubles can not be guaranteed in my opinion. Consider a flow for dedicated migrating of
equipment to the new stack taking into account the medical environment,

Re: Lose connection between access switch and ISE servers

MHM Cisco World — Tue, 01 Apr 2025 16:01:17 GMT

You can not do that

Re-auth happened when timer end or interface is up/down

When you disconnect device from SW-A and connect it to SW-B the SW-B will treat it as new auth even if timer is not end yet.

What you want is open port for 802.1x and then close port for 802.1x one by one.

It risky but there are no other options

Sorry

MHM

Re: Lose connection between access switch and ISE servers

dcasey — Tue, 01 Apr 2025 16:07:19 GMT

That is how I understood it I just needed a sanity check to make sure before I say one thing and something else happens. Thank you!

Re: Lose connection between access switch and ISE servers

dcasey — Tue, 01 Apr 2025 16:09:09 GMT

"When you disconnect device from SW-A and connect it to SW-B the SW-B will treat it as new auth even if timer is not end yet."

That's actually perfect and what I want. I just wanted to make sure if I shut down the management VLAN interface on the old switch stack (so I could bring the new switch stack online using the same management IP address) the connected devices on the old switch stack wouldn't all go unauthorized immediately. Once I move the RJ-45 cable from the old to the new stack I'm fine with them going through the authorization process again and being able to pass traffic.

Thank you for your reply!

Re: Lose connection between access switch and ISE servers

MHM Cisco World — Tue, 01 Apr 2025 16:17:48 GMT

Let me check log off message.

I will update you if I get something useful.

MHM