topic Andre-I am afraid you don't in Network Access Control

Access with ISE server dead

andre.ortega — Mon, 11 Mar 2019 05:26:47 GMT

Hello there,
I´d like to know how to give access for users when ISE is dead.
I´m asking that because I´m using pre authentication ACL, so even with the command authentication event server dead action authorize vlan XX the access will be limited, will not it?

My pre authentication acl allow access only to ISE, DNS and DHCP requests.

Regards.

Hi Andre-Can you tell me:-

nspasov — Sat, 14 Feb 2015 01:07:35 GMT

Hi Andre-

Can you tell me:

- Model of switches used

- Version of code running

- Image running (IP Base, IP Services, etc)

Thank you for rating helpful posts!

You could use a preauth ACL

Peter Koltl — Sun, 15 Feb 2015 16:58:28 GMT

You could use a preauth ACL of 'permit ip any any'. As long as ISE is functioning it can assign a tailored dynamic ACL for both a 802.1X-enabled endpoint and another (more restrictive) ACL for nonresponsive (MAB) endpoint according to the authorization rules.

If the ISE fails, the authentication event server dead action authorize vlan command places the port into a suitable critical VLAN.

Hi Peter,my pre

andre.ortega — Wed, 18 Feb 2015 22:55:23 GMT

Hi Peter,

my pre authentication ACL only allow access to ISE, DNS and DHCP requests.

If the ISE fails and I put the users on a critical VLAN the ACL will still limiting the access, right?

Hello Neno,- Model of

andre.ortega — Wed, 18 Feb 2015 23:18:10 GMT

Hello Neno,

- Model of switches used: 2960

- Version of code running: 12.2(55)SE3

- Image running (IP Base, IP Services, etc): IP Base.

Andre-I am afraid you don't

nspasov — Thu, 19 Feb 2015 02:31:27 GMT

Andre-

I am afraid you don't have many options here. I have faced this problem before during my deployments. The problem is that ISE is needed in order to signal the switch to remove the pre-auth ACL by applying a dACL. However, since ISE is not available, the switch can authorize the endpoints to a VLAN but no you need another method to remove the pre-auth ACL. In the past I have accomplished this via one of the following:

1. EEM script that re-configures the switch and sets the pre-auth ACL to "permit ip any any" (or remove the pre-auth ACL all together) when/if the ISE servers become unavailable. I thought this feature required IP Services but looking at the following doc it looks like you could do it with IP Base too. I guess you can give it a try and see what happens 🙂

http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-software-releases-12-2-special-early-deployments/product_bulletin_c25-614546.html

eem script example:

http://www.alcatron.net/Cisco%20Live%202013%20Melbourne/Cisco%20Live%20Content/Security/BRKSEC-3040%20%20Advanced%20ISE%20and%20Secure%20Access%20Deployment.pdf

2. The second method requires a converged access switch (3850, 3650). Those switches can be configured with profiles where the pre-auth ACL can be replaced with a critical ACL in the event of an ISE outage.

I hope this helps!

Thank you for rating helpful posts!

Thanks Neno,I´ll try an EEM.

andre.ortega — Thu, 19 Feb 2015 15:18:38 GMT

Thanks Neno,

I´ll try an EEM.