Alex,

Thanks for the suggestion! But I'm gonna go with an EEM script as a last resort. I'm hoping someone here in the security space knows of a solution that Cisco has already coded in and it just requires a command or an understanding of authentication feature set that I don't have. The concept of Low Impact mode on 802.1X ports is not very new nor is the "dead action authorize" behavior so I would assume Cisco has thought of something here.

Thanks for your suggestion though!

Mark

Alex,

With the info grgibbs gave below its clear your answer is correct. Also, I like your syslog approach better than the route tracking provided in the Cisco live doc chyps provided. It's not perfect as it doesn't track both syslog servers though that could be improved on with a couple of tracking objects and another script to mark that objects down for each individual server. I don't think I would bother going that hardcore on it though.

Thx for your info and your answer!

Mark

The Live session provides examples of both tracking and syslog options.  I found the syslog option a bit troublesome in practice and so also offered option to track ALLDEADSERVER but even that did not seem as full proof as tracking reachability.  The session also includes simple IBNS 2.0 examples, and agree with recommendation to review the Live session from Hari on Session Aware Networking (BRKSEC-2691 or 2692).

Note that DNA-C will be based on IBNS 2.0 as it will help add the high-value benefits of IBNS 2.0 while removing the complexities of the advanced configurations.

Thanks Chyps!

The more I think about it the more I think the syslog option would not be all that great either. Though I'm not sure I like the route tracking option I saw in the BRKSEC-3699 slide deck. I think an IP SLA option with a tracking object would be better. Maybe track both of the ISE PSNs with individual tracks and then have a track object that tracks the states of the two other tracks? To an extent though all of these ways are pretty messy.

I do agree the C3PL is cleaner about this. And from what you guys have been saying it is the way forward (or at least until DNA-C). So I'll have lab it up and learn it. I'll probably look to implement it on my next big greenfield. The more I look at it the policy seems a little long but it makes sense as long as you know the auth process. And its probably pretty much copy/paste once you learn it well enough. Also, you definitely save on lines of config over all. Not too mention who doesn't hate port configs that are so long they take up almost the whole pager.

Thanks!

Mark

You may also want to review the last section of BRKSEC-3699 which reviews failover for this scenario.  It covers sample EEM scripts, use of IBNS 2.0 as well as other options to handle this scenario.  Reference version of session is posted to CiscoLive.com - latest version from Barcelona 2018.

Thanks, Chyps!

I'm going to totally watch that VOD when I get a chance. I did skim the slide deck and saw the eem and C3PL answers you mentioned. Thanks for your help, dude!

Mark

Grgibbs,

Amazing answer! Sorry I gave the correct answer to Alex as he was right first. If I could have given two I would have certainly gave you one too. The docs were great. I'm going to see if I can find the video on that live presentation when I get chance. So far I just skimmed through the slide deck.

The IBNS 2.0 doc definitely gives the type of answer I was looking for for Critical ACL fallback. And my switches have new enough code to support it on this project. That said, I found that you have to convert all your authentication code to the new format to use the critical ACL functionality....which is problematic in the least. Also, the policy maps look absolutely heinous to configure. I know you can convert it but that's not really my style (being a ccie and consultant, I am expected to know it). I need to lab up that new format extensively before I can deploy that to my customers if I decide to.

What I found really odd was the IBNS 2.0 doc is dated 2013 for its last update. But I haven't see any ISE training or documentation reference this identity access format in switches. I have been learning and labbing ISE for a about a year now. Nothing I have read or watched mentioned this new format. Not the ISE device configuration references (Cisco Identity Services Engine Administrator Guide, Release 2.3 - Switch and Wireless LAN Controller Configuration Requ…) or the SISAS cisco official VOD class, or anything else I have read...So did this configuration model not catch on as far as you know? It does seem overly complicated like a lot of Cisco's configuration methodologies that use way too much policy/class hierarchy (ZBF, PFR, etc).

The Demystifying Radius server configurations seems great. I'm gonna give that a read to. I was already using the automate-tester command but I added the "probe-on" into my template. It totally makes sense for bigger deployments. No need to have a crap ton of radius probes running all the time. I also added the "radius-server deadtime 10". It defaulting to zero would have really messed up a script based on the syslog messages. Thanks a million for mentioning that behavior!!

Thanks!

Mark

Hi Mark,

IBNS 2.0 has been around for awhile. It did have a slow adoption as some of the bugs were worked out, but has become general best practice for greenfield deployments by Cisco Advanced Services. It does take some getting used to and adds a bit of complexity, but it also solves some of the inherent problems in the legacy IBNS functions.

It also reduces a lot of configuration bloat as you configure the policy one place and simply attach it as a template to the interfaces.

It's a couple of years old, but there is a really good Cisco Live presentation on IBNS 2.0 that breaks down a lot of the structure and functionality.

IBNS 2.0: New-style 802.1X and more - BRKSEC-2691

Cheers,

Greg

Thx, Greg! That is the one thing that seemed nice about it....a lot less port config. I'll give it a watch and see about using it on my next project! Thanks for the info!

Mark

Sent from my android phone. Please excuse my brevity.