802.1x Limitation

Ricky Sandhu
Level 3

Since my old topic about the frequency of 802.1x Wired deployments in the industry was already answered, I decided to start the next discussion of another question that popped into my head.  Today as I was playing with this stuff I realized the limitation of an 802.1x solution.  The NADs must always have visibility of the RADIUS (ISE) server.  This is a bit concerning because I have nearly 100 branch offices where I am planning to deploy 802.1x for wired ethernet.  These offices connect to the Data Center over a DMVPN topology over the Internet.  As happens quite frequently, the internet goes down at a given site.  This causes VPN tunnels to drop and loss of all connectivity with the DC where the ISE server is deployed.  We have backup connectivity over cellular, however that's also location dependent and may not always come up.  We could add a secondary ISP, however sometimes separate ISPs still use the same last-mile carrier, and if the problem is with that carrier itself, we're dead in the water.  (It's happened a few times.)  A situation such as this would break not only WAN connectivity but also LAN connectivity.  Typically, if our users for some reason drop WAN connectivity, they can continue to work on LAN servers.  However now they won't even be able to do that, which would cause a *hitload of new headaches.

Is there another way out of this?  I understand redundancy of connectivity is the answer but we don't have MPLS and are strictly Internet dependent.  


Jason Kunst
Cisco Employee
This is a switching question: if the RADIUS server is not available, then what?

CRITICAL AUTH
http://cs.co/ise-guides
Look under Cisco switches:
https://community.cisco.com/t5/security-documents/ise-security-ecosystem-integration-guides/ta-p/3621164#toc-hId--1848705051

Cisco ISE Secure Wired Access Prescriptive Deployment Guide
https://community.cisco.com/t5/security-documents/cisco-ise-wired-access-deployment-guide/ta-p/3641515

Thank you.  This is exactly what I was looking for.  


Critical Authentication

In closed mode, the endpoints do not have network access unless they authenticate successfully or are given fail open access because of ISE authorization policy. What if the ISE server itself is unreachable? The best practice recommendation is therefore to configure the fail open access locally on the switch.


https://community.cisco.com/t5/security-documents/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515


Keep in mind:


If you value that your endpoints authenticate via 802.1x even during a WAN outage, you should consider other options. Critical VLANs are a compromise and not a secure business continuity plan. Minimizing single points of failure should be an objective for any branch site of importance. 


Even if the last mile is the same infrastructure between different ISPs, having different ISPs still gives a better MTBF. Other things you can consider are duplicating your WAN gear at the branches and/or PSUs on the routers. 


If you do choose to take up another ISP, you may want to take a look at SD-WAN solutions.
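The switch-local fail-open ("critical authentication") that the guide excerpt above recommends, shown as an added example in classic Cisco IOS authentication CLI; this is not configuration from the thread, the guide, or Cisco, and the ISE addresses, VLAN IDs, timers and shared secret are placeholders. It is the compromise the reply above warns about, so the critical VLAN should only reach what branch users need during an outage.

```cisco
! Added example (not from the thread or the ISE guide): critical-auth
! fail-open on a Cisco IOS access switch, classic authentication CLI.
! Placeholders: 10.0.0.10/.11 = ISE PSNs, VLAN 100 = data, VLAN 200 = voice.

! Declare a server dead after 3 unanswered requests within 10 seconds,
! and keep it marked dead for 15 minutes before probing it again.
radius-server dead-criteria time 10 tries 3
radius-server deadtime 15

radius server ISE-PSN1
 address ipv4 10.0.0.10 auth-port 1812 acct-port 1813
 key <shared-secret-placeholder>
radius server ISE-PSN2
 address ipv4 10.0.0.11 auth-port 1812 acct-port 1813
 key <shared-secret-placeholder>

aaa new-model
aaa group server radius ISE
 server name ISE-PSN1
 server name ISE-PSN2
aaa authentication dot1x default group ISE
aaa authorization network default group ISE

dot1x system-auth-control
! Send EAP-Success to supplicants placed in the critical VLAN so they
! stop retrying against servers the switch already knows are dead.
dot1x critical eapol

interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 100
 switchport voice vlan 200
 authentication port-control auto
 authentication host-mode multi-domain
 ! Only when every server in the group is dead: authorize the local
 ! data VLAN and the voice VLAN instead of holding the port closed.
 authentication event server dead action authorize vlan 100
 authentication event server dead action authorize voice
 ! When a server returns, re-run 802.1X/MAB on critical-auth sessions
 ! so endpoints do not keep the fail-open authorization indefinitely.
 authentication event server alive action reinitialize
 dot1x pae authenticator
 mab
```

During an outage, `show aaa servers` reports the per-server UP/DEAD state, and `show authentication sessions interface GigabitEthernet1/0/1` shows whether a port was authorized by the server or by critical auth, which is what you would alert on to notice a site running fail-open.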