Solved: Access network when Cisco ISE down or switch can't connect to ISE

quangle1993 · ‎09-29-2017

Hi everyone,

I have this situation :
Headquarter in City A with Cisco ISE

Office in City B with Switch, no local IT

If ISE down or connection between ISE and Switch lost and the switch cant communicate with ISE, user in Office can't access to network. They cann't even use the printer, ipphone in their office. They can do nothing. This is unacceptable cause it impact to business too much.

I want to ask are there any way to let user access to network when ISE down or switch can't communicate with ISE. But when ISE work fine and the Switch can connect to ISE. Every user must authentication to get access.

Many thanks

Quang

Francesco Molino · ‎11-19-2017

Hi

Can you share a debug aaa to see what's going on? Are you sure the switch isn't able to reach ise? Can you run a ping from the switch and test aaa command

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post

Rob Ingram · ‎12-12-2018

Hi,
Yes, your thinking is correct. In my previous experience you don't need to specify "vlan x" and the end of the command, as if the radius server is marked dead it will authorize in the current configured vlan.

HTH

View solution in original post

Francesco Molino · ‎09-29-2017

Hi

When ISE server is not reachable from the switch, the switch will put the status dead to its radius server.
Then with the following commands you can give access to users trying to authenticate. Those commands are setup on the interface config:

authentication event server dead action authorize vlan vlan-id
authentication event server dead action authorize voice

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

quangle1993 · ‎09-29-2017

Thanks Francesco

"Then with the following commands you can give access to users trying to authenticate. " I don't really get your point. You mean we can only configure the command after the issue happen or can enter it before. Cause in office, there is no Local IT

Francesco Molino · ‎09-29-2017

Sorry if i misspelled something.

You can configure it remotely now and when the radius server won't be reachable those commands will be used. You have to get configured before an issue arrives.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

quangle1993 · ‎11-19-2017

Hi i already try commands above but it not working. Switch keep trying to reauthentication. And syslog on Switch say :

Radius server is responding again ....

Radisus server is mark alive ...

But this is impossible cause i was unplug the cable between Sw and ISE. How can Sw receive ISE respond.

Francesco Molino · ‎11-19-2017

Hi

Can you share a debug aaa to see what's going on? Are you sure the switch isn't able to reach ise? Can you run a ping from the switch and test aaa command

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

quangle1993 · ‎11-19-2017

Here is some logs. Interface f0/23 is the interface that connect to ISE.

SW1(config)#int f0/23
SW1(config-if)#shu
SW1(config-if)#shutdown
SW1(config-if)#
*Mar 4 01:01:03.978: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan195, changed state to down
*Mar 4 01:01:03.978: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan14, changed state to down
*Mar 4 01:01:04.968: %LINK-5-CHANGED: Interface FastEthernet0/23, changed state to administratively down
SW1(config-if)#
*Mar 4 01:01:05.974: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/23, changed state to down
SW1(config-if)#exit
SW1(config)#
*Mar 4 01:01:16.099: %ILPOWER-5-POWER_GRANTED: Interface Fa0/3: Power granted
SW1(config)#
*Mar 4 01:01:20.059: %LINK-3-UPDOWN: Interface FastEthernet0/3, changed state to up
*Mar 4 01:01:21.065: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed state to up
SW1(config)#
*Mar 4 01:01:33.179: %AUTHMGR-5-START: Starting 'dot1x' for client (0007.0e6c.e32c) on Interface Fa0/3 AuditSessionID C0A81414000000150FAB3376
SW1(config)#
*Mar 4 01:01:49.058: %DOT1X-5-FAIL: Authentication failed for client (0007.0e6c.e32c) on Interface Fa0/3 AuditSessionID C0A81414000000150FAB3376
*Mar 4 01:01:49.058: %AUTHMGR-5-START: Starting 'mab' for client (0007.0e6c.e32c) on Interface Fa0/3 AuditSessionID C0A81414000000150FAB3376
SW1(config)#
*Mar 4 01:01:54.226: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.20.250:1812,1813 is not responding.
SW1(config)#
*Mar 4 01:02:13.486: %RADIUS-3-ALLDEADSERVER: Group radius: No active radius servers found. Id 46.
*Mar 4 01:02:13.486: %MAB-5-FAIL: Authentication failed for client (0007.0e6c.e32c) on Interface Fa0/3 AuditSessionID C0A81414000000150FAB3376
SW1(config)#
*Mar 4 01:02:13.486: %AUTHMGR-5-FAIL: Authorization failed for client (0007.0e6c.e32c) on Interface Fa0/3 AuditSessionID C0A81414000000150FAB3376
SW1(config)#
*Mar 4 01:02:54.229: %RADIUS-6-SERVERALIVE: Group radius: Radius server 192.168.20.250:1812,1813 is responding again (previously dead).
SW1(config)#
*Mar 4 01:02:54.229: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.168.20.250:1812,1813 is being marked alive.
SW1(config)#
*Mar 4 01:03:14.194: %AUTHMGR-5-START: Starting 'dot1x' for client (0007.0e6c.e32c) on Interface Fa0/3 AuditSessionID C0A81414000000150FAB3376
SW1(config)#
*Mar 4 01:03:45.081: %DOT1X-5-FAIL: Authentication failed for client (0007.0e6c.e32c) on Interface Fa0/3 AuditSessionID C0A81414000000150FAB3376
*Mar 4 01:03:45.081: %AUTHMGR-5-START: Starting 'mab' for client (0007.0e6c.e32c) on Interface Fa0/3 AuditSessionID C0A81414000000150FAB3376
SW1(config)#
*Mar 4 01:03:54.342: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.20.250:1812,1813 is not responding.
SW1(config)#
*Mar 4 01:04:14.206: %RADIUS-3-ALLDEADSERVER: Group radius: No active radius servers found. Id 47.
*Mar 4 01:04:14.206: %MAB-5-FAIL: Authentication failed for client (0007.0e6c.e32c) on Interface Fa0/3 AuditSessionID C0A81414000000150FAB3376
SW1(config)#
*Mar 4 01:04:14.206: %AUTHMGR-5-FAIL: Authorization failed for client (0007.0e6c.e32c) on Interface Fa0/3 AuditSessionID C0A81414000000150FAB3376
SW1(config)#
*Mar 4 01:04:54.346: %RADIUS-6-SERVERALIVE: Group radius: Radius server 192.168.20.250:1812,1813 is responding again (previously dead).
SW1(config)#
*Mar 4 01:04:54.346: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.168.20.250:1812,1813 is being marked alive.
SW1(config)#

Francesco Molino · ‎11-21-2017

Hi

On your output we see that authentication fails and your server radius is going dead and right after alive again.

How you're testing it? If it's in lab, then simply shutdown the server. If it's in prod, use a username that doesn't exists in your database and configure your radius to do the authentication in case user isn't found

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

quangle1993 · ‎11-21-2017

It a Lab, i install ISE on my laptop, i have a Sw and IP-phone. Physical topology just like this :

ISE(my laptop)----SW----IPphone.

For testing, i unplug the cable between my laptop or on Sw i shutdown the port connect to ISE, the SW and ISE never can communication when i do this right ? Really have no idea why Radius Server alive again.

Francesco Molino · ‎11-21-2017

If the cable is unplugged or the port shutdown, ISE should not be reachable.
If the switch see it alive that means it's still connected.

What are you trying to authenticate when ise is down? Phone or your machine?

You can do the test by shutting down the VM

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

quangle1993 · ‎11-21-2017

It a IP-phone but same result with laptop. Ok i will try shutdown the VM. Last time, after shutdown portorr unplug cable to ISE. I plug IP=phone to Switch

quangle1993 · ‎11-21-2017

It a IP-phone but same result with laptop. Ok i will try shutdown the VM. Last time, after shutdown portorr unplug cable to ISE. I plug IP=phone to Switch.

Ditter · ‎12-12-2018

Hi to all,

just looking in these old threads about ISE getting dead and i would like to ask about the following command:

authentication event server dead action authorize vlan vlan-id

In case the port is already configured with access vlan i.e. vlan 50 do i need to configure the above command?

Or the above command is needed in case you want to override the port configured access vlan?

Thanks,

Ditter.

Rob Ingram · ‎12-12-2018

Hi,
Yes, your thinking is correct. In my previous experience you don't need to specify "vlan x" and the end of the command, as if the radius server is marked dead it will authorize in the current configured vlan.

HTH

Ditter · ‎12-13-2018

Thanks.

I also noticed that you can also configure the following interface commands:

authentication event fail action next-method

authentication event fail action authorize vlan

How are these two commands above different from :

authentication event server dead action authorize vlan

Should they also be configured on the interface or the "authentication event server dead action authorize vlan" will suffice?

Thanks,

Ditter