Allowing access if ISE is down in Wireless

Greetings,

 

Could you advise how to set fail open in the 9800 WLC when ISE is down?

 

Thanks,

Edouard.

Amine ZAKARIA
Beginner

Hello,

You can create a fallback SSID with a pre-shared key, which is not used by RADIUS, and keep it disabled until your ISE deployment goes down, then enable it.

Hi Amine,

But the supplicant has already been set to use the certificate. You mean to create a fallback SSID with PSK using a different name?

Please advise.

Hello,

Yes, of course, with a different SSID name.

thomas
Cisco Employee

"Fail Open" is generally a bad security practice for wireless networks. Better to let people use Guest services for internet access.

Best is to simply deploy a highly available ISE deployment so this doesn't happen.


Thanks Thomas. Our design is ISE in HA mode, and I wanted to know if it was possible to fall back from certificate-based authentication to PSK authentication in case both PSNs are down.

I know it is possible in the wired scope, so I was wondering if it was possible in the wireless scope.

Thanks,

howon
Cisco Employee

This is fancier than what you may be looking for as it only brings up the SSID in case ISE is down. This is important as if you have the backup PSK SSID always up, the user may favor it instead of the main 802.1X SSID:

https://community.cisco.com/t5/wireless-mobility-documents/automated-backup-ssid-with-eem-on-catalyst-9800-wireless/ta-p/3743838

 
