Allowing access if ISE is down in Wireless

Greetings,

Could you advise how to set fail open in the 9800 WLC when ISE is down?

Thanks,

Edouard.

2 Accepted Solutions


thomas
Cisco Employee

"Fail Open" is generally a bad security practice for wireless networks. Better to let people use Guest services for internet access.

Best is to simply deploy a highly available ISE deployment so this doesn't happen.


howon
Cisco Employee

This is fancier than what you may be looking for as it only brings up the SSID in case ISE is down. This is important as if you have the backup PSK SSID always up, the user may favor it instead of the main 802.1X SSID:

https://community.cisco.com/t5/wireless-mobility-documents/automated-backup-ssid-with-eem-on-catalyst-9800-wireless/ta-p/3743838

6 Replies

Amine ZAKARIA
Spotlight

Hello,

You can create a fallback SSID with a pre-shared key, which is not used by RADIUS, and keep it disabled until your ISE deployment goes down, then enable it.

Hi Amine,

But the supplicant has already been set to use the certificate. You mean to create a fallback SSID with PSK using a different name?

Please advise.

Hello,

Yes, of course, with a different SSID name.

Thanks Thomas. Our design is ISE in HA mode, and I wanted to know if it was possible to fall back from certificate-based authentication to PSK authentication in case both PSNs are down.

I know it is possible in the wired scope, so I was wondering if it was possible in the wireless scope.

Thanks,
