Authenticate endpoints using trusted certificate while ISE is down

Kacker
Level 1

I'm looking to see if it's possible for a C9300 to authenticate/authorize endpoints with certificates signed by a trusted CA while ISE is down. Below is my current policy-map for ISE being down

event authentication-failure match-first
 10 class ISE_SVR_DOWN_AUTHD_HOST do-until-failure
  10 pause reauthentication
  20 authorize
 20 class ISE_SVR_DOWN_UNAUTHD_HOST do-until-failure
  10 activate service-template Internet-Only-Template

class ISE_SVR_DOWN_AUTHD_HOST is matching "result-type aaa timeout" and "authorization-status authorized" to maintain the current authorization status of an endpoint, whether it's a workstation, VoIP, wired IoT, etc.

class ISE_SVR_DOWN_UNAUTHD_HOST is matching "result-type aaa timeout" and "authorization-status unauthorized" which will activate a template that denies traffic to private IPs (excluding DHCP) and allows internet-traffic for wired guests.

This has worked well so far, but a power-failure event on the switch will eliminate the authorized status of endpoints. If this happens, corporate endpoints are only able to reach the internet. I'm trying to avoid re-initiated VLANs as there's no telling if a guest or corporate endpoint is connected on the switch interface.

Is there a way to have the 9300 check for certificates and authorize devices based on certificates signed by a trusted CA?
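As an added illustration (not the original poster's configuration), the two class-maps and the Internet-Only service template described in the post would be defined in IBNS 2.0 syntax as below. The class-map and template names are taken from the post; the ACL name INTERNET-ONLY-ACL and its contents are assumptions constructed for this example.

```ios
! Added example, not the poster's running config. Class-map and
! service-template names come from the post; the ACL is constructed here.
class-map type control subscriber match-all ISE_SVR_DOWN_AUTHD_HOST
 match result-type aaa-timeout
 match authorization-status authorized
!
class-map type control subscriber match-all ISE_SVR_DOWN_UNAUTHD_HOST
 match result-type aaa-timeout
 match authorization-status unauthorized
!
! Port ACL applied to a host that is still unauthorized when ISE times out:
! DHCP is allowed, RFC 1918 space is denied, everything else (internet) passes.
ip access-list extended INTERNET-ONLY-ACL
 permit udp any eq bootpc any eq bootps
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip any any
!
! Referenced by "activate service-template Internet-Only-Template" in the
! policy-map's authentication-failure event shown in the post.
service-template Internet-Only-Template
 access-group INTERNET-ONLY-ACL
```

Two practical notes: if guest endpoints resolve names through an internal (RFC 1918) DNS server, a permit for that server must precede the deny lines or guests will have no working name resolution; and this template only preserves access for hosts whose session state already exists on the switch, so after a reload every session starts unauthorized and lands in this template, which is exactly the gap the thread goes on to discuss.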

4 Replies

No, the switch does not terminate EAP.

Thank you for your response. Knowing this, do you have any recommendations for allowing access to corporate VLANs during an ISE outage without allowing unintended guests access to the same VLAN?

A couple of options:

  • Apply an ACL that is a balance of necessary corporate access while not being totally open to potential guest endpoints
  • Statically configure VLANs/Access for guest endpoints (don't rely on ISE to assign if this endpoint is guest or not).
  • Accept this as a security risk if ISE is down. Have proper HA/distributed deployment to handle any ISE outages. Also a robust WAN with proper failover to mitigate.

I appreciate the helpful tips. It seems this will be an accepted risk considering the scenario. Thank you for the feedback!