01-25-2023 12:49 PM
I'm looking to see if it's possible for a C9300 to authenticate/authorize endpoints with certificates signed by a trusted CA while ISE is down. Below is my current policy-map for ISE being down:
 event authentication-failure match-first
  10 class ISE_SVR_DOWN_AUTHD_HOST do-until-failure
   10 pause reauthentication
   20 authorize
  20 class ISE_SVR_DOWN_UNAUTHD_HOST do-until-failure
   10 activate service-template Internet-Only-Template
class ISE_SVR_DOWN_AUTHD_HOST is matching "result-type aaa timeout" and "authorization-status authorized" to maintain the current authorization status of an endpoint, whether it's a workstation, VoIP, wired IoT, etc.
class ISE_SVR_DOWN_UNAUTHD_HOST is matching "result-type aaa timeout" and "authorization-status unauthorized", which will activate a template that denies traffic to private IPs (excluding DHCP) and allows internet traffic for wired guests.
This has worked well so far, but a power-failure event on the switch will eliminate the authorized status of endpoints. If this happens, corporate endpoints are only able to reach the internet. I'm trying to avoid re-initiated VLANs as there's no telling if a guest or corporate endpoint is connected on the switch interface.
Is there a way to have the 9300 check for certificates and authorize devices based on certificates signed by a trusted CA?
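For readers who want to see the pieces the post describes but does not show, here is the surrounding IBNS 2.0 configuration as an added example. It is not the original poster's configuration: the class-map and service-template names are taken from the post, while the ACL name INTERNET_ONLY, the policy-map name, and the RADIUS dead-criteria values are assumptions chosen for illustration. Note that the CLI keyword is `aaa-timeout` (hyphenated), and that the switch only produces an aaa-timeout result once it has marked the RADIUS server dead, which is why the dead-criteria lines matter.

```cisco
! Assumed dead-criteria: the switch marks ISE dead after 3 unanswered
! requests within 5 seconds and keeps it dead for 10 minutes. Without
! this, sessions never reach the "aaa-timeout" result the class-maps match.
radius-server dead-criteria time 5 tries 3
radius-server deadtime 10

! Class-maps described in the post: same aaa-timeout result, split on
! whether the session was already authorized before ISE went away.
class-map type control subscriber match-all ISE_SVR_DOWN_AUTHD_HOST
 match result-type aaa-timeout
 match authorization-status authorized
class-map type control subscriber match-all ISE_SVR_DOWN_UNAUTHD_HOST
 match result-type aaa-timeout
 match authorization-status unauthorized

! Assumed ACL name. Permits DHCP, blocks RFC 1918 space, allows the rest.
ip access-list extended INTERNET_ONLY
 permit udp any eq bootpc any eq bootps
 deny ip any 10.0.0.0 0.255.255.255
 deny ip any 172.16.0.0 0.15.255.255
 deny ip any 192.168.0.0 0.0.255.255
 permit ip any any

! Service template named in the post, applying the ACL to the session.
service-template Internet-Only-Template
 access-group INTERNET_ONLY

! Policy-map name is assumed; the event block is the one from the post.
policy-map type control subscriber PMAP_WIRED_ISE_DOWN
 event authentication-failure match-first
  10 class ISE_SVR_DOWN_AUTHD_HOST do-until-failure
   10 pause reauthentication
   20 authorize
  20 class ISE_SVR_DOWN_UNAUTHD_HOST do-until-failure
   10 activate service-template Internet-Only-Template
```

The "authorized" status that ISE_SVR_DOWN_AUTHD_HOST depends on lives only in the switch's session table, so a reload while ISE is still unreachable leaves every returning endpoint in the unauthorized branch; that is exactly the failure mode the post describes, and nothing in this policy-map can recover the lost state on its own.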
01-25-2023 01:16 PM
No, the switch does not terminate EAP.
01-25-2023 01:52 PM
Thank you for your response. Knowing this, do you have any recommendations for allowing access to corporate VLANs during an ISE outage without allowing unintended guests access to the same VLAN?
01-25-2023 02:17 PM
A couple of options:
01-25-2023 02:26 PM
I appreciate the helpful tips. It seems this will be an accepted risk considering the scenario. Thank you for the feedback!