06-06-2022 08:14 AM
Hi Team,
I am thinking of coming up with plans and ideas to form a procedure for how we can disable the Network Access Control of Cisco ISE entirely (in my case, it is wired 802.1X and VPN integration with FTD) in the event of a disaster where every node in the deployment goes down.
The idea here is that NAC would not be a block-point to businesses.
After NAC has been removed during the disaster, businesses can go on with traditional network access.
If anyone has been in this situation, could you kindly share your insight and advice on how to achieve this?
Thanks and regards,
Sreng
06-06-2022 08:43 AM
>... businesses can go on with traditional network access.
This is not a normal deployment method and/or emergency action for ISE, meaning simply that in practice this is 'not done'. As for the phrase above, will business go on? I doubt it: what if legitimate network access is cracked during that period too? You put your business and business-critical information at risk, amongst other arguments.
M.
06-06-2022 08:59 AM
06-06-2022 08:53 AM
Hi
I'm looking at a similar solution for a "Critical Authentication" event in an IBNS 2.0 environment using TrustSec. An excerpt from the Identity Control Policy on the switches is below (entries in bold show what the policy is when AAA is unavailable). I'm testing this with an ACL applied on the uplink of the switch (this ACL drops all traffic to/from ISE to simulate ISE being unavailable).
It's working well, but I still have to consider that if ISE is totally unavailable, then:
Cisco TrustSec environment data will eventually time out and be lost from all the switches.
SXP connections will also be lost.
I'm looking at having vague/generic VLAN-assigned SGTs with local policies on the switches. When ISE is available, ISE SGT assignment and policy will take precedence over them, but if ISE fails, these SGTs and policies will become active.
hth
Andy
 event session-started match-all
  10 class always do-until-failure
   10 activate service-template PREAUTH
  20 class always do-until-failure
   20 authenticate using dot1x retries 3 retry-time 30 priority 10
 event authentication-failure match-first
  10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
   10 clear-authenticated-data-hosts-on-port
   30 activate service-template CRITICAL-SGT replace-all
   40 authorize
  20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
   10 pause reauthentication
   30 activate service-template CRITICAL-SGT replace-all
   40 authorize
  30 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 authentication-restart 65535
  40 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 authentication-restart 65535
  60 class always do-until-failure
   10 terminate dot1x
   30 authentication-restart 65535
 event agent-found match-all
  10 class always do-until-failure
   20 authenticate using dot1x retries 3 retry-time 30 priority 10
 event aaa-available match-all
  10 class always do-until-failure
   10 clear-session
06-06-2022 09:53 AM
Wired 802.1X you can use critical-auth-vlan or take a number of different actions when the RADIUS servers are down. For VPN, there is no concept of "fail-open". Even if it were possible, would you REALLY want to open your VPN inbound to the entire internet with zero authentication???
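As an added example that is not part of Andy's or JC's replies above (and not taken from any Cisco document), the following IOS-XE configuration supplies the pieces that the critical-authentication branches in Andy's policy excerpt depend on and that JC's critical-auth-VLAN suggestion needs for wired 802.1X: RADIUS dead-server detection so that the `AAA_SVR_DOWN_*` class maps can ever match, the class-map definitions themselves, and a `CRITICAL-SGT` service template that lands hosts in a restricted VLAN with a locally significant SGT and a constraining ACL rather than fully open access. The server address, shared secret, VLAN, SGT value, ACL contents and probe username are placeholders; the `sgt` keyword under `service-template` is assumed to be available on the switch platform in use.

```cisco
! RADIUS dead-server detection. A PSN is marked dead after 3 unanswered
! requests within a 5 second window and stays dead for 10 minutes. The
! automate-tester probe brings it back to "alive" without waiting for a
! real client, which then fires the aaa-available event in the policy.
radius server ISE-PSN1
 address ipv4 192.0.2.11 auth-port 1812 acct-port 1813
 key REPLACE-WITH-SHARED-SECRET
 automate-tester username radius-probe probe-on
!
aaa group server radius ISE
 server name ISE-PSN1
 deadtime 10
!
radius-server dead-criteria time 5 tries 3
!
! Class maps referenced by "event authentication-failure" in the policy.
! The aaa-timeout result is only produced once every server in the
! group is dead, so the critical branch never triggers on a single
! lost packet.
class-map type control subscriber match-all AAA_SVR_DOWN_AUTHD_HOST
 match result-type aaa-timeout
 match authorization-status authorized
!
class-map type control subscriber match-all AAA_SVR_DOWN_UNAUTHD_HOST
 match result-type aaa-timeout
 match authorization-status unauthorized
!
! Restricted access for hosts parked in critical authentication: only
! what the business needs during the outage, not fail-open. Entries are
! placeholders to be replaced with the real "must keep working" services.
ip access-list extended CRITICAL-ACL
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit tcp any 10.0.0.0 0.255.255.255 eq 443
 deny   ip any any
!
! Service template the policy activates with "replace-all" when AAA is
! unavailable. VLAN 900 and SGT 999 are placeholders; the SGT is meant to
! match a locally configured TrustSec policy on the switch so that
! enforcement continues after the ISE-learned environment data ages out.
service-template CRITICAL-SGT
 vlan 900
 sgt 999
 access-group CRITICAL-ACL
!
! Have the switch respond to EAPOL on critical-auth ports so supplicants
! do not stall while the servers are dead.
dot1x critical eapol
```

Two things to verify once this is in place: `show aaa servers` should report the PSN as DEAD while the uplink ACL is applied, and `show access-session interface <port> details` should then show the `CRITICAL-SGT` template applied to the session; when the ACL is removed and the probe succeeds, the `aaa-available` event with `clear-session` in the excerpt tears the session down so the host is re-authenticated against ISE, which keeps the critical template strictly temporary.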
07-18-2022 12:26 AM
We are looking at this same question for a client. We have found ISE to be a not completely robust solution, and recently lost both nodes. ISE is used for network access control for wired clients on Cisco switches. The impact of the client's network grinding to a halt is much larger than the security risk of bypassing ISE for a time. We are investigating the use of critical vlan.
07-18-2022 01:21 AM
>...and recently lost both nodes
Find out 1) why, 2) how, and 3) resolve it. It will also increase your knowledge for dealing with further ISE incidents and performing stronger ISE management (too). If ISE is being used, consider it business critical; that's a choice of IT and, according to me, a good one. Taking emergency solutions then becomes bad practice.
M.