Breakglass Procedure for Cisco ISE

sreng
Level 1

Hi Team,

I am thinking of coming up with plans and ideas to form a procedure for how we can disable the Network Access Control of Cisco ISE entirely (in my case, it is wired 802.1x and VPN integration with FTD) in the event of a disaster of every node in the deployment going down.

The idea here is that NAC would not be a block-point to businesses.
After NAC has been removed during the disaster, businesses can go on with traditional network access.


If anyone has been in this situation, could you kindly share your insight and advice on how to achieve this?


Thanks and regards,
Sreng

6 Replies

marce1000
VIP

>... businesses can go on with traditional network access.

This is not a normal deployment method and/or emergency action for ISE, meaning simply that in practice this is 'not done'. As for the phrase above: will business go on? Doubt it. What if legitimate network access is cracked during that period too? You put your business and business-critical information at risk, amongst other arguments.

 M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

Hi,

You can use the critical VLAN option. I have seen cases where people use EEM to deploy limited-access ACLs in case the RADIUS servers are down. This way they get limited access until ISE is restored (such as HTTP and HTTPS, DNS, DHCP, no LAN access, etc.).

But as mentioned in other posts, there is always a risk factor which you need to evaluate.

***** please remember to rate useful posts

andrewswanson
Level 7

Hi

I'm looking at a similar solution for a "Critical Authentication" event in an IBNS 2.0 environment using TrustSec. An excerpt from the Identity Control Policy on the switches is below (entries in bold show what the policy is when AAA is unavailable). I'm testing this with an ACL applied on the uplink of the switch (this ACL drops all traffic to/from ISE to simulate ISE being unavailable).

It's working well, but I still have to consider that if ISE is totally unavailable, then:

Cisco TrustSec environment data will eventually time out and be lost from all the switches.
SXP connections will also be lost.

 

I'm looking at having vague/generic VLAN assigned SGTs with local policies on the switches - when ISE is available, ISE SGT assignment and policy will take precedence over them. But if ISE fails, these SGTs and policies will become active.


hth
Andy


 event session-started match-all
  10 class always do-until-failure
   10 activate service-template PREAUTH
  20 class always do-until-failure
   20 authenticate using dot1x retries 3 retry-time 30 priority 10
 event authentication-failure match-first
  10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
   10 clear-authenticated-data-hosts-on-port
   30 activate service-template CRITICAL-SGT replace-all
   40 authorize
  20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
   10 pause reauthentication
   30 activate service-template CRITICAL-SGT replace-all
   40 authorize
  30 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 authentication-restart 65535
  40 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 authentication-restart 65535
  60 class always do-until-failure
   10 terminate dot1x
   30 authentication-restart 65535
 event agent-found match-all
  10 class always do-until-failure
   20 authenticate using dot1x retries 3 retry-time 30 priority 10
 event aaa-available match-all
  10 class always do-until-failure
   10 clear-session
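Added example, not from the thread or any poster: the supporting IOS-XE switch configuration that a policy like the excerpt above depends on, covering RADIUS dead detection (which is what makes the AAA_SVR_DOWN_* classes match), the limited-access ACL the earlier reply describes, and the CRITICAL-SGT service template itself. All names, the VLAN/SGT values and the policy-map name are assumptions; values in angle brackets are placeholders.

```ios
! Added example (not from the thread). Names, VLAN 999, SGT 999 and the
! policy-map name DOT1X-CRITICAL-POLICY are assumptions; <...> are placeholders.
!
! 1. Dead detection: AAA_SVR_DOWN_UNAUTHD_HOST / AAA_SVR_DOWN_AUTHD_HOST only
!    match after the RADIUS server group is marked dead. The probe user keeps
!    liveness checks running even when no real client is authenticating.
radius server ISE-PSN1
 address ipv4 <ISE_PSN_IP> auth-port 1812 acct-port 1813
 automate-tester username probe-user probe-on
 key <RADIUS_KEY>
!
radius-server dead-criteria time 10 tries 3
radius-server deadtime 15
!
aaa group server radius ISE-GROUP
 server name ISE-PSN1
!
! 2. "Limited access" while ISE is down: DHCP, DNS and HTTP/HTTPS only.
!    Everything else is denied and logged, so the outage window is visible
!    in syslog rather than silently open.
ip access-list extended CRITICAL-ACL
 permit udp any any eq bootps
 permit udp any any eq domain
 permit tcp any any eq www
 permit tcp any any eq 443
 deny   ip any any log
!
! 3. The template the AAA_SVR_DOWN_* classes activate with replace-all.
!    (The sgt keyword in a service template is assumed to be supported on
!    the platform in use.)
service-template CRITICAL-SGT
 description applied only while the RADIUS group is dead
 vlan 999
 sgt 999
 access-group CRITICAL-ACL
!
! 4. Access port: periodic reauthentication uses the server-supplied timer,
!    and "event aaa-available" + clear-session in the policy above forces a
!    fresh session once ISE returns, ending the break-glass state.
interface GigabitEthernet1/0/1
 switchport mode access
 access-session port-control auto
 access-session host-mode multi-auth
 dot1x pae authenticator
 authentication periodic
 authentication timer reauthenticate server
 service-policy type control subscriber DOT1X-CRITICAL-POLICY
```

Verify the transition with show access-session interface GigabitEthernet1/0/1 details (the active service template should switch to CRITICAL-SGT once the group is marked dead) and confirm in ISE's RADIUS live logs that sessions reauthenticate after recovery.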

For wired 802.1X you can use a critical-auth VLAN or take a number of different actions when the RADIUS servers are down. For VPN, there is no concept of "fail-open". Even if it were possible, would you REALLY want to open your VPN inbound to the entire internet with zero authentication???

jmcgrady1
Level 1

We are looking at this same question for a client. We have found ISE to be a not completely robust solution, and recently lost both nodes. ISE is used for network access control for wired clients on Cisco switches. The impact of the client's network grinding to a halt is much larger than the security risk of bypassing ISE for a time. We are investigating the use of critical vlan.

>...and recently lost both nodes

Find out 1) why, 2) how, and 3) resolve. It will also increase your knowledge to deal with further ISE incidents and perform stronger ISE management (too). If ISE is being used, consider it business critical; that's a choice of IT and according to me a good one. Taking emergency solutions then becomes bad practice.

 M.
