
Bypass all endpoints in case all ISE Nodes are completely down

Da ICS16

Dear Community,

We have a 3-node deployment:

- PAN

- Secondary Node

- pxGrid Node

We use Cisco 9200 switches, which support a critical VLAN.

In case all ISE Nodes are completely down, how can new endpoint sessions be bypassed, and existing sessions stay alive and able to access internal systems and the internet?

We are concerned about endpoints that start a new session after all ISE Nodes are down.

Can the critical VLAN do this at the switch level?

Do we have another solution on ISE or elsewhere?

Thanks,


2 Accepted Solutions

@Da ICS16 Inaccessible Bypass or Critical Authentication will maintain existing authenticated sessions and authorise new sessions into a Critical VLAN if all AAA servers are down.

https://community.cisco.com/t5/security-knowledge-base/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515

https://integratingit.wordpress.com/2020/12/02/802-1x-critical-authentication/


If you use aaa event server dead authz vlan (critical), then any new endpoint will authenticate and be authorized into the critical VLAN.

And if you want the endpoint to re-authorize when the server is alive again,

the commands you need are two:

authentication event server dead action authorize vlan (critical)
authentication event server alive action reinitialize

All this config is on the switch, per interface.

MHM

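As an added example (not from the thread or from Cisco), a small Python audit that reads a saved running-config and flags 802.1X ports missing either of the two per-interface commands above, so a gap in critical-auth coverage shows up before the AAA servers do go down. The config excerpt, interface names and VLAN id 99 are constructed sample data.

```python
import re
# Constructed running-config excerpt (sample data, not taken from a real switch).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 authentication port-control auto
 authentication event server dead action authorize vlan 99
 authentication event server alive action reinitialize
!
interface GigabitEthernet1/0/2
 authentication port-control auto
!
interface GigabitEthernet1/0/3
 authentication port-control auto
 authentication event server dead action authorize vlan 99
!
"""

DEAD_RE = re.compile(r"^authentication event server dead action authorize vlan (\d+)$")
ALIVE_CMD = "authentication event server alive action reinitialize"

def parse_interfaces(config):
    """Return {interface name: [stripped config lines]} for each interface block."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line.startswith("!"):
            current = None
        elif current is not None:
            blocks[current].append(line.strip())
    return blocks

def audit_critical_auth(config):
    """Per 802.1X port: critical VLAN id from the 'server dead' command (None if
    missing) and whether the 'server alive ... reinitialize' command is present."""
    report = {}
    for name, lines in parse_interfaces(config).items():
        if "authentication port-control auto" not in lines:
            continue  # no 802.1X on this port, so critical auth does not apply
        vlans = [int(m.group(1)) for m in map(DEAD_RE.match, lines) if m]
        report[name] = {"dead_vlan": vlans[0] if vlans else None,
                        "alive_reinit": ALIVE_CMD in lines}
    return report

def noncompliant(config):
    """802.1X ports missing either of the two critical-auth commands."""
    return sorted(n for n, r in audit_critical_auth(config).items()
                  if r["dead_vlan"] is None or not r["alive_reinit"])
```

Run it against the output of `show running-config` saved to a file; Gi1/0/2 and Gi1/0/3 in the sample are reported because the first has neither command and the second lacks the alive/reinitialize line.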

4 Replies

marce1000

- This is not a realistic requirement; the ISE will never be down in a realistic environment, except for 'global' networking calamities.

 M,


-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '
