Cisco ISE auth alternatives

a.benhima
Level 1

Hi everyone,

I'm a beginner with Cisco ISE, and I have a very special case that may occur frequently in my situation ...

In the normal case, the client exchanges EAP messages with the switch, and the switch acts as a proxy server regarding the ISE server.

My special case is when the connectivity between ISE and the switch is lost. The easiest alternative is to redirect the client to the auth-fail VLAN, but this alternative is not productive (regarding our needs) ...

Are there any alternatives for this case of study? This is very urgent, please.

 

Thank you for your support.

3 Replies 3

Charles Hill
VIP Alumni

The good news is that if your switch/NADs lose connectivity to ISE, the clients that are already connected are typically not impacted; however, any new users that are attempting to connect during the outage are impacted.

The 3 failover options for Catalyst switches are fail open, fail closed and fail to a specific VLAN.


Thanks Cehill for your answer, 

 

For users already connected, how long are they going to stay connected? (Is there a timeout?) (Can I change this timeout if it exists?)

 

Thanks again.

Hello a.benhima,

You can change the timer or disable re-authentication.

Here is a link to another posting that discusses the authentication timer.

https://supportforums.cisco.com/discussion/11971961/ise-authentication-timers-issues

 

Hope this helps.
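
The following Catalyst IOS port configuration is an added example, not taken from any post in this thread; it shows where the fail-to-VLAN (critical VLAN) behaviour and the re-authentication timer mentioned above are set. The interface name, VLAN IDs and timer values are placeholder assumptions and must be adapted to the actual deployment.

```cisco
! Added example. Interface and VLAN numbers are constructed placeholders.
!
! Global: how the switch decides that the RADIUS server (ISE) is dead,
! and how long it waits (in minutes) before trying it again.
radius-server dead-criteria time 5 tries 3
radius-server deadtime 15
!
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 dot1x pae authenticator
 !
 ! ISE unreachable: authorize new sessions into a critical VLAN.
 !  - pointing this at a restricted VLAN is "fail to a specific VLAN"
 !  - pointing it at the normal access VLAN is effectively "fail open"
 !  - leaving the line out is "fail closed" (new sessions are refused)
 authentication event server dead action authorize vlan 20
 !
 ! When ISE is reachable again, re-run authentication for sessions
 ! that were placed in the critical VLAN during the outage.
 authentication event server alive action reinitialize
 !
 ! Auth-fail VLAN: used when authentication is attempted and fails
 ! (for example rejected credentials), not when the server is dead.
 authentication event fail action authorize vlan 30
 !
 ! Re-authentication of already connected clients.
 ! "server" takes the interval from ISE (RADIUS Session-Timeout);
 ! a fixed value in seconds can be given instead.
 authentication periodic
 authentication timer reauthenticate server
 !
 ! To disable periodic re-authentication on this port instead:
 ! no authentication periodic
```

A critical VLAN that grants normal access trades security for availability: during an ISE outage, any device plugged into the port is authorized without being authenticated, so a restricted VLAN with limited reachability is the safer choice where it meets the business need.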