03-10-2015 03:56 PM - edited 03-10-2019 10:32 PM
Hi everyone,
I'm a beginner with Cisco ISE, and I have a very special case that may occur frequently in my situation ...
In the normal case, the client exchanges EAP messages with the switch, and the switch acts as a proxy server regarding the ISE server.
My special case is when the connectivity between ISE and the switch is lost; the easiest alternative is to redirect the client to the auth-fail VLAN, but this alternative is not productive (regarding our needs) ...
Are there any alternatives for this case of study? This is very urgent, please.
Thank you for your support.
03-10-2015 06:54 PM
The good news is that if your switches/NADs lose connectivity to ISE, the clients that are already connected typically are not impacted; however, any new users that are attempting to connect during the outage are impacted.
The 3 failover options for Catalyst switches are fail open, fail closed and fail to a specific VLAN.
03-11-2015 03:53 AM
Thanks Cehill for your answer,
For users already connected, how long are they going to stay connected? (Is there a timeout?) (Can I change this timeout if it exists?)
Thanks again.
03-11-2015 05:54 AM
Hello a.benhima,
You can change the timer or disable re-authentication.
Here is a link to another posting that discusses the authentication timer.
https://supportforums.cisco.com/discussion/11971961/ise-authentication-timers-issues
Hope this helps.
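The failover options and re-authentication timer discussed in this thread, as an added Catalyst IOS configuration example that is not part of the original posts. The interface name, VLAN IDs and timer values are constructed placeholders, and exact command availability depends on the switch platform and IOS release.

```cisco
! Added example; interface, VLAN IDs and timer values are constructed placeholders.
! Global: criteria for marking a RADIUS (ISE) server dead, and how long
! it stays marked dead before the switch tries it again (minutes).
radius-server dead-criteria time 5 tries 3
radius-server deadtime 10
!
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 dot1x pae authenticator
 !
 ! Fail closed: the default behaviour when no "server dead" action is
 ! configured. New sessions are denied while ISE is unreachable.
 !
 ! Fail to a specific VLAN (critical VLAN): new sessions are authorized
 ! into VLAN 100 while ISE is unreachable.
 authentication event server dead action authorize vlan 100
 !
 ! Fail open: the same command pointed at the normal access VLAN.
 ! Anyone who plugs in during the outage gets production access.
 ! authentication event server dead action authorize vlan 10
 !
 ! When ISE is reachable again, re-run authentication for sessions that
 ! were authorized by the "server dead" action.
 authentication event server alive action reinitialize
 !
 ! Auth-fail VLAN: used when ISE is reachable but rejects the client.
 ! It is a different event from "server dead".
 authentication event fail action authorize vlan 200
 !
 ! Re-authentication of already connected clients: every 3600 seconds.
 ! Use "authentication timer reauthenticate server" to take the value
 ! from the RADIUS Session-Timeout attribute, or "no authentication
 ! periodic" to disable re-authentication.
 authentication periodic
 authentication timer reauthenticate 3600
```

From a risk standpoint, the critical VLAN should carry only the access needed to keep working during an outage, since anything placed in it is reachable without authentication while ISE is down.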