06-05-2013 08:30 AM - edited 03-10-2019 08:30 PM
I'm just playing about with ISE 1.1.4 and critical auth, but I have a fairly locked down default access list on the ports. Is there any way of overriding a very restrictive default access list in the event of a critical auth situation?
It seems like if you're reliant on dACLs to provide access for devices (from closed mode or similar) that the critical auth is not a viable option?
Or have I misunderstood, and maybe "authentication event server dead action authorize voice" does more than I'm expecting.
I suppose I'm searching for something like "authentication event server dead action access-list less-restrictiveACL"
Thanks,
Gaz
06-05-2013 11:05 AM
Why not flip it on its head and have your less-restrictive-ACL as the default, and impose the more restrictive things via dACL?
06-05-2013 11:29 AM
Yeah, considered that, just leaves things a bit open until auth is completed. Not a massive threat but "tangible" as the bullsh1t bingo crew would say :-)
Sent from Cisco Technical Support iPhone App
06-05-2013 12:43 PM
Not really, if you're doing .1X then the ACL doesn't come into life until after 1X has been completed...
Sent from Cisco Technical Support iPhone App
06-05-2013 03:49 PM
See your point. So for closed mode I'm happy that I don't really need any control at all in my default ACL.
If I'm working in low impact mode, so open auth and a fairly tight default access list, if my ISE server falls over, I'm stuck with the restrictions of my default ACL.
If on the other hand, in low impact mode I'm worried about my ISE falling over, so I have a slack default access list; if a client doesn't have dot1x, they will have 45 seconds or so until dot1x fails over to MAB, where they can take advantage of my slack access list. Then they get a dACL applied (or whatever MAB gets them to).
I'm guessing, if I'm worried about ISE dying I need to be in closed mode so that it can fail open.
Phew... Make any sense?
Sent from Cisco Technical Support iPhone App
06-05-2013 11:46 PM
That does make sense, yes.
What you could also do is:
Get rid of the default ACL
Change the default VLAN to a semi-isolated network segment to keep your security paranoid guys happy
Use CoA from ISE to assign all VLANs, regardless of MAB or 1X auth
In the event of a failure, fail open to a different VLAN that has the amount of access you need.
08-20-2013 11:38 PM
One method I use to fail-open if all your PSNs are unavailable is to use the EEM to monitor the switch syslog.
This script inserts a "permit ip any any" on your first line of the default acl.
Hope this helps.
! Applet 1: when the switch declares every RADIUS server dead, open ACL-DEFAULT
! by inserting "permit ip any any" at sequence 1, ahead of every existing entry
event manager applet default-acl-fallback
 event syslog pattern "%RADIUS-3-ALLDEADSERVER" maxrun 5
 action 1.0 cli command "enable"
 action 1.1 cli command "conf t" pattern "CNTL/Z."
 action 2.0 cli command "ip access-list extended ACL-DEFAULT"
 action 3.0 cli command "1 permit ip any any"
 action 4.0 cli command "end"
!
! Applet 2: once a RADIUS server answers again, remove that entry so the
! restrictive default ACL is back in force
event manager applet default-acl-recovery
 event syslog pattern "%RADIUS-4-RADIUS_ALIVE" maxrun 5
 action 1.0 cli command "enable"
 action 1.1 cli command "conf t" pattern "CNTL/Z."
 action 2.0 cli command "ip access-list extended ACL-DEFAULT"
 action 3.0 cli command "no 1 permit ip any any"
 action 4.0 cli command "end"
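Pulling together Gaz's open-vs-closed reasoning (a closed-mode port can fail open through critical auth, an open-mode port stays stuck behind its static port ACL), the VLAN-based suggestion, and the EEM applet above: the following is a small config audit written for this thread as an added example, not code from any poster or from Cisco. It parses an IOS-style running config and flags three gaps discussed here: closed-mode ports with no server-dead action, open-mode ports whose restrictive port ACL nothing rewrites when all RADIUS servers are dead, and missing dead-detection commands. The embedded config is a constructed sample (interface names, ACL names and VLAN 999 are made up; its applet is a cut-down copy of the one above). Two assumptions are baked in: a static port ACL stays in force when a port is moved to the critical VLAN, and the deadtime check follows the IOS critical-authentication guidance that configures both dead-criteria and deadtime.

```python
"""Audit an IOS-style switch config for the 802.1X 'RADIUS is dead' gaps from the thread."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "scope code message")

# Constructed sample (not from the thread); the applet keeps only the lines audited here.
SAMPLE_CONFIG = """\
radius-server dead-criteria time 5 tries 3
ip access-list extended ACL-DEFAULT
 permit udp any eq bootpc any eq bootps
 deny ip any any
ip access-list extended ACL-PRINTERS
 permit tcp any any eq 9100
 deny ip any any
event manager applet default-acl-fallback
 event syslog pattern "%RADIUS-3-ALLDEADSERVER" maxrun 5
 action 2.0 cli command "ip access-list extended ACL-DEFAULT"
 action 3.0 cli command "1 permit ip any any"
interface GigabitEthernet1/0/1
 description open mode, ACL-DEFAULT rewritten by the applet
 authentication open
 authentication port-control auto
 ip access-group ACL-DEFAULT in
interface GigabitEthernet1/0/2
 description open mode, ACL-PRINTERS has no fallback
 authentication open
 authentication port-control auto
 ip access-group ACL-PRINTERS in
interface GigabitEthernet1/0/3
 description closed mode, no server-dead action
 authentication port-control auto
interface GigabitEthernet1/0/4
 description closed mode, fails open into critical VLAN 999
 authentication port-control auto
 authentication event server dead action authorize vlan 999
 authentication event server alive action reinitialize
"""


def parse_stanzas(config):
    """Map each top-level config line to its indented child lines ('!' ends a stanza)."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        elif not raw.startswith(" "):
            current = raw.strip()
            stanzas[current] = []
    return stanzas


def acl_is_restrictive(entries):
    """Without an explicit 'permit ip any any' the ACL ends in the implicit deny."""
    return not any(re.match(r"(\d+\s+)?permit ip any any$", e) for e in entries)


def eem_covered_acls(stanzas):
    """ACLs edited by an EEM applet that fires on %RADIUS-3-ALLDEADSERVER."""
    covered = set()
    for header, body in stanzas.items():
        if header.startswith("event manager applet") and any(
                "event syslog" in l and "ALLDEADSERVER" in l for l in body):
            covered.update(re.findall(r"ip access-list (?:extended|standard) ([\w-]+)", " ".join(body)))
    return covered


def audit(config):
    stanzas = parse_stanzas(config)
    findings = []
    # Critical auth only fires once the switch marks servers dead; IOS guidance
    # configures both dead-criteria and deadtime for that (assumption stated above).
    for cmd, code in (("radius-server dead-criteria", "NO_DEAD_CRITERIA"),
                      ("radius-server deadtime", "NO_DEADTIME")):
        if not any(h.startswith(cmd) for h in stanzas):
            findings.append(Finding("global", code, f"'{cmd}' not configured"))
    acls = {h.split()[-1]: b for h, b in stanzas.items() if h.startswith("ip access-list")}
    covered = eem_covered_acls(stanzas)
    for header, body in stanzas.items():
        if not header.startswith("interface ") or "authentication port-control auto" not in body:
            continue
        name = header.split(None, 1)[1]
        is_open = "authentication open" in body
        dead_action = any(l.startswith("authentication event server dead action") for l in body)
        acl = next((l.split()[2] for l in body if l.startswith("ip access-group ")), None)
        if not is_open and not dead_action:
            findings.append(Finding(name, "FAILS_CLOSED",
                                    "closed mode and no 'authentication event server dead action'"))
        # A critical VLAN does not lift a static port ACL, so in open mode only a
        # rewrite of the ACL itself (the EEM applet here) counts as a fallback.
        if is_open and acl in acls and acl_is_restrictive(acls[acl]) and acl not in covered:
            findings.append(Finding(name, "STUCK_ON_PORT_ACL",
                                    f"open mode keeps restrictive port ACL {acl} while RADIUS is dead"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"{f.scope:22} {f.code:18} {f.message}")
```

Run against the sample it reports one global finding (no radius-server deadtime), GigabitEthernet1/0/2 as stuck on ACL-PRINTERS, and GigabitEthernet1/0/3 as failing closed; 1/0/1 is clean because the applet rewrites ACL-DEFAULT, and 1/0/4 is clean because it fails open into the critical VLAN. Feed it the output of show running-config to check a real switch.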