cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4831
Views
0
Helpful
3
Replies

Critical VLAN/"fail open" support when ISE PSN is unavailable

brian.k.clarke
Level 5
Level 5

This thread regards ISE operation (and options) where a policy node becomes unavailable - so, in the case of either a single standalone ISE appliance (no HA), or more often a PSN becoming unavailable due to a WAN failure to a remote branch. The intended design for the deployment in question would involve using downloadable ACLs (dACLs) to provide differentiated access, specifically:

- A default ACL would be configured on 802.1x switchports would allow "limited" access (possibly Internet-only, but TBD).

- Successful 802.1x authentication would require 1) validation of a corporate certificate on the endpoint, and 2) successful AD login. This would provision a dACL providing full access.

ISE provides the option to configure Inaccessible Authentication Bypass to support RADIUS unavailability when 802.1x is configured on switch ports, but I'm needing to confirm how this works when using dACLs instead of VLANs for differentiated access. Specifically, if IAB is configured so that 802.1x ports (maybe all of them if all ports at the branch need to be functional) get placed into a "critical VLAN", will this override the default ACL on the port, which would no longer be applicable to the new VLAN anyway?

Simply put - we need to configure the deployment so that all endpoints fail open and have full access in the event of ISE/RADIUS becoming unavailable. (There'll be no local RADIUS and/or AD server in the event of WAN failure.) This will need to work although the 802.1x authentication/authorization will be using dACLs to determine access.

Thank you

3 Replies 3

rodrigo.cisco
Level 4
Level 4

.

I have a similar set up i.e. Pre-auth ACL applied on each port which is overwritten by a 'permit ip any any' DACL from the ISE server if a device successfully authenticates.

 

My understanding is that if the ISE PSN nodes become unavailable then if a Critical Vlan has been configured then devices will be placed into that vlan, however, the pre-auth ACL will still apply. Hence, if the pre-auth ACL only allows limited network connectivity, then in the event of all the ISE PSN nodes being unreachable then the device will only get the connectivity you allow via the pre-auth ACL.

 

This is obviously quite undesirable and so when I raised this with TAC they suggested that I add an EEM script to each switch so that if the ISE PSN nodes become unavailable then the EEM script will kick in and add a "1 permit ip any any' at the top of the pre-auth ACL.

Venkatesh Attuluri
Cisco Employee
Cisco Employee

check the following links

https://supportforums.cisco.com/discussion/11866521/ise-node-failure-pre-auth-acl

https://supportforums.cisco.com/discussion/12424371/access-ise-server-dead