Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4393
Views
0
Helpful
3
Replies

Critical VLAN/"fail open" support when ISE PSN is unavailable

brian.k.clarke
Level 5
Level 5

‎01-05-2014 04:51 PM - edited ‎03-10-2019 09:14 PM

This thread regards ISE operation (and options) where a policy node becomes unavailable - so, in the case of either a single standalone ISE appliance (no HA), or more often a PSN becoming unavailable due to a WAN failure to a remote branch. The intended design for the deployment in question would involve using downloadable ACLs (dACLs) to provide differentiated access, specifically:

- A default ACL would be configured on 802.1x switchports would allow "limited" access (possibly Internet-only, but TBD).

- Successful 802.1x authentication would require 1) validation of a corporate certificate on the endpoint, and 2) successful AD login. This would provision a dACL providing full access.

ISE provides the option to configure Inaccessible Authentication Bypass to support RADIUS unavailability when 802.1x is configured on switch ports, but I'm needing to confirm how this works when using dACLs instead of VLANs for differentiated access. Specifically, if IAB is configured so that 802.1x ports (maybe all of them if all ports at the branch need to be functional) get placed into a "critical VLAN", will this override the default ACL on the port, which would no longer be applicable to the new VLAN anyway?

Simply put - we need to configure the deployment so that all endpoints fail open and have full access in the event of ISE/RADIUS becoming unavailable. (There'll be no local RADIUS and/or AD server in the event of WAN failure.) This will need to work although the 802.1x authentication/authorization will be using dACLs to determine access.

Thank you

3 people had this problem
Labels:
0 Helpful
3 Replies 3

rodrigo.cisco
Level 4
Level 4

‎03-05-2015 07:07 PM

.

0 Helpful

inayatbunglawala1
Level 1
Level 1

‎03-06-2015 05:51 AM

I have a similar set up i.e. Pre-auth ACL applied on each port which is overwritten by a 'permit ip any any' DACL from the ISE server if a device successfully authenticates.

 

My understanding is that if the ISE PSN nodes become unavailable then if a Critical Vlan has been configured then devices will be placed into that vlan, however, the pre-auth ACL will still apply. Hence, if the pre-auth ACL only allows limited network connectivity, then in the event of all the ISE PSN nodes being unreachable then the device will only get the connectivity you allow via the pre-auth ACL.

 

This is obviously quite undesirable and so when I raised this with TAC they suggested that I add an EEM script to each switch so that if the ISE PSN nodes become unavailable then the EEM script will kick in and add a "1 permit ip any any' at the top of the pre-auth ACL.

0 Helpful

Venkatesh Attuluri
Cisco Employee
Cisco Employee

‎03-18-2015 03:48 AM

check the following links

https://supportforums.cisco.com/discussion/11866521/ise-node-failure-pre-auth-acl

https://supportforums.cisco.com/discussion/12424371/access-ise-server-dead

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents