Fail Open for Complete ISE Deployment

scamarda
Cisco Employee

Have a customer that had a policy change that caused many users to get locked out. Management is nervous about the future of ISE and has asked the IT staff what is the "Shiny Red Button" that can be implemented to disable ISE policy for all users. We talked about blocking the ISE fail open on the switch, creating a "permit ip any any" type of policy rule, and bulk setting all switch ports to authentication open. The challenge we think we will have is we need to do a mass CoA on all affected sessions or an automated shut/no shut on switch ports to restart the affected sessions.

 

Is there a better way to go about doing this? Understand that failing open the secure environment is not the optimal thing to do, but management needs an answer for the scenario/question.

 

Accepted Solution

howon
Cisco Employee

I would challenge that a good policy approval workflow should be in place first instead, to prevent such an incident. ISE supports monitor mode for policies, so you can create new policies and see that the policy is matching as expected prior to enabling it. You can combine it with the session trace tool on ISE to run through a few use cases without having to test with real clients. In general, when mistakes are made with policies, they do not affect all users at the same time; rather, they impact newly connecting users. So you should also couple this with monitoring the authentication logs to make sure the policy is applied properly.

 

But, to answer your question, the easiest I can think of is to use a fail open policy on the switch for when none of the ISE nodes are available. And when ISE policy is suspected of causing issues, simply block access from the NADs to ISE to simulate an ISE failure. Since fail open is used, the ports should allow all access.

 

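The switch-side fail open the accepted answer relies on, as an added example that is not from the original post or from Cisco documentation: RADIUS dead-server detection plus critical authentication on a Catalyst access port. The IOS-XE syntax, the 192.0.2.x addresses, VLAN 100, the server names and the shared secret are all placeholders/assumptions.

```text
! Assumed IOS-XE access switch; every address, name and VLAN below is a placeholder.
!
! Define the ISE PSNs and probe them, so the switch notices a dead server
! without waiting for a real user authentication to time out.
radius server ISE-PSN-1
 address ipv4 192.0.2.11 auth-port 1812 acct-port 1813
 key <RADIUS-SHARED-SECRET>
 automate-tester username radius-probe probe-on
!
radius server ISE-PSN-2
 address ipv4 192.0.2.12 auth-port 1812 acct-port 1813
 key <RADIUS-SHARED-SECRET>
 automate-tester username radius-probe probe-on
!
aaa group server radius ISE-GROUP
 server name ISE-PSN-1
 server name ISE-PSN-2
!
! Declare a server dead after 10 s / 3 unanswered requests and keep it dead
! for 15 minutes, so ports fall back consistently instead of flapping.
radius-server dead-criteria time 10 tries 3
radius-server deadtime 15
!
! Let 802.1X supplicants past the EAPoL exchange when no server can answer.
dot1x critical eapol
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 100
 authentication host-mode multi-auth
 authentication port-control auto
 ! Fail open: with every ISE node dead, authorize new sessions into the
 ! access VLAN (and the voice VLAN) instead of leaving the port unauthorized.
 authentication event server dead action authorize vlan 100
 authentication event server dead action authorize voice
 ! When ISE answers again, reinitialize so sessions re-authenticate
 ! against the corrected policy rather than staying in the critical VLAN.
 authentication event server alive action reinitialize
 mab
 dot1x pae authenticator
```

Note that the dead-server action only applies to sessions that authenticate while the servers are marked dead; sessions already holding a restrictive authorization keep it until they are reset, which is exactly why the question above anticipates a mass CoA or shut/no shut. Exercise this path in a maintenance window before relying on it, and watch `show authentication sessions` and the ISE live logs to confirm ports actually land in the critical VLAN.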