How to fail open from a failed AD connection from ISE on a switch

gvanbon
Cisco Employee

Hi,


When a switch does not get an answer from ISE, the ISE server is declared dead and the switch can decide to put the client into a critical VLAN.

But this does not happen when ISE is alive, but the backend AD is not reachable.

The authentications will fail and the switch will not invoke the critical VLAN.

It is possible to implement a RADIUS test with an AD username. That will declare the ISE server dead.

But I do not think that you should do these RADIUS tests on every switch, and certainly not very frequently.

Is there a best practice on how to cope with this failure scenario?

Thanks

2 Replies

hslai
Cisco Employee

Are you not seeing the same failure reasons for the non-automatic and the automatic authentication attempts? If they are exactly the same, then we need to continue this discussion with the switch platform teams. When AD is not available, the authentications should result in process failures and ISE should drop the requests and not respond back to the switch. When the switch does not get responses, it should treat ISE as if it were dead.

Demystifying RADIUS Server Configurations - Cisco might be useful, in case you have not read it.

Also refer to Cisco Live session BRKSEC-3699, where this topic is covered in the reference version of that presentation deck. Yes, you can use either local or external accounts based on the end goal. Realize that use of an AD account can cause the system to fail over to another server even if all other services are up. It really depends on what you are trying to accomplish while understanding the implications of the policy decision.

How ISE handles AD issues can be set in the Identity Sequence, as well as how ISE treats process failures. By default we drop, but that too is customizable. From the switch perspective, a drop may or may not be treated the same as an auth failure. Some NADs will treat an auth failure as a valid response and not fail over to another RADIUS server. A drop should consistently be treated as a RADIUS server failure.
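The two mechanisms discussed in this thread (the RADIUS test probe with a local or AD account, and the switch's dead-server criteria that drive the critical VLAN) look like this on a Cisco IOS-XE switch. This is an added example, not configuration from the original question or either reply; the server name, address, shared secret, test username, VLAN number and timer values are assumptions to be adapted to your environment.

```ios
! Added example, not from the original post. Names, addresses, the test
! username, the VLAN and all timer values are assumptions.

! --- Global RADIUS server definition ---
radius server ISE-PSN1
 address ipv4 10.1.1.10 auth-port 1812 acct-port 1813
 key <shared-secret>
 timeout 5
 retransmit 3
 ! Automated test probe: the switch periodically sends an Access-Request
 ! for this user (default idle-time is 60 minutes, so it stays infrequent).
 ! probe-on keeps probing even while the server is marked alive.
 ! If radius-test is an AD account, an AD outage makes the probe go
 ! unanswered (ISE drops on process failure by default), so the switch
 ! fails over even though ISE itself is healthy, which is the trade-off
 ! described in the reply above. If it is an ISE internal user, only a
 ! real ISE outage trips the probe.
 automate-tester username radius-test probe-on

! Dead criteria: a server is marked dead after 3 unanswered tries within
! 10 seconds. Only missing replies count; an Access-Reject is a valid
! response and keeps the server alive.
radius-server dead-criteria time 10 tries 3
! Leave the server marked dead for 15 minutes before trying it again.
radius-server deadtime 15

! --- Per-port fail-open (critical VLAN) behaviour ---
interface GigabitEthernet1/0/1
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
 mab
 ! All RADIUS servers dead: authorize the port into the critical VLAN.
 authentication event server dead action authorize vlan 99
 ! A server comes back: re-initialize the session so it gets a real policy.
 authentication event server alive action reinitialize
```

The choice of test account is the policy decision the replies point at: the probe only reproduces the AD failure if the switch sees no response, so check with `show aaa servers` (or `debug radius`) whether the test request is dropped or rejected during an AD outage before relying on it to trigger the critical VLAN.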