1299 Views, 15 Helpful, 8 Replies

How will users be connected to the network if the ISE virtual appliance fails?

asd30110329
Level 1

My question is: if an ISE virtual appliance is running on a network and more than 300 users are authenticated and authorized through ISE, what is the impact on those users if the ISE VM fails? Suppose there is no HA. Can users still connect and authenticate through 802.1X, or will they authenticate locally?

2 Accepted Solutions

Hi,

 

You can configure the switch to authorise a connection into the data/voice VLAN when the RADIUS server is marked down; when the RADIUS server is back online, it will then authorise the connection.

 

Global commands:
 ! mark the RADIUS server dead after 6 seconds without a reply and 5 unanswered tries
 radius-server dead-criteria time 6 tries 5
 ! keep it marked dead for 20 minutes before trying it again
 radius-server deadtime 20

 

Interface level commands:

interface gigabitethernet 1/0/1
 ! data hosts are placed in this critical VLAN while RADIUS is dead; <vlan-id> is a placeholder for your data VLAN
 authentication event server dead action reinitialize vlan <vlan-id>
 ! phones are authorised into the voice VLAN while RADIUS is dead
 authentication event server dead action authorize voice
 ! re-authenticate the fallback hosts once RADIUS answers again
 authentication event server alive action reinitialize

HTH


Cory Peterson
Level 5

This depends on whether you are running in open or closed mode. If you are in closed mode, RJI's solution will work. If you are in open mode with a pre-auth ACL, you also need an EEM script that adds a permit-any-any entry to the top of the pre-auth ACL.

 

Here is a sample EEM Script:

! when the switch logs that the RADIUS server is dead, open the pre-auth ACL
event manager applet default-acl-fallback
 event syslog pattern "%RADIUS-4-RADIUS_DEAD" maxrun 5
 action 1.0 cli command "enable"
 action 1.1 cli command "conf t" pattern "CNTL/Z."
 action 2.0 cli command "ip access-list extended PRE_AUTH"
 ! sequence 1 puts the entry ahead of every existing line in PRE_AUTH
 action 3.0 cli command "1 permit ip any any"
 action 4.0 cli command "end"
! when the server is marked alive again, remove that entry so the ACL enforces once more
event manager applet default-acl-recovery
 event syslog pattern "%RADIUS-4-RADIUS_ALIVE" maxrun 5
 action 1.0 cli command "enable"
 action 1.1 cli command "conf t" pattern "CNTL/Z."
 action 2.0 cli command "ip access-list extended PRE_AUTH"
 action 3.0 cli command "no 1 permit ip any any"
 action 4.0 cli command "end"

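The two accepted answers give the switch-side pieces that must be present before an ISE outage is survivable: the global dead-criteria/deadtime, a server-dead action on every 802.1X port, and, for low-impact (open) ports, EEM applets that open and later restore the pre-auth ACL. The script below is an added example, not code from either poster; it audits a running-config text for exactly those pieces and reports each port that would fail closed. The sample config, interface names, VLAN 10 and the PRE_AUTH ACL name are constructed for the example.

```python
"""Audit an IOS running-config for a RADIUS-dead fallback on every 802.1X port."""
import re
from typing import Dict, List, Set, Tuple

Block = Tuple[str, List[str]]  # (top-level config line, its indented sub-lines)

# Constructed sample running-config (not captured from a real switch). Interface
# names, VLAN 10 and the PRE_AUTH ACL name are assumptions for the example.
SAMPLE_CONFIG = """\
radius-server dead-criteria time 6 tries 5
radius-server deadtime 20
!
ip access-list extended PRE_AUTH
 permit udp any any eq bootps
 deny ip any any
!
interface GigabitEthernet1/0/1
 authentication port-control auto
 authentication event server dead action reinitialize vlan 10
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
!
interface GigabitEthernet1/0/2
 ip access-group PRE_AUTH in
 authentication open
 authentication port-control auto
 authentication event server dead action authorize vlan 10
 authentication event server alive action reinitialize
!
interface GigabitEthernet1/0/3
 authentication port-control auto
!
event manager applet default-acl-fallback
 event syslog pattern "%RADIUS-4-RADIUS_DEAD" maxrun 5
 action 1.0 cli command "enable"
 action 1.1 cli command "conf t" pattern "CNTL/Z."
 action 2.0 cli command "ip access-list extended PRE_AUTH"
 action 3.0 cli command "1 permit ip any any"
 action 4.0 cli command "end"
"""


def parse_blocks(config: str) -> List[Block]:
    """Split IOS config into (top-level line, indented sub-lines) blocks; skip '!' and blanks."""
    blocks: List[Block] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        elif not raw.startswith(" "):
            blocks.append((raw.strip(), []))
    return blocks


def eem_acl_events(blocks: List[Block]) -> Dict[str, Set[str]]:
    """ACL name -> RADIUS syslog events (DEAD/ALIVE) on which some EEM applet edits it."""
    out: Dict[str, Set[str]] = {}
    for header, body in blocks:
        if not header.startswith("event manager applet "):
            continue
        events, acls = set(), set()
        for line in body:
            ev = re.search(r'event syslog pattern "%RADIUS-4-RADIUS_(DEAD|ALIVE)"', line)
            acl = re.search(r'cli command "ip access-list extended ([^"]+)"', line)
            if ev:
                events.add(ev.group(1))
            if acl:
                acls.add(acl.group(1))
        for name in acls:
            out.setdefault(name, set()).update(events)
    return out


def audit(config: str) -> List[str]:
    """Return one finding per missing fail-open piece; an empty list means every port survives."""
    blocks = parse_blocks(config)
    heads = [h for h, _ in blocks]
    findings: List[str] = []
    if not any(h.startswith("radius-server dead-criteria") for h in heads):
        findings.append("global: missing 'radius-server dead-criteria'; ISE is never marked dead")
    if not any(h.startswith("radius-server deadtime") for h in heads):
        findings.append("global: missing 'radius-server deadtime'; a dead server is retried on every request")
    applets = eem_acl_events(blocks)
    for header, body in blocks:
        if not header.startswith("interface ") or "authentication port-control auto" not in body:
            continue  # only ports actually enforcing 802.1X/MAB matter
        port = header.split(" ", 1)[1]
        if not any(l.startswith("authentication event server dead action") for l in body):
            findings.append(f"{port}: no 'server dead action'; new hosts are blocked while ISE is down")
        if "authentication event server alive action reinitialize" not in body:
            findings.append(f"{port}: no 'server alive action reinitialize'; fallback hosts are not re-authenticated when ISE returns")
        pre_auth = [m.group(1) for m in (re.match(r"ip access-group (\S+) in$", l) for l in body) if m]
        if "authentication open" in body and pre_auth:  # low-impact mode: the ACL must be opened by EEM
            for event in ("DEAD", "ALIVE"):
                if event not in applets.get(pre_auth[0], set()):
                    findings.append(f"{port}: low-impact port with pre-auth ACL {pre_auth[0]} but no EEM applet on RADIUS_{event}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, Gi1/0/1 (closed mode, full critical-auth config) is clean, Gi1/0/2 (low-impact) is flagged because only the fallback applet exists and nothing restores PRE_AUTH on RADIUS_ALIVE, and Gi1/0/3 is flagged twice because it has no dead or alive action at all. Paste the output of `show running-config` into `audit()` to run the same check on a real switch.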

8 Replies


So that means there are two options to configure this (open and closed mode). And where is this ACL defined?

Keep in mind all of this only applies to wired. If you lose ISE (any RADIUS server, for that matter), wireless will be down, as you cannot authenticate to the SSID without a RADIUS server.

 

Open and closed refer to the mode in which you have authentication configured on your switch. Which way you have it configured depends on which solution you need to use.

 

The ACL is applied to each switch interface if you are using open mode. Please see the Wired Deployment guide: https://community.cisco.com/t5/security-documents/cisco-ise-wired-access-deployment-guide/ta-p/3641515

asd30110329
Level 1

Not within ISE. If ISE is down, it can't offer any fail-open/close options. This is why we suggested the two solutions above, which are applied to your switches.

So that means there is no other option (other than open and closed mode) once my ISE VM is down. One of the two options must be defined in order to keep the users connected to the network.

I said open previously; I meant Low Impact. Low Impact and Closed mode are the basis of a wired ISE deployment. To understand the differences and caveats of the two, see page 15 of the guide I posted above.