09-05-2018 04:31 AM
My question is: if an ISE virtual appliance is running on a network and there are more than 300 users authenticated and authorized in ISE, what will be the impact on users if the ISE VM fails and there is no HA? Can users still connect and authenticate through 802.1X, or will they authenticate locally?
09-05-2018 04:55 AM
Hi,
You can configure the switch to authorise a connection into the data/voice VLAN when the RADIUS server is marked down; when the RADIUS server is back online it will then authorise the connection.
Global commands:
radius-server dead-criteria time 6 tries 5
radius-server deadtime 20
Interface level commands:
interface gigabitethernet 1/0/1
authentication event server dead action reinitialize vlan
authentication event server dead action authorize voice
authentication event server alive action reinitialize
HTH
09-05-2018 05:04 AM
This depends on whether you are running in open or closed mode. If you are in closed mode then RJI's solution will work. If you are in open mode with a pre-auth ACL then you also need to have an EEM script that will add a permit any any entry to the top of the pre-auth ACL.
Here is a sample EEM Script:
event manager applet default-acl-fallback
 event syslog pattern "%RADIUS-4-RADIUS_DEAD" maxrun 5
 action 1.0 cli command "enable"
 action 1.1 cli command "conf t" pattern "CNTL/Z."
 action 2.0 cli command "ip access-list extended PRE_AUTH"
 action 3.0 cli command "1 permit ip any any"
 action 4.0 cli command "end"
event manager applet default-acl-recovery
 event syslog pattern "%RADIUS-4-RADIUS_ALIVE" maxrun 5
 action 1.0 cli command "enable"
 action 1.1 cli command "conf t" pattern "CNTL/Z."
 action 2.0 cli command "ip access-list extended PRE_AUTH"
 action 3.0 cli command "no 1 permit ip any any"
 action 4.0 cli command "end"
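The two answers above describe what a switch needs before ISE goes away: the global dead-criteria/deadtime commands, a per-port "server dead" action (and an "alive" action to reinitialize), and, for low-impact ports, a pre-auth ACL that an EEM applet opens up on RADIUS_DEAD. The script below is an added example written for this page, not code from the thread or from Cisco: it audits a running-config for exactly those pieces and reports which 802.1X ports would strand users. It assumes the legacy global `radius-server dead-criteria` / `radius-server deadtime` form used in the answer (the newer `radius server NAME` block style is not checked), standard `show running-config` indentation, and that `authentication open` marks a low-impact port; the sample config and the finding codes (`no-dead-action`, `no-alive-action`, `no-preauth-acl`, `no-eem-fallback`) are my own.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample running-config for illustration (not captured from a real switch).
# Gi1/0/1 is a complete closed-mode port, Gi1/0/2 a complete low-impact port,
# Gi1/0/3 a low-impact port whose ACL no EEM applet opens and which lacks an alive action.
SAMPLE_CONFIG = """\
radius-server dead-criteria time 6 tries 5
radius-server deadtime 20
!
ip access-list extended PRE_AUTH
 permit udp any any eq bootps
 deny ip any any
!
event manager applet default-acl-fallback
 event syslog pattern "%RADIUS-4-RADIUS_DEAD" maxrun 5
 action 1.0 cli command "enable"
 action 1.1 cli command "conf t" pattern "CNTL/Z."
 action 2.0 cli command "ip access-list extended PRE_AUTH"
 action 3.0 cli command "1 permit ip any any"
 action 4.0 cli command "end"
!
interface GigabitEthernet1/0/1
 switchport access vlan 10
 authentication port-control auto
 authentication event server dead action reinitialize vlan 10
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 dot1x pae authenticator
!
interface GigabitEthernet1/0/2
 ip access-group PRE_AUTH in
 authentication open
 authentication port-control auto
 authentication event server dead action authorize vlan 10
 authentication event server alive action reinitialize
 dot1x pae authenticator
!
interface GigabitEthernet1/0/3
 ip access-group GUEST_PREAUTH in
 authentication open
 authentication port-control auto
 authentication event server dead action authorize vlan 10
 dot1x pae authenticator
!
interface GigabitEthernet1/0/24
 switchport mode trunk
"""

DOT1X_MARKERS = ("authentication port-control auto", "dot1x pae authenticator")


def parse_config(text: str) -> Dict[str, object]:
    """Split a running-config into top-level lines plus 'interface' and EEM applet blocks.
    A block starts at an unindented line and collects the indented lines that follow it."""
    top: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    applets: Dict[str, List[str]] = {}
    current: Optional[List[str]] = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
            continue
        if raw.startswith(" "):          # indented: belongs to the open block, if any
            if current is not None:
                current.append(raw.strip())
            continue
        line = raw.strip()
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1], [])
        elif line.startswith("event manager applet "):
            current = applets.setdefault(line.split()[3], [])
        else:
            current = None
            top.append(line)
    return {"top": top, "interfaces": interfaces, "applets": applets}


def eem_acl_fallbacks(applets: Dict[str, List[str]]) -> Set[str]:
    """Names of ACLs that some applet opens with 'N permit ip any any' when RADIUS_DEAD fires."""
    opened: Set[str] = set()
    for body in applets.values():
        joined = "\n".join(body)
        if "RADIUS_DEAD" not in joined:
            continue
        acl = re.search(r'ip access-list extended (\S+)"', joined)
        if acl and re.search(r'cli command "\d+ permit ip any any"', joined):
            opened.add(acl.group(1))
    return opened


def audit(text: str) -> Dict[str, object]:
    """Return global findings and, per 802.1X port, its mode and the fallback pieces it lacks."""
    cfg = parse_config(text)
    top: List[str] = cfg["top"]  # type: ignore[assignment]
    global_findings: List[str] = []
    if not any(l.startswith("radius-server dead-criteria") for l in top):
        global_findings.append("no-dead-criteria")
    if not any(l.startswith("radius-server deadtime") for l in top):
        global_findings.append("no-deadtime")
    opened_acls = eem_acl_fallbacks(cfg["applets"])  # type: ignore[arg-type]
    ports: Dict[str, Dict[str, object]] = {}
    for name, body in cfg["interfaces"].items():  # type: ignore[union-attr]
        if not any(m in body for m in DOT1X_MARKERS):
            continue                      # not an 802.1X port (uplinks etc.)
        mode = "low-impact" if "authentication open" in body else "closed"
        findings: List[str] = []
        if not any(l.startswith("authentication event server dead action") for l in body):
            findings.append("no-dead-action")
        if "authentication event server alive action reinitialize" not in body:
            findings.append("no-alive-action")
        if mode == "low-impact":          # pre-auth ACL must exist and be opened by EEM
            acl = next((l.split()[2] for l in body if l.startswith("ip access-group ")), None)
            if acl is None:
                findings.append("no-preauth-acl")
            elif acl not in opened_acls:
                findings.append("no-eem-fallback")
        ports[name] = {"mode": mode, "findings": findings}
    return {"global": global_findings, "interfaces": ports}


if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG)
    print("global:", report["global"] or "ok")
    for port, info in report["interfaces"].items():  # type: ignore[union-attr]
        print(f"{port}: {info['mode']}: {info['findings'] or 'ok'}")
```

Run it against `show running-config` output saved from each access switch; a port that shows `no-eem-fallback` is one where the pre-auth ACL would keep dropping traffic after RADIUS is marked dead even though the port itself authorizes the session.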
09-05-2018 05:11 AM
So it means there are 2 options to configure this (open and closed mode), and where is this ACL defined?
09-05-2018 05:17 AM - edited 09-05-2018 05:17 AM
Keep in mind all of this only applies to wired. If you lose ISE (any RADIUS server, for that matter), wireless will be down, as you cannot authenticate to the SSID without a RADIUS server.
Open and Closed refers to the mode in which you have authentication configured on your switch. Which way you have it configured depends on which solution you need to use.
The ACL is applied to each switch interface if you are using open mode. Please see the Wired Deployment guide: https://community.cisco.com/t5/security-documents/cisco-ise-wired-access-deployment-guide/ta-p/3641515
09-05-2018 05:08 AM - edited 09-05-2018 05:13 AM
09-05-2018 05:12 AM
Not within ISE. If ISE is down it can't offer any fail-open/fail-closed options. This is why we suggested the two solutions above that would be applied to your switches.
09-05-2018 05:18 AM
09-05-2018 05:23 AM
I said open previously and I meant Low Impact. Low Impact and Closed mode are the basis of a wired ISE deployment. To understand the differences and caveats of the two see page 15 of the guide I posted above.