08-09-2018 01:25 AM
Hi All,
If it should happen that something goes wrong and ISE can't authenticate devices on switch ports via 802.1x, what immediate actions could remove 802.1x from switches or allow all devices onto the network?
Best regards,
Michael
08-09-2018 02:06 AM
Hi,
In the event that the switch is unable to communicate with ISE, the switch will mark the radius servers as dead. If you have the interface level commands configured such as:-
authentication event server dead action authorize vlan 11
authentication event server dead action authorize voice
authentication event server alive action reinitialize
...existing authenticated sessions will continue, any new connections made will be authorized (data to vlan 11 (in this example) and voice).
HTH
08-09-2018 02:49 AM
Makes perfect sense if ISE fails. Thanks for the info.
08-09-2018 03:52 AM
09-06-2018 06:08 AM
I'm back on this topic.
I had a case where my switches were running with auth open, but the GPO that sets 802.1x on clients wasn't deployed yet. Testing a policy for MAB and guest portal, all the users failed dot1x, and then got to MAB. All the users got redirected to the portal.
Luckily this only happened to a handful of users, so the impact was limited. But if all 500+ users got hit, how would they recover?
09-06-2018 06:10 AM
If MAB is still working then ISE is still working, the outcome you saw is what is expected.
09-06-2018 06:15 AM
09-06-2018 06:31 AM
Your production switches should be in monitor mode, while in monitor mode you should have all results in your policy set to "permit access". This will allow you to test policy and ensure everyone is hitting the correct policy. Anyone hitting the wrong policy can then be fixed/remediated before going to enforcement mode where they can lose network access.
Working through a methodology of Monitor mode and moving to enforcement mode will help to alleviate any issue you may run across.
Also only test on a non production switch so you do not affect users.
09-06-2018 06:37 AM
I get what you're saying, and my switches are running in monitor mode. Despite the PermitAll at the end of every policy, users fail 802.1x, and then do MAB. Then the wired MAB -> redirect catches the request and sends the users off to the portal. Like you wrote before, this is expected.
09-06-2018 06:41 AM
If you are in monitor mode there should be no redirect setup. Can you share some screenshots of your policy?
09-06-2018 07:10 AM
I restricted the policy to only be applied to my desktop switch. NAS 192.168.2.25.
The GUEST_REGISTRATION is the redirect, and GUEST_PORTAL_ACCESS allows the users afterwards.
Let's just imagine that the certificate for dot1x expires and all wired endpoints are redirected to the portal. Then we change the certificate, and all endpoints need to trigger dot1x again?
09-06-2018 07:22 AM
You can change settings in ISE and build a policy to allow the authentication of expired certs. Then, when they go to authorization, you can give them limited access to renew their certs. This will avoid them being sent to the webauth portal.
09-06-2018 07:40 AM
The other option if you don't want to accept expired certs is you could profile these devices as AD domain joined devices using the AD profiler. This assumes they are AD domain joined. Then in your MAB rule you could give them enough access to renew certs.
09-06-2018 10:47 AM
With both solutions, clients will be allowed to renew their certificates, but will or can ISE trigger CoA when a new certificate is issued to the client? Or is it necessary to trigger dot1x on the port to process the client again?
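The switch-side pieces discussed in this thread, collected into one IOS configuration as an added example (not posted by anyone in the thread): RADIUS dead detection, the interface fail-open commands from the first answer, monitor mode (authentication open), and the CoA listener the switch needs before ISE can re-process a session without a port bounce. The server name, IP address 192.0.2.10, shared secret and VLAN numbers are placeholders.

```cisco
! Global: define ISE as a RADIUS server (address and key are placeholders)
aaa new-model
radius server ISE-PSN1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key PLACEHOLDER-SHARED-SECRET
!
aaa group server radius ISE-GROUP
 server name ISE-PSN1
aaa authentication dot1x default group ISE-GROUP
aaa authorization network default group ISE-GROUP
aaa accounting dot1x default start-stop group ISE-GROUP
!
! Declare the server dead after 3 unanswered requests within 5 seconds,
! keep it marked dead for 10 minutes, then probe again; when it answers,
! the "server alive action reinitialize" below re-runs authentication
radius-server dead-criteria time 5 tries 3
radius-server deadtime 10
!
! Accept Change of Authorization from ISE so a session can be
! re-processed (e.g. after an authorization change) without a port bounce
aaa server radius dynamic-author
 client 192.0.2.10 server-key PLACEHOLDER-SHARED-SECRET
!
dot1x system-auth-control
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 ! Monitor mode: traffic is forwarded regardless of the authentication result
 authentication open
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 ! Fail-open when ISE is unreachable (the commands from the first answer):
 ! new sessions are authorized into VLAN 11 and the voice VLAN
 authentication event server dead action authorize vlan 11
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
```

`show aaa servers` reports whether the switch currently considers ISE dead, and `show authentication sessions interface GigabitEthernet1/0/1 details` shows which method and action authorized each session.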
09-06-2018 10:54 AM