ISE 1.1.1 (Fallback to local Vlan if radius server is found to be dead) not working

Tabish Mirza
Level 1

We have configured the following commands on the switch to fall back to the local VLAN if both RADIUS servers (policy personas) are found dead. For test purposes we shut down both servers (policy personas), but the fallback didn't work. We have a 3750 switch running image 12.2(55)SE6 with the following configuration.

We do not know whether we configured the switch properly or whether we need to modify it.

aaa new-model
!
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting update periodic 5
aaa accounting auth-proxy default start-stop group radius
aaa accounting dot1x default start-stop group radius
aaa accounting system default start-stop group radius
!
aaa server radius dynamic-author
 client 10.10.10.10 server-key 7 12345678   (Policy Persona 1)
 client 10.10.10.11 server-key 7 12345678   (Policy Persona 2)
 server-key 7 12345678
!
ip device tracking
!
epm logging
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 30 tries 3
radius-server host 10.10.10.10 auth-port 1812 acct-port 1813 key 7 12345678   (Policy Persona 1)
radius-server host 10.10.10.11 auth-port 1812 acct-port 1813 key 7 12345678   (Policy Persona 2)
radius-server vsa send accounting
radius-server vsa send authentication

Port Configuration

interface GigabitEthernet0/1
 switchport access vlan 305
 switchport mode access
 ip access-group ACL-DEFAULT in
 authentication event fail action next-method
 authentication event server dead action reinitialize vlan 305
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication open
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
!

Please help....

Thanks


Todd Pula
Level 7

Was the test client on g0/1 previously authorized on this port prior to shutting down the PSNs? Or did you connect the client after taking the PSNs offline?

The client was connected on port gi0/1, but when we shut down both PSNs at the same time we did a shut and no shut on gi0/1. We tried the same exercise, a shut and no shut of gi0/1, a couple of times, but no luck.
My requirement is to fall back the user connected on gi0/1 to the local access VLAN if both RADIUS servers (PSNs) go down.
I suspect that I'm missing some switch commands.
Any suggestion, please.
Thanks

Can you post the config for the access-list "ACL-DEFAULT" that is applied on the interface? If you are using this ACL for "Low Impact" mode, then that would be the cause of your issue. If that is the case, remove the ACL and give it another try.

Hi Neno,

Many thanks indeed for your suggestion.

Here is the ACL-DEFAULT

ip access-list extended ACL-DEFAULT
 remark DHCP
 permit udp any eq bootpc any eq bootps
 remark DNS
 permit udp any any eq domain
 remark PXE/TFTP
 permit udp any any eq tftp
 remark Drop all the rest
 deny   ip any any log

I removed the ACL and tried. It works, but what will be the impact if I do not use ACL-DEFAULT on the interface?

Once the RADIUS server is alive, authentication should reinitialize (authentication event server alive action reinitialize), but it is not happening.

Waiting for response.

Thanks

Tabish-

The pre-auth ACL that you have on your port is used for what's called a "Low-Impact" mode type of setup. With Low-Impact mode you are allowing the services defined in the pre-auth ACL until the user/device is authenticated. Once authenticated, the pre-auth ACL gets replaced with the dACL/authorization policy that you have defined in the authorization profile. As a result, it is not possible to use the "fail-open" configuration with Low-Impact, as there is nothing to replace that pre-auth ACL since your NAD device(s) are unavailable.

If you want to use the "fail-open" features you will have to use "High Security/Closed Mode." In that mode you cannot utilize the pre-auth ACL, and essentially only EAPoL traffic is allowed on the port until authenticated.

For more info you should reference the TrustSec design guide located at:

http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html
