
ISE AAA Failures for 2960S Switches in Low Impact Mode

Hi,

I'm sure this will have been answered somewhere before.

Please can someone let me know what the best practice is when using 2960S ports configured for low impact mode (PRE-AUTH ACL with basic access) which can no longer reach ISE PSN nodes.

With the restricted dACL, there is no way to overwrite it when the servers are unavailable, and thus the endpoint will have restricted access. We can't use EEM as it's not supported on the 2960s.

I have heard the only option is to remove the dACL, but that creates a security risk for a small time. Or is there another way, i.e. some sort of Service Policy?

interface GigabitEthernetx/x/x
 switchport access vlan 101
 switchport mode access
 switchport voice vlan 200
 srr-queue bandwidth share 1 30 35 5
 queue-set 2
 priority-queue out
 authentication event fail action next-method
 authentication event server dead action authorize vlan 200
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication open
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication violation restrict
 mab
 snmp trap mac-notification change added
 mls qos trust cos
 dot1x pae authenticator
 dot1x timeout tx-period 10
 auto qos trust
 no mdix auto
 no cdp enable
 spanning-tree portfast
!

Thanks in advance.

5 Replies

nspasov
Cisco Employee

I have faced this issue in the past and have resolved it by one of the following:

1. Used Closed Mode instead of Low-Impact, thus removing the need for a pre-auth ACL

2. Used eem-script (not applicable in your situation)

3. Made the pre-auth ACL less restrictive. Not ideal and not as secure, but that way users were actually able to get some limited internal resources and access to HTTP/HTTPS so they could get to the internet

4. Utilized the Critical ACL on Failure feature (only available on converged access switches). Perhaps Cisco will bring this feature to regular switches as well:

http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-services/whitepaper_C11-729965.html#_Toc404649488

I hope this helps!

Thank you for rating helpful posts!

Hi Neno.

Seems closed mode may have to be the way to go for my situation.

Thanks again Neno.

jan.nielsen
Level 7

I have also used most of the options that Neno mentions; however, another one I figured out recently is using TCL and kron, since EEM is not supported. This will insert a permit ip any any in your ACL if all your AAA servers are marked down; it will check once every minute.

Following is how I did it:

IOS config:

kron policy-list checkradius
 cli tclsh radcheck.tcl
!
kron occurrence sched-checkradius in 1 recurring
 policy-list checkradius

Copy the contents below to a file called radcheck.tcl (you can change the ACL name to fit your solution) and TFTP it to the switch flash.

--- starts here ----

# radcheck.tcl: run by kron via "tclsh radcheck.tcl"; the "tclsh" exec
# keyword itself must not be inside the script file
set process_output [exec {show aaa servers | in State:}]

# Assumes exactly two RADIUS servers, i.e. one "State:" line each
set rad1 [lindex [split $process_output "\n"] 0]
set rad2 [lindex [split $process_output "\n"] 1]

if { [regexp ".*(UP).*" $rad1] } {
  puts up
  set rad1status 1
} else {
  puts down
  set rad1status 0
}

if { [regexp ".*(UP).*" $rad2] } {
  puts up
  set rad2status 1
} else {
  puts down
  set rad2status 0
}

if {!$rad1status && !$rad2status} {
  puts bothdown
  # Both servers dead: open the pre-auth ACL with a sequence-1 permit
  # (replace "test" with the name of your ACL)
  ios_config "ip access-list extended test" "1 permit ip any any"
} else {
  puts atleastoneup
  # At least one server is back: remove the sequence-1 permit again
  ios_config "ip access-list extended test" "no 1"
}

--- ends here ---

Jan

I'm not familiar with TCL or Kron, Jan.

When the script checks for the RADIUS servers, what does it actually look for? Is it the syslog messages that are generated when they go down/up?

Thanks.

The script runs the command "show aaa servers" which will output the UP/DOWN state of each radius server configured, and looks to see if they are all down.
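To make the check Jan's script performs concrete, here is an added example (not from the thread or from Cisco) that applies the same decision logic to "show aaa servers" output in Python, so it can be run and tested off the switch; the sample output below is constructed to approximate the IOS "State: current UP/DEAD" line format and is not real switch output, and the ACL name PRE-AUTH-ACL is an assumed placeholder. It goes a little beyond the Tcl script: it handles any number of servers rather than the first two, and it fails closed (does not open the ACL) when no State: lines could be parsed at all, so a change in command output can never open the port by accident.

```python
import re

# Constructed sample of "show aaa servers | in State:"-style output with
# both servers dead (made up for this example; not captured from a switch).
SAMPLE_ALL_DEAD = """\
RADIUS: id 1, priority 1, host 192.0.2.10, auth-port 1812, acct-port 1813
     State: current DEAD, duration 120s, previous duration 86400s
RADIUS: id 2, priority 2, host 192.0.2.11, auth-port 1812, acct-port 1813
     State: current DEAD, duration 95s, previous duration 86400s
"""

# Same shape, but the second server is still reachable.
SAMPLE_ONE_UP = """\
RADIUS: id 1, priority 1, host 192.0.2.10, auth-port 1812, acct-port 1813
     State: current DEAD, duration 120s, previous duration 86400s
RADIUS: id 2, priority 2, host 192.0.2.11, auth-port 1812, acct-port 1813
     State: current UP, duration 86400s, previous duration 0s
"""

# Match only the state word that follows "State: current", rather than
# "UP" anywhere on the line, so a hostname or counter cannot fool the check.
STATE_RE = re.compile(r"^\s*State:\s+current\s+(\w+)", re.MULTILINE)


def server_states(show_output):
    """Return the per-server states in display order, e.g. ['DEAD', 'UP']."""
    return [m.group(1).upper() for m in STATE_RE.finditer(show_output)]


def all_servers_dead(show_output):
    """True only if at least one server was parsed and none of them is UP.

    Zero parsed servers means the output was not understood; treat that as
    'not all dead' so a parsing failure never opens the pre-auth ACL.
    """
    states = server_states(show_output)
    return bool(states) and not any(s == "UP" for s in states)


def acl_commands(show_output, acl_name="PRE-AUTH-ACL"):
    """Config lines the kron job would push for this poll.

    acl_name is an assumed placeholder; use the name of your own ACL.
    While every server is dead, insert a sequence-1 permit at the top of the
    ACL; once any server is back, remove that entry again.
    """
    if all_servers_dead(show_output):
        return [f"ip access-list extended {acl_name}", "1 permit ip any any"]
    return [f"ip access-list extended {acl_name}", "no 1"]


if __name__ == "__main__":
    for label, sample in (("all dead", SAMPLE_ALL_DEAD), ("one up", SAMPLE_ONE_UP)):
        print(label, server_states(sample), acl_commands(sample))
```

The two things worth carrying back to the Tcl version are the anchored regular expression (only the word after "State: current" counts) and the fail-closed branch for unparsed output; the rest is the same permit/no-permit toggle that Jan's script pushes with ios_config.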