Showing results for 
Search instead for 
Did you mean: 
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.


ISE AAA Failures for 2960S Switches in Low Impact Mode


I'm sure this will have been answered somewhere before.

Please can someone let me know what the best practice is when using 2960S ports configured for low impact mode (PRE-AUTH ACL with basic access) which can no longer reach ISE PSN nodes.

With the restricted dACL, there is no way to overwrite it when the Servers are unavailable and thus the end point will have restricted access. We can't use EEM as it's not supported on the 2960's.

I have heard the only option is to remove the dACL, but that creates a security risk for a small time or is there another way i.e. some sort of Service Policy?? 

interface GigabitEthernetx/x/x

switchport access vlan 101

switchport mode access

switchport voice vlan 200

srr-queue bandwidth share 1 30 35 5

queue-set 2

priority-queue out

authentication event fail action next-method

authentication event server dead action authorize vlan 200

authentication event server alive action reinitialize

authentication host-mode multi-auth

authentication open

authentication order mab dot1x

authentication priority dot1x mab

authentication violation restrict


snmp trap mac-notification change added

mls qos trust cos

dot1x pae authenticator

dot1x timeout tx-period 10

auto qos trust

no mdix auto

no cdp enable

spanning-tree portfast


Thanks in advance.

Cisco Employee

I have faced this issue in

I have faced this issue in the past and have resolved it by one of the following:

1. Used Closed Mode instead of Low-Impact, thus removing the need for pre-auth-acl

2. Used eem-script (not applicable in your situation)

3. Made the pre-auth ACL less restrictive. Not ideal and not as secure but that way users were actually able to get some limited internal resources and access to HTTP/HTTPs so they can get to the internet

4. Utilized the Critical ACL on Failure feature (only available on converged access switches). Perhaps Cisco will bring this feature to regular switches as well:

I hope this helps!

Thank you for rating helpful posts!


Hi Neno.

Hi Neno.

Seems closed mode may have to be the way to go for my situation.

Thanks again Neno.

Rising star

I have also used most of the

I have also used most of the options that Neno mentions, however another one i figured out recently is using TCL and kron, since EEM is not supported. This will insert a permit ip any any in you acl if all your AAA servers are marked down, it will check once every minute.

Following is how i did it :

IOS Config :

kron policy-list checkradius
 cli tclsh radcheck.tcl
kron occurrence sched-checkradius in 1 recurring
 policy-list checkradius

Copy this contents below to a file called radcheck.tcl, you can change the acl name to fit your solution and tftp it to the switch flash.

--- starts here ----

set process_output [exec {show aaa servers | in State:}]

set rad1 [lindex [split $process_output "\n"] 0]
set rad2 [lindex [split $process_output "\n"] 1]

if { [regexp ".*(UP).*" $rad1] } {
puts up
set rad1status 1
} else {
 puts down
 set rad1status 0

if { [regexp ".*(UP).*" $rad2] } {
puts up
set rad2status 1
} else {
 puts down
 set rad2status 0

if {!$rad1status && !$rad2status} {
puts bothhdown
ios_config "ip access-list extended test" "1 permit ip any any"
} else {
puts atleastoneup
ios_config "ip access-list extended test" "no 1"

--- ends here ---



I'm not familiar with TCL or

I'm not familiar with TCL or Kron Jan.

When the script checks for the Radius Severs, what does it actually look for? Is it the syslog messages that are generated when they go down/up?


Rising star

The script runs the command

The script runs the command "show aaa servers" which will output the UP/DOWN state of each radius server configured, and looks to see if they are all down.