02-23-2016 02:28 AM - edited 03-10-2019 11:30 PM
Hi,
I'm sure this will have been answered somewhere before.
Please can someone let me know what the best practice is when using 2960S ports configured for low impact mode (PRE-AUTH ACL with basic access) which can no longer reach ISE PSN nodes.
With the restricted dACL, there is no way to overwrite it when the Servers are unavailable and thus the end point will have restricted access. We can't use EEM as it's not supported on the 2960's.
I have heard the only option is to remove the dACL, but that creates a security risk for a short time. Or is there another way, i.e. some sort of service policy?
interface GigabitEthernetx/x/x
 switchport access vlan 101
 switchport mode access
 switchport voice vlan 200
 srr-queue bandwidth share 1 30 35 5
 queue-set 2
 priority-queue out
 authentication event fail action next-method
 authentication event server dead action authorize vlan 200
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication open
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication violation restrict
 mab
 snmp trap mac-notification change added
 mls qos trust cos
 dot1x pae authenticator
 dot1x timeout tx-period 10
 auto qos trust
 no mdix auto
 no cdp enable
 spanning-tree portfast
!
Thanks in advance.
02-23-2016 09:23 AM
I have faced this issue in the past and have resolved it by one of the following:
1. Used Closed Mode instead of Low-Impact, thus removing the need for pre-auth-acl
2. Used eem-script (not applicable in your situation)
3. Made the pre-auth ACL less restrictive. Not ideal and not as secure but that way users were actually able to get some limited internal resources and access to HTTP/HTTPs so they can get to the internet
4. Utilized the Critical ACL on Failure feature (only available on converged access switches). Perhaps Cisco will bring this feature to regular switches as well:
I hope this helps!
Thank you for rating helpful posts!
02-25-2016 06:34 AM
Hi Neno.
Seems closed mode may have to be the way to go for my situation.
Thanks again Neno.
02-23-2016 02:19 PM
I have also used most of the options that Neno mentions, however another one I figured out recently is using TCL and kron, since EEM is not supported. This will insert a permit ip any any in your ACL if all your AAA servers are marked down; it will check once every minute.
Following is how I did it:
IOS config:
kron policy-list checkradius
 cli tclsh radcheck.tcl
!
kron occurrence sched-checkradius in 1 recurring
 policy-list checkradius
Copy the contents below to a file called radcheck.tcl (you can change the ACL name to fit your solution) and TFTP it to the switch flash.
--- starts here ----
# Each "State:" line of "show aaa servers" describes one RADIUS server,
# e.g. "State: current UP, duration 120s, previous duration 0s".
# The file is run by "tclsh radcheck.tcl" from kron, so it must not
# start with a "tclsh" line of its own.
set process_output [exec {show aaa servers | in State:}]
# Only the first two servers are checked; add lines for further servers.
set rad1 [lindex [split $process_output "\n"] 0]
set rad2 [lindex [split $process_output "\n"] 1]
if { [regexp ".*(UP).*" $rad1] } {
    puts up
    set rad1status 1
} else {
    puts down
    set rad1status 0
}
if { [regexp ".*(UP).*" $rad2] } {
    puts up
    set rad2status 1
} else {
    puts down
    set rad2status 0
}
if {!$rad1status && !$rad2status} {
    puts bothdown
    # Fail open: insert a permit at sequence 1 of the pre-auth ACL (named "test" here)
    ios_config "ip access-list extended test" "1 permit ip any any"
} else {
    puts atleastoneup
    # Remove the fail-open entry again once at least one server is reachable
    ios_config "ip access-list extended test" "no 1"
}
--- ends here ---
Jan
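A generalised version of the same check, added here as an example and not Jan's code: instead of reading only the first two lines, it parses every "State: current ..." line that "show aaa servers" returns, so it works with any number of RADIUS servers, and it leaves the ACL untouched when the output cannot be parsed rather than failing open on a parse error. It assumes the IOS tclsh environment (unknown commands are passed to exec, and ios_config is available) and uses PRE-AUTH as a placeholder ACL name.

```tcl
# Added example, not from the thread. Runs under IOS tclsh from the same
# kron policy as radcheck.tcl. The ACL name below is an assumption.
set acl_name "PRE-AUTH"

# Parse "show aaa servers" output. Returns 1 if at least one server reports
# "State: current UP", 0 if every server reports another state, and -1 if
# no state line was found at all (output format changed or command failed).
proc any_server_up {output} {
    set up 0
    set total 0
    foreach line [split $output "\n"] {
        # Per-server lines look like "State: current UP, duration 120s, ..."
        if {[regexp {^\s*State:\s+current\s+([A-Za-z]+)} $line -> state]} {
            incr total
            if {[string equal -nocase $state "UP"]} {
                incr up
            }
        }
    }
    if {$total == 0} {
        return -1
    }
    return [expr {$up > 0}]
}

set process_output [exec {show aaa servers | include State:}]
set result [any_server_up $process_output]

if {$result == 0} {
    # All RADIUS servers dead: fail open by inserting a permit at sequence 1
    puts "all RADIUS servers down, inserting permit at seq 1 of $acl_name"
    ios_config "ip access-list extended $acl_name" "1 permit ip any any"
} elseif {$result == 1} {
    # At least one server answers: remove the fail-open entry (harmless if absent)
    puts "RADIUS reachable, removing fail-open entry from $acl_name"
    ios_config "ip access-list extended $acl_name" "no 1"
} else {
    # Do not change the ACL on a parse failure; log it so it shows up in the kron output
    puts "could not parse show aaa servers output, leaving $acl_name unchanged"
}
```

Because kron runs the script once a minute, the window between the last server going dead and the ACL opening is at most one minute, and the entry is removed on the next run after a server comes back; the -1 branch is what stops a changed output format from silently opening the port.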
02-25-2016 06:38 AM
I'm not familiar with TCL or Kron, Jan.
When the script checks for the RADIUS servers, what does it actually look for? Is it the syslog messages that are generated when they go down/up?
Thanks.
02-25-2016 09:42 AM