01-24-2018 11:53 PM
Hello,
I am Ram Mohan from India. I am using Cisco ISE in our organization. In recent days I faced an issue which created a big problem.
Incident:
3 days back, all the end users logged in to the system; after login, the NAC agent was not initiated to check the posture.
This issue affected the entire organization, so they were not able to access the intranet or the internet.
Temporarily, I just removed the NAC configuration on the switch ports and allowed network access.
In that situation I struggled a lot to remove the NAC configuration on all the access switches (52 switches), which are located on all floors.
My query: is there any option or specific configuration to bypass the ISE system in the above critical situation?
Please let me know if there is any chance to overcome this issue.
Version details:
Version : 2.2.0.470
NAC Agent Ver : 4.9.5.10
ADE OS Ver : 3.0.2.218
Thanks,
Rama Mohan Rao P
01-25-2018 10:09 AM
Hello,
You can disable posture policies on ISE in such cases, and also change the authorization policies to permit network access irrespective of the posture status. Modifying the switch configuration is not necessary, as long as it can talk to ISE.
Do you have a TAC case open to understand why the NAC agent failed to do posture?
~Hari
01-28-2018 10:45 PM
Hello Mr. Hari,
Thank you for your reply.
Actually, I just disabled the posture policies on ISE when the incident happened. But before that, all the systems hung and showed an exclamation mark (yellow triangle) on the LAN icon. I have captured the posture policy for your reference.
Please check and let me know if there is any further step I have to take.
Regarding the TAC case:
The TAC engineer suggested upgrading to Patch 5, and I have done the same.
I discussed with the TAC engineer and sent the ise-support-bundle logs from before and after the issue was raised.
I am waiting for his response to know the exact cause of the problem.
The wonder is that the problem was resolved before the Patch 5 upgrade itself.
Only on that day was there an issue with the NAC agent. The next day I tried on test systems and it was running well.
01-26-2018 09:45 PM
Perhaps, this is what you are looking for -- 802.1x Authentication with Inaccessible Authentication Bypass
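For reference, a sketch of the switch-side Inaccessible Authentication Bypass (critical VLAN) configuration named in the reply above, as an added example that is not part of the original thread. VLAN 100, the interface name and the timer values are placeholders. This path is taken only when the switch marks every configured RADIUS server dead; it does not trigger while ISE is reachable and answering but posture assessment fails, which is the case the earlier reply handles on the ISE side.

```cisco
! Constructed example: VLAN 100, the interface and the timers are placeholders.
! Global: when a RADIUS server (ISE policy node) is declared dead,
! and how long (in minutes) it stays marked dead before being retried.
radius-server dead-criteria time 5 tries 3
radius-server deadtime 15
! Send EAPOL-Success to 802.1X supplicants authorized through the critical path.
dot1x critical eapol
!
! Per access port: with all servers dead, place data hosts in the critical VLAN
! and keep voice devices working; re-authenticate once a server is alive again.
interface GigabitEthernet1/0/1
 authentication event server dead action authorize vlan 100
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
```

The critical VLAN should carry only the access you are willing to grant unauthenticated endpoints during an outage, enforced by ACLs on that VLAN.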