Hello Alex,
There are several things to consider depending on the type of ISE rollout you have.
For Wired:
- Yes, you can definitely take advantage of the commands that you referenced. This works well if you are using Closed Mode. If you are using Low-Impact mode, then you have to use a method to remove/alter the pre-auth ACL. In normal circumstances, ISE pushes a dACL that replaces the pre-auth ACL. So your options to remove the pre-auth ACL are:
--- Use the critical ACL. This works well, but it is only available with the new/converged access switches (3850 and 3560)
--- Use an EEM script
--- Use a cron job
- In addition, if the site is big and/or important enough, then you can place a local PSN for extra redundancy
For Wireless:
- In the wireless world, there isn't a "fail-open" mode or a "try the next method" type of feature. Thus, your options here are:
--- Place a local PSN
--- Use a fallback method. For instance, RADIUS and/or LDAP off the local Domain Controller
--- Stand up a temporary SSID with PSK and/or another method that does not rely on RADIUS
For VPN:
- Same as with wireless, there isn't a fail-open mechanism here
- You can use a fallback method like another LDAP, RADIUS or even locally defined users
I hope this helps!
Thank you for rating helpful posts!
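The EEM option for Low-Impact mode mentioned above, as an added example that is not part of the original reply: two IOS applets, one that pulls the pre-auth ACL off the access ports when the switch logs that the RADIUS server is dead, and one that puts it back when the server is marked alive again. The ACL name PRE-AUTH and the interface range Gi1/0/1-48 are assumptions for illustration, not values from this thread.

```ios
! Added example, not from the original post. Assumptions: the Low-Impact
! pre-auth ACL is named PRE-AUTH and is applied inbound on Gi1/0/1 - 48.
!
! Applet 1: on the RADIUS dead syslog, remove the pre-auth ACL so new and
! existing endpoints keep working while ISE is unreachable (fail-open).
event manager applet ISE-DEAD-REMOVE-PREAUTH
 event syslog pattern "%RADIUS-4-RADIUS_DEAD"
 action 1.0 cli command "enable"
 action 1.1 cli command "configure terminal"
 action 1.2 cli command "interface range GigabitEthernet1/0/1 - 48"
 action 1.3 cli command "no ip access-group PRE-AUTH in"
 action 1.4 cli command "end"
 action 1.5 syslog priority warnings msg "ISE unreachable: pre-auth ACL removed from access ports"
!
! Applet 2: on the RADIUS alive syslog, restore the pre-auth ACL so
! Low-Impact enforcement resumes as soon as ISE is back.
event manager applet ISE-ALIVE-RESTORE-PREAUTH
 event syslog pattern "%RADIUS-4-RADIUS_ALIVE"
 action 1.0 cli command "enable"
 action 1.1 cli command "configure terminal"
 action 1.2 cli command "interface range GigabitEthernet1/0/1 - 48"
 action 1.3 cli command "ip access-group PRE-AUTH in"
 action 1.4 cli command "end"
 action 1.5 syslog priority notifications msg "ISE reachable again: pre-auth ACL restored"
```

With more than one PSN defined as a RADIUS server, a single RADIUS_DEAD message only means one server is down, so in practice you would gate the removal on all configured servers being dead (for example by checking `show aaa servers` inside the applet) rather than opening the ports on the first dead marking. The alive/dead thresholds themselves come from your `radius-server dead-criteria` and `radius-server deadtime` settings, so tune those together with the applets.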