ISE Nodes Failure

rmujeeb81
Level 1

Hi All,

I want to get an idea of how I can configure a timer for the case where both ISE nodes become unreachable, so that clients which are already authenticated remain authenticated until the specified time period has passed. Is this a configurable option?

Are these commands relevant to the above requirement?

radius-server dead-criteria time 5 tries 2
radius-server deadtime 10

Thanks

9 Replies

Ravi Singh
Level 7

The above commands are used to detect a dead RADIUS server. They will not fulfill your requirement. I don't think there is any method to do so.

Hi,

What about the following command at the port level:

authentication timer reauthenticate server

Regards,

Tarik Admani
VIP Alumni

The command sets the reauthentication timer when the session-timeout is handed down for the user session.

I want to understand your business requirement for your scenario. Are you looking to extend a reauthentication timer if all RADIUS servers are dead? If so, the following command will authorize a client on a VLAN if the servers are dead. That command is:
authentication event server dead action authorize vlan xx
The next command will reauthenticate the port when the RADIUS server is alive again:
authentication event server alive reinitialize

Sent from Cisco Technical Support Android App

Hi Tarik,

Yes, the requirement is to keep the ports in authenticated/authorized status for a specified time, e.g. 4 hours, if both ISE nodes are unreachable.

We have the commands you mentioned above on all ports; however, we also have the following ACL (which is very restrictive) on all ports:

ip access-list extended ISE-ACL-DEFAULT
 remark DHCP
 permit udp any eq bootpc any eq bootps
 remark DNS and Domain Controllers
 permit ip any host 172.22.x.x
 permit ip any host 172.22.y.y
 remark Ping
 permit icmp any any
 remark PXE / TFTP
 permit udp any any eq tftp
 deny ip any any

So the requirement is to keep the DACL "ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-5165e13c" on the port if both ISE nodes fail, instead of the above ACL.

So please advise.

Thanks

Hi,

I understand where you are coming from, there is a feature enhancement request for this scenario where you can bypass the acl when the servers are dead. I can not find the bug id, but once I come across it I will update this thread.

Thanks,

Tarik Admani
*Please rate helpful posts*

Thanks for the quick response.

I will wait for further information.

Also, if your scenario is willing to support EEM and TCL scripting, you can leverage the test aaa server command, capture the output of the "all RADIUS servers are dead" response and then issue a result where the port-based ACL is removed.

Then you can set up another scenario where, if the RADIUS server is marked alive after 30 seconds for example, you re-apply the ACL and clear the auth sessions for each of the ports. This will take some effort in testing but is possible.

Once I get the feature request ID your best bet would be to open a TAC case and have your case attached to it.

Thanks,

Tarik Admani
*Please rate helpful posts*
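The EEM approach Tarik sketches, written out as an added example that is not code from this thread or from Cisco, and tied back to the dead-criteria/deadtime commands from the opening question. The interface range, VLAN 100, the RADIUS_DEAD/RADIUS_ALIVE syslog mnemonics and the "State: current UP" line of show aaa servers are assumptions to verify on the running IOS release before relying on them.

```cisco
! Added example, not code from the thread or from Cisco: critical-auth plus an
! EEM "fail-open" of the port ACL. Interface range, VLAN 100 and the syslog
! mnemonics are assumptions to verify on the running IOS release.
!
! 1. Server health: a server is marked dead after 2 consecutive requests go
!    unanswered for 5 s each, and is skipped for 10 minutes (the poster's commands).
radius-server dead-criteria time 5 tries 2
radius-server deadtime 10
!
! 2. Critical authentication: when every server in the group is dead, new
!    sessions are authorized into VLAN 100; when a server returns, the port
!    re-initializes so clients re-authenticate against ISE. The restrictive
!    port ACL stays in place, which is the gap the EEM applets below close.
interface range GigabitEthernet1/0/1 - 24
 ip access-group ISE-ACL-DEFAULT in
 authentication event server dead action authorize vlan 100
 authentication event server alive action reinitialize
!
! 3. RADIUS_DEAD fires per server, so check whether any server is still UP
!    and remove the ACL only when none is. Ports are wide open from here on,
!    so the alive applet must reverse it.
event manager applet ISE-ALL-DEAD
 event syslog pattern "RADIUS_DEAD"
 action 1.0 cli command "enable"
 action 2.0 cli command "show aaa servers | include State"
 action 3.0 regexp "current UP" "$_cli_result"
 action 4.0 if $_regexp_result eq 0
 action 4.1 cli command "configure terminal"
 action 4.2 cli command "interface range GigabitEthernet1/0/1 - 24"
 action 4.3 cli command "no ip access-group ISE-ACL-DEFAULT in"
 action 4.4 cli command "end"
 action 4.5 syslog msg "All RADIUS servers dead: ISE-ACL-DEFAULT removed from access ports"
 action 5.0 end
!
! 4. First server back: re-apply the ACL and clear sessions so every client
!    re-authenticates against ISE and gets its DACL instead of open access.
event manager applet ISE-ALIVE
 event syslog pattern "RADIUS_ALIVE"
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "interface range GigabitEthernet1/0/1 - 24"
 action 4.0 cli command "ip access-group ISE-ACL-DEFAULT in"
 action 5.0 cli command "end"
 action 6.0 cli command "clear authentication sessions"
 action 7.0 syslog msg "RADIUS server alive: ISE-ACL-DEFAULT re-applied, sessions cleared"
```

Test this in a lab first: the dead applet strips the ACL from all 24 ports at once, and if the syslog pattern or the show aaa servers output format differs on your release it will silently never fire.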

I checked my notes and could not find the feature request. You may need to open a TAC case to see if one can be referenced for you. I know this is an issue that many customers face, and outside of some simple EEM scripting there isn't a "RADIUS feature" in IOS that will do this for you.

thanks,

Tarik Admani
*Please rate helpful posts*

Hi Tarik,

I came across the following command:

radius-server deadtime [minutes]

"Specifies for how many minutes a RADIUS server that is not responding to authentication requests is passed over by requests for RADIUS authentication."

So can it be used to meet the requirement explained above?

Thanks & Regards,

Mujeeb
