05-24-2024 08:52 AM
Hello,
We use dot1x (RADIUS) and TACACS for device admin. We want to implement a critical auth VLAN for dot1x users if the ISE server is down.
And a similar thing for device admin (TACACS): when the first ISE is down we want to still be able to SSH to devices.
We have a small deployment of 2 ISE nodes (primary and secondary).
This is the config we are planning; if something is missing, could you please point it out?
aaa authentication login default group ISE-TACACS local
aaa authentication enable default group ISE-TACACS enable
aaa authentication dot1x default group ISE-RADIUS
aaa authorization config-commands
aaa authorization exec default group ISE-TACACS local if-authenticated
aaa authorization commands 1 default group ISE-TACACS local if-authenticated
aaa authorization commands 15 default group ISE-TACACS local if-authenticated
aaa authorization network default group ISE-RADIUS
aaa accounting dot1x default start-stop group ISE-RADIUS
aaa accounting exec default start-stop group ISE-TACACS
aaa accounting commands 1 default start-stop group ISE-TACACS
aaa accounting commands 15 default start-stop group ISE-TACACS
radius server ISE-Pri
address ipv4 10.10.10.11 auth-port 1812 acct-port 1813
automate-tester username test-Ise-User ignore-acct-port probe-on
key ...
!
radius server ISE-Sec
address ipv4 10.10.10.12 auth-port 1812 acct-port 1813
automate-tester username test-Ise-User ignore-acct-port probe-on
key ...
!
aaa group server radius ISE-RADIUS
server name ISE-Pri
server name ISE-Sec
username test-Ise-User password 0 xxxxx
radius-server dead-criteria time 10 tries 3
radius-server deadtime 15
dot1x system-auth-control
dot1x critical eapol
interface x/x
authentication event fail action next-method
authentication event server dead action authorize vlan <VLAN DATOS>
authentication event server dead action authorize voice
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
TACACS:
aaa group server tacacs+ ISE-TACACS
server name ISE-Pri
server name ISE-Sec
tacacs server ISE-Pri
address ipv4 10.10.10.11
key ...
tacacs server ISE-Sec
address ipv4 10.10.10.12
key ...
thank you in advance!
Regards
05-24-2024 09:19 AM
@babalao a suggestion I would make would be to add the following interface-level command:
authentication event server alive action reinitialize
This command will reinitialise the connected session once the RADIUS server is alive/up again.
Refer to the ISE prescriptive guides for best practices - https://community.cisco.com/t5/security-knowledge-base/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515
05-25-2024 08:33 AM
Hello,
For the failover to the other ISE for TACACS (device admin), would the config I posted be enough, or am I missing some command?
I am not sure about that.
Thank you!
Regards.
05-25-2024 08:46 AM
@babalao fallback is covered in the guide provided. If both ISE servers in the TACACS group (ISE-TACACS) are down, authentication will fall back to local authentication - you will obviously need to create local accounts.
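The following script is an added example and is not part of the thread, the Cisco guide, or any ISE tooling. It audits an IOS/IOS-XE configuration for the survivability pieces discussed in the original post (automate-tester, dead-criteria/deadtime, critical EAPOL, the interface "server dead" actions), the first reply ("server alive action reinitialize"), and the second reply (a local account for TACACS fallback). The sample configuration is a constructed, abbreviated copy of the one posted; the interface name, VLAN 100, the "netadmin" account and the placeholder secret are assumptions.

```python
"""Audit an IOS-style config for RADIUS/TACACS survivability settings.

Added example for the thread above; the checks mirror the commands discussed
there. Everything is parsed from plain text, so it runs offline on a saved
'show running-config'.
"""

# Constructed sample: the original post's config, abbreviated. It deliberately
# omits automate-tester on ISE-Sec, the "server alive" action, and a local
# admin account so the audit has something to report.
SAMPLE_CONFIG = """
aaa authentication login default group ISE-TACACS local
aaa authentication enable default group ISE-TACACS enable
aaa authentication dot1x default group ISE-RADIUS
aaa authorization exec default group ISE-TACACS local if-authenticated
aaa authorization commands 15 default group ISE-TACACS local if-authenticated
radius server ISE-Pri
 address ipv4 10.10.10.11 auth-port 1812 acct-port 1813
 automate-tester username test-Ise-User ignore-acct-port probe-on
radius server ISE-Sec
 address ipv4 10.10.10.12 auth-port 1812 acct-port 1813
username test-Ise-User password 0 xxxxx
radius-server dead-criteria time 10 tries 3
radius-server deadtime 15
dot1x system-auth-control
dot1x critical eapol
interface GigabitEthernet1/0/1
 authentication event fail action next-method
 authentication event server dead action authorize vlan 100
 authentication event server dead action authorize voice
 authentication port-control auto
 mab
 dot1x pae authenticator
"""

# Constructed "fixed" variant: same config with the three gaps closed.
HARDENED_CONFIG = (
    SAMPLE_CONFIG
    .replace(" address ipv4 10.10.10.12 auth-port 1812 acct-port 1813\n",
             " address ipv4 10.10.10.12 auth-port 1812 acct-port 1813\n"
             " automate-tester username test-Ise-User ignore-acct-port probe-on\n")
    .replace(" authentication event server dead action authorize voice\n",
             " authentication event server dead action authorize voice\n"
             " authentication event server alive action reinitialize\n")
    .replace("username test-Ise-User password 0 xxxxx\n",
             "username test-Ise-User password 0 xxxxx\n"
             "username netadmin privilege 15 secret PLACEHOLDER\n")
)


def parse_sections(config):
    """Map each top-level line to the indented lines beneath it."""
    sections, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        elif not raw.startswith(" "):
            current = raw.strip()
            sections.setdefault(current, [])
    return sections


def audit(config):
    """Return a list of human-readable findings; an empty list means all checks pass."""
    sections = parse_sections(config)
    top = list(sections)
    findings = []

    # RADIUS: each server should be probed so it is marked dead proactively.
    tester_users = set()
    for name, body in sections.items():
        if name.startswith("radius server "):
            probes = [l for l in body if l.startswith("automate-tester") and "probe-on" in l]
            if not probes:
                findings.append(f"{name}: missing 'automate-tester ... probe-on'")
            tester_users.update(l.split()[2] for l in probes)
    for prefix in ("radius-server dead-criteria", "radius-server deadtime"):
        if not any(t.startswith(prefix) for t in top):
            findings.append(f"global: missing '{prefix}'")
    if "dot1x critical eapol" not in top:
        findings.append("global: missing 'dot1x critical eapol'")

    # Interfaces running 802.1X need the critical-auth and recovery actions.
    for name, body in sections.items():
        if name.startswith("interface ") and "authentication port-control auto" in body:
            for needed in ("authentication event server dead action authorize vlan",
                           "authentication event server dead action authorize voice",
                           "authentication event server alive action reinitialize"):
                if not any(l.startswith(needed) for l in body):
                    findings.append(f"{name}: missing '{needed}'")

    # TACACS: method lists must end in 'local', and a local admin must exist.
    for method in ("aaa authentication login default",
                   "aaa authorization exec default",
                   "aaa authorization commands 15 default"):
        line = next((t for t in top if t.startswith(method)), None)
        if line is None or " local" not in line:
            findings.append(f"{method}: no 'local' fallback method")
    local_users = {t.split()[1] for t in top if t.startswith("username ")}
    if not local_users - tester_users:
        findings.append("no local admin account besides the RADIUS test user; "
                        "'local' fallback has nothing to authenticate against")
    return findings


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit(cfg) or 'OK'}")
```

Run it against a saved running-config to get the three findings the sample is built to trigger; the hardened variant passes cleanly, which is the state the replies above describe.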