ISE - Radius and TACACS server fail detection config in Switches

babalao (Spotlight)

Hello,

We use dot1x (RADIUS) and TACACS for device admin. We want to implement a critical auth VLAN for dot1x users if the ISE server is down.

And a similar thing for device admin (TACACS): when the first ISE is down, we want to still be able to SSH to devices.

We have a small deployment of 2 ISE nodes (primary and secondary).

This is the config we are planning; if something is missing, could you point it out?

aaa authentication login default group ISE-TACACS local
aaa authentication enable default group ISE-TACACS enable
aaa authentication dot1x default group ISE-RADIUS
aaa authorization config-commands
aaa authorization exec default group ISE-TACACS local if-authenticated
aaa authorization commands 1 default group ISE-TACACS local if-authenticated
aaa authorization commands 15 default group ISE-TACACS local if-authenticated
aaa authorization network default group ISE-RADIUS
aaa accounting dot1x default start-stop group ISE-RADIUS
aaa accounting exec default start-stop group ISE-TACACS
aaa accounting commands 1 default start-stop group ISE-TACACS
aaa accounting commands 15 default start-stop group ISE-TACACS


radius server ISE-Pri
 address ipv4 10.10.10.11 auth-port 1812 acct-port 1813
 automate-tester username test-Ise-User ignore-acct-port probe-on
 key ...
!
radius server ISE-Sec
 address ipv4 10.10.10.12 auth-port 1812 acct-port 1813
 automate-tester username test-Ise-User ignore-acct-port probe-on
 key ...
!
aaa group server radius ISE-RADIUS
 server name ISE-Pri
 server name ISE-Sec


username test-Ise-User password 0 xxxxx

radius-server dead-criteria time 10 tries 3
radius-server deadtime 15


dot1x system-auth-control
dot1x critical eapol

interface x/x
 authentication event fail action next-method
 authentication event server dead action authorize vlan <VLAN DATOS>
 authentication event server dead action authorize voice
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10

TACACS:

aaa group server tacacs+ ISE-TACACS
 server name ISE-Pri
 server name ISE-Sec
!
tacacs server ISE-Pri
 address ipv4 10.10.10.11
 key ...
tacacs server ISE-Sec
 address ipv4 10.10.10.12
 key ...

Thank you in advance!

Regards

3 Replies

@babalao, a suggestion I would make would be to add the following interface-level command:

authentication event server alive action reinitialize

This command reinitialises the connected session once the RADIUS server is alive/up again.

Refer to the ISE prescriptive guides for best practices - https://community.cisco.com/t5/security-knowledge-base/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515

https://community.cisco.com/t5/security-knowledge-base/cisco-ise-device-administration-prescriptive-deployment-guide/ta-p/3738365

babalao (Spotlight)

Hello,

For the failover to the other ISE for TACACS (device admin), would the config I posted be enough, or am I missing some command?

I am not sure of that.

Thank you!

Regards.

@babalao fallback is covered in the guide provided. If both ISE servers in the TACACS group (ISE-TACACS) are down, authentication will fall back to local authentication - you will obviously need to create local accounts.
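The thread boils down to a handful of commands that must all be present for the fail-open (critical VLAN) and fail-back (local accounts) behaviour to work: global dead-server detection, a probe on every RADIUS server, critical EAPoL, the server-dead and server-alive actions on each dot1x port, and a `local` method after the TACACS group in the login and exec method lists. The script below is an added example (my own, not from the thread, Cisco or ISE) that parses an IOS-style config and reports which of those pieces are missing, so the plan can be checked before it is pushed. The sample config is constructed from the poster's plan with one probe and the reply's `reinitialize` command deliberately left out; the finding strings and function names are my own.

```python
"""Static check of an IOS AAA config for the server-fail-detection pieces
discussed in the thread. Added example; the config below is constructed."""

# Constructed sample: the poster's plan, with ISE-Sec missing its probe and
# the interface missing the 'server alive action reinitialize' command.
SAMPLE_CONFIG = """\
aaa authentication login default group ISE-TACACS local
aaa authentication dot1x default group ISE-RADIUS
aaa authorization exec default group ISE-TACACS local if-authenticated
radius server ISE-Pri
 address ipv4 10.10.10.11 auth-port 1812 acct-port 1813
 automate-tester username test-Ise-User ignore-acct-port probe-on
 key REDACTED
radius server ISE-Sec
 address ipv4 10.10.10.12 auth-port 1812 acct-port 1813
 key REDACTED
radius-server dead-criteria time 10 tries 3
radius-server deadtime 15
dot1x system-auth-control
dot1x critical eapol
interface GigabitEthernet1/0/1
 authentication event server dead action authorize vlan 99
 authentication event server dead action authorize voice
 authentication port-control auto
 dot1x pae authenticator
"""


def parse_blocks(text):
    """Split an IOS config into (top-level line, [indented sub-commands]).
    Top-level lines without children get an empty list; '!' lines and blank
    lines are skipped."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] in " \t" and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def check_fail_detection(text):
    """Return a list of human-readable findings; an empty list means every
    fail-detection / fallback piece discussed in the thread is present."""
    blocks = parse_blocks(text)
    tops = [head for head, _ in blocks]
    findings = []

    def has_top(prefix):
        return any(h.startswith(prefix) for h in tops)

    # Global pieces: without dead-criteria/deadtime the switch never marks a
    # server dead, so the critical VLAN action on the port never fires.
    if not has_top("radius-server dead-criteria"):
        findings.append("global: missing 'radius-server dead-criteria'")
    if not has_top("radius-server deadtime"):
        findings.append("global: missing 'radius-server deadtime'")
    if not has_top("dot1x critical eapol"):
        findings.append("global: missing 'dot1x critical eapol'")

    for head, subs in blocks:
        words = head.split()
        if head.startswith("radius server "):
            # Each server needs its own probe so it is detected as down
            # before a real supplicant has to sit through the timeouts.
            if not any(s.startswith("automate-tester") for s in subs):
                findings.append(f"{head}: no automate-tester probe")
        elif head.startswith("interface ") and "authentication port-control auto" in subs:
            if not any(s.startswith("authentication event server dead action authorize") for s in subs):
                findings.append(f"{head}: no server-dead authorize action (critical VLAN)")
            if "authentication event server alive action reinitialize" not in subs:
                findings.append(f"{head}: no server-alive reinitialize action")
        elif words[:3] in (["aaa", "authentication", "login"], ["aaa", "authorization", "exec"]):
            # Device-admin method lists must end in 'local' so SSH still
            # works when every server in the TACACS group is unreachable.
            if "group" in words and "local" not in words:
                findings.append(f"{head}: no local fallback after group")
    return findings


if __name__ == "__main__":
    for finding in check_fail_detection(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run it against the output of `show running-config` saved to a file; the parser only relies on IOS's one-space indentation of sub-commands, so `radius-server ...` globals, `radius server <name>` blocks and interface blocks are told apart by their leading text. The local-fallback check deliberately ignores the `dot1x` method list, since for 802.1X the fallback is the critical VLAN rather than local accounts.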