Network Access with Cisco ISE & Entra ID During Internet Outages

MSN
Level 1

We have a remote site with a single ISP internet connection and no on-premises AD, DNS, or domain controllers. Our setup includes:

Cisco ISE for network access control with Microsoft Entra ID as a REST ID store for user authentication.
Microsoft Intune (MDM) integrated with ISE for device compliance checks.
Access switches, WLC and a firewall (no local servers).

Our concern: If the internet goes down, we will lose connection to both Entra ID and Intune from Cisco ISE, causing authentication to fail. This could prevent users from accessing the network.

How can we ensure users can still authenticate if the internet is down?
Can we set up a fallback method in ISE to allow logins during an outage?
Are there any caching options or backup authentication methods we can use?

2 Replies

Scott Fella
Hall of Fame

I would guess you can create another rule below your Entra ID rule to Auth using EAP-TLS or PEAP. You would have to look at the current attributes when Entra ID is working so you can define a good policy. Or maybe change your Entra ID policy to continue and not drop. It’s something you have to tinker with. 

-Scott
*** Please rate helpful posts ***

Greg Gibbs
Cisco Employee

So, if I understand correctly, you have a local ISE PSN at the site but all of your Identity Providers are remote. Is that correct?

Typically, a design with a local PSN for scenarios like a WAN outage would also require local resources like Identity Providers and any other dependent systems.

In the case of Entra ID, the authentication is only being done based on a valid certificate anyway and ISE is only performing Authorization against Entra ID. For this failure scenario, you could have an AuthZ Policy that only matches on the certificate attributes, but you would likely want to have it disabled in normal operations and only enable it as a 'break glass' option in the case of an outage.

If the IdP resources cannot be co-located with the PSN at remote sites, these types of WAN outage scenarios are more typically handled directly by the switches using Critical Authorization and other features of the IBNS 2.0 framework.