Re-Authenticate End hosts after ISE failure

ShaunGreen
Level 1

Dear All,

We are using IBNS 2.0 with dot1x and mab.

Everything so far is working in our testing and when we simulate an ISE failure the Critical service template allows the end hosts access to the network.

When the ISE server comes back online, the dot1x hosts re-authenticate and pickup their correct policy sets.

But the MAB (profiled) devices stay in the Critical state.

Does anyone know the best procedure to automatically re-authenticate these devices once the ISE server is back online?

Thanks in advance.

4 Replies

poongarg
Cisco Employee

Please attach the "sh tech" output from the switch.

Hi, Thanks for your interest.

To give some more information, I closed down the ISE application on Friday evening. Everything failed over using the 'Critical' service template (screen shot below).

When the RADIUS servers are back online, the dot1x hosts re-authenticate, but the MAB profiled devices are still staying on the Critical service template.

We could manually carry out a COA from ISE for these hosts, but I'm wondering if there is a way to configure re-authentication once the ISE is up and running without manual intervention?

Code is 16.9.4

It appears you may be missing the policy required to resume authentication once AAA comes back online; you need to exit critical auth. If you follow Hari's secure wired access prescriptive guide you can see how this could be done.
https://community.cisco.com/t5/security-documents/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515

ex.

event aaa-available match-all
 10 class IN_CRITICAL_AUTH do-until-failure
  10 clear-session
 20 class NOT_IN_CRITICAL_AUTH do-until-failure
  10 resume reauthentication

Hi Damien,

Thanks for your assistance. It took me a while to test this and, to be honest, IBNS 2.0 is a bit tricky to get your head around after being used to the 'old' ways... but it now looks to be working well.

Thanks again.