When ISE goes down, none of the computers can get to Internet or network shares.

Richard Smale (Level 1)

We are running Cisco ISE 1.4 with machine authentication only and recently had a power outage for about 6 hours. When the UPS batteries that the ISE servers are connected to drained, none of the computers could connect to anything. The NICs on the computers had an error of "Authentication Failed". We have "Fallback to unauthorized network access" selected on every computer. Is there a way to allow all the computers to have access to the network and internet as usual when the ISE servers are down?

The port config is below:

 switchport access vlan 77
 switchport mode access
 switchport voice vlan 777
 ip access-group ACL-DEFAULT in
 authentication event fail action next-method
 authentication event server dead action authorize vlan 77
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer inactivity 180
 authentication violation restrict
 mab
 no snmp trap link-status
 auto qos voip cisco-phone
 dot1x pae authenticator
 dot1x timeout tx-period 10
 qos trust device cisco-phone
 spanning-tree portfast
 spanning-tree bpduguard enable
 service-policy input AutoQos-VoIP-Input-Cos-Policy
 service-policy output AutoQos-VoIP-Output-Policy

Accepted Solution

jan.nielsen (Level 7)

You need to use some EEM script to change the ip access-list you have assigned to the interface to something with "permit ip any any" in it.

"authentication event server dead action authorize vlan 77" will only work in closed mode configurations, which don't use a pre-auth ACL.

9 Replies


Thanks Jan, that worked. I finally figured out how to use EEM with IP SLA, and I have the switches monitor the ISE boxes. When an ISE box goes down the ACLs are removed so the users can still get access to the network.

That's great to hear. Maybe you could post your config for these EEM scripts, so others can find this information?

Just FYI, you could also monitor the local log events on the switch, which will also contain some information about the state of the RADIUS servers (DEAD vs. ALIVE).

When I get back in the office I will post the script.

 

Monitoring RADIUS servers (DEAD vs. ALIVE) was not fast enough and not accurate enough. That was one of many options I tried.

That's great. I know a lot of people probably think this just works when you have the "authentication event server dead action authorize vlan xx" command in there, so the more threads where the right solution is, the better. Maybe if we're lucky someday Cisco will have an "authentication event server dead action authorize acl xxx" command for this :-)

You can use the critical ACL feature on the switches, which provides permit-all access when the RADIUS servers are unavailable.

More info at the link below:

http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-services/whitepaper_C11-729965.html#_Toc404649488
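The critical ACL feature mentioned in this reply is configured with IBNS 2.0 service templates rather than the classic "authentication ..." interface commands. The configuration below is an added example, not code from this thread or from Cisco's documentation. It keeps the thread's access VLAN 77, voice VLAN 777 and pre-auth ACL name ACL-DEFAULT; the interface name GigabitEthernet1/0/1, the ACL name ACL-CRITICAL, the template name CRITICAL-ACCESS, the policy name DOT1X-MAB-CRITICAL and all class-map names are chosen here for illustration.

```ios
! Added example: critical ACL via IBNS 2.0 service templates (not from the thread).
! Switch to the new-style access-session CLI. Once a new-style command is entered
! and saved, the switch stays in new-style mode.
authentication display new-style
!
! Dead-server detection: a RADIUS server is marked DEAD after 3 unanswered requests
! within 5 seconds and stays DEAD for 15 minutes before being probed again.
radius-server dead-criteria time 5 tries 3
radius-server deadtime 15
!
! ACL applied in place of the pre-auth ACL while every RADIUS server is DEAD.
! Fails open; narrow it if a full permit-all is not acceptable for your risk tolerance.
ip access-list extended ACL-CRITICAL
 permit ip any any
!
! Service template activated for sessions that hit a RADIUS timeout.
service-template CRITICAL-ACCESS
 description Applied while all RADIUS servers are dead
 access-group ACL-CRITICAL
 vlan 77
!
! Sessions that timed out against AAA and hold no authorization yet.
class-map type control subscriber match-all AAA-SVR-DOWN-UNAUTHD-HOST
 match result-type aaa-timeout
 match authorization-status unauthorized
! Sessions that timed out against AAA but were already authorized (keep what they have).
class-map type control subscriber match-all AAA-SVR-DOWN-AUTHD-HOST
 match result-type aaa-timeout
 match authorization-status authorized
! Sessions currently holding the critical template, and those that are not.
class-map type control subscriber match-all IN-CRITICAL-AUTH
 match activated-service-template CRITICAL-ACCESS
class-map type control subscriber match-none NOT-IN-CRITICAL-AUTH
 match activated-service-template CRITICAL-ACCESS
! A real 802.1X reject from a live server (fall through to MAB as in the thread's port config).
class-map type control subscriber match-all DOT1X-FAILED
 match method dot1x
 match result-type method dot1x authoritative
!
policy-map type control subscriber DOT1X-MAB-CRITICAL
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x retries 2 retry-time 0 priority 10
 event authentication-failure match-first
  10 class AAA-SVR-DOWN-UNAUTHD-HOST do-until-failure
   10 activate service-template CRITICAL-ACCESS
   20 authorize
   30 pause reauthentication
  20 class AAA-SVR-DOWN-AUTHD-HOST do-until-failure
   10 pause reauthentication
   20 authorize
  30 class DOT1X-FAILED do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  40 class always do-until-failure
   10 terminate dot1x
   20 terminate mab
   30 authentication-restart 60
 event aaa-available match-all
  10 class IN-CRITICAL-AUTH do-until-failure
   10 clear-session
  20 class NOT-IN-CRITICAL-AUTH do-until-failure
   10 resume reauthentication
!
! Port in open mode with the pre-auth ACL, equivalent to the thread's port config.
interface GigabitEthernet1/0/1
 switchport access vlan 77
 switchport mode access
 switchport voice vlan 777
 ip access-group ACL-DEFAULT in
 access-session host-mode multi-domain
 access-session port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 service-policy type control subscriber DOT1X-MAB-CRITICAL
```

Unlike the EEM approach, this acts per session: a host that is already authorized when ISE dies keeps the authorization it has, a host that times out against a DEAD server gets ACL-CRITICAL in place of ACL-DEFAULT, and when a server comes back (event aaa-available) sessions holding the critical template are cleared and re-authenticate. Check server state with "show aaa servers" and the ACL or template applied to a port with "show access-session interface GigabitEthernet1/0/1 details". Expect a delay for the first hosts after an outage, since the switch only declares a server DEAD after the dead-criteria above (and the RADIUS timeout and retransmit settings) have elapsed.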

 

 

Thanks, I had not seen that this feature was already available; I will have to try this new service template configuration style soon.

The link doesn't work anymore. Can you please update the link?

Thanks.

Here is the script I am using. It works well every time.

! IP SLA 1: ICMP probe to one ISE node every 3 seconds with a 1-second timeout.
! Note that only 10.0.0.6 is probed, while the ACL below permits three ISE nodes;
! the ACL is removed whenever this single node stops answering.
ip sla 1
 icmp-echo 10.0.0.6
 threshold 250
 timeout 1000
 frequency 3
ip sla schedule 1 life forever start-time now
ip sla enable reaction-alerts
!
! Track 1 follows the probe: down after 3 seconds of failure, back up only after
! 30 seconds of continuous success, so a brief blip does not flap the ACL.
track 1 ip sla 1 reachability
 delay down 3 up 30
!
! Local username under which the EEM applets run their CLI commands.
event manager session cli username My-Login
!
! ISE unreachable: delete the pre-auth ACL. An "ip access-group" that references
! an ACL that no longer exists permits all traffic, so clients keep network access.
event manager applet ISE_DOWN
 event track 1 state down
 action 1.0 cli command "enable"
 action 1.5 cli command "config t"
 action 2.0 cli command "no ip access-list extended Radius"
 action 3.0 cli command "end"
!
! ISE reachable again: rebuild the pre-auth ACL (DHCP, DNS, ICMP and the listed
! TCP/UDP ports on each ISE node), then save the configuration.
event manager applet ISE_UP
 event track 1 state up
 action 1.0 cli command "enable"
 action 1.5 cli command "config t"
 action 2.0 cli command "ip access-list extended Radius"
 action 2.1 cli command "10 permit udp any eq bootpc any eq bootps"
 action 2.2 cli command "20 permit udp any any eq domain"
 action 2.3 cli command "30 permit icmp any any"
 action 2.4 cli command "40 permit tcp any host 10.0.0.6 eq 8443"
 action 2.5 cli command "50 permit tcp any host 10.0.0.6 eq 443"
 action 2.6 cli command "60 permit tcp any host 10.0.0.6 eq www"
 action 2.7 cli command "70 permit tcp any host 10.0.0.6 eq 815"
 action 2.8 cli command "80 permit tcp any host 10.0.0.6 eq 819"
 action 2.9 cli command "90 permit udp any host 10.0.0.6 eq 815"
 action 3.0 cli command "100 permit udp any host 10.0.0.6 eq 819"
 action 3.1 cli command "110 permit tcp any host 10.0.0.8 eq 8443"
 action 3.2 cli command "120 permit tcp any host 10.0.0.8 eq 443"
 action 3.3 cli command "130 permit tcp any host 10.0.0.8 eq www"
 action 3.4 cli command "140 permit tcp any host 10.0.0.8 eq 815"
 action 3.5 cli command "150 permit tcp any host 10.0.0.8 eq 819"
 action 3.6 cli command "160 permit udp any host 10.0.0.8 eq 815"
 action 3.7 cli command "170 permit udp any host 10.0.0.8 eq 819"
 action 3.8 cli command "180 permit tcp any host 10.0.0.10 eq 8443"
 action 3.9 cli command "190 permit tcp any host 10.0.0.10 eq 443"
 action 4.0 cli command "200 permit tcp any host 10.0.0.10 eq www"
 action 4.1 cli command "210 permit tcp any host 10.0.0.10 eq 815"
 action 4.2 cli command "220 permit tcp any host 10.0.0.10 eq 819"
 action 4.3 cli command "230 permit udp any host 10.0.0.10 eq 815"
 action 4.4 cli command "240 permit udp any host 10.0.0.10 eq 819"
 action 4.5 cli command "500 deny ip any any"
 action 4.6 cli command "end"
 action 4.7 cli command "write memory"
