07-07-2015 02:08 PM - edited 03-10-2019 10:53 PM
We are running Cisco ISE 1.4 with machine authentication only and recently had a power outage for about 6 hours. When the UPS batteries that the ISE servers are connected to drained, none of the computers could connect to anything. The NICs on the computers showed an error of Authentication Failed. We have "Fallback to unauthorized network access" selected on every computer. Is there a way to allow all the computers to have access to the network and internet as usual when the ISE servers are down?
The port config is below:
switchport access vlan 77
switchport mode access
switchport voice vlan 777
ip access-group ACL-DEFAULT in
authentication event fail action next-method
authentication event server dead action authorize vlan 77
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity 180
authentication violation restrict
mab
no snmp trap link-status
auto qos voip cisco-phone
dot1x pae authenticator
dot1x timeout tx-period 10
qos trust device cisco-phone
spanning-tree portfast
spanning-tree bpduguard enable
service-policy input AutoQos-VoIP-Input-Cos-Policy
service-policy output AutoQos-VoIP-Output-Policy
07-08-2015 02:20 AM
You need to use an EEM script to change the IP access list you have assigned to the interface to something with "permit ip any any" in it.
"authentication event server dead action authorize vlan 77" will only work in closed-mode configurations, which don't use a pre-auth ACL.
07-27-2015 07:41 AM
Thanks Jan, that worked. I finally figured out how to use EEM with IP SLA and I have the switches monitor the ISE boxes. When an ISE box goes down, the ACLs are removed so the users can still get access to the network.
07-27-2015 08:10 AM
That's great to hear. Maybe you could post your config for these EEM scripts, so others can find this information?
Just FYI, you could also monitor the local log events on the switch, which will also contain some information about the state of the RADIUS servers (DEAD vs. ALIVE).
07-27-2015 09:25 AM
When I get back in the office I will post the script.
Monitoring the RADIUS servers (DEAD vs. ALIVE) was not fast enough and not accurate enough. That was one of many options I tried.
07-27-2015 09:28 AM
That's great. I know a lot of people probably think this just works when you have the "authentication event server dead action authorize vlan xx" command in there, so the more threads where the right solution is, the better. Maybe if we're lucky someday Cisco will have an "authentication event server dead action authorize acl xxx" command for this :-)
07-27-2015 11:03 AM
You can use the critical ACL feature on the switches, which provides permit-all access when the RADIUS servers are unavailable.
More info at the link below:
http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-services/whitepaper_C11-729965.html#_Toc404649488
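The critical ACL approach referred to above, written out as an added example for readers of this thread. This is not the poster's configuration and is not copied from the linked whitepaper; it follows the IBNS 2.0 (new-style, `access-session`) critical-authentication model, which the legacy `authentication ...` interface commands in the original question would have to be converted to. The template, class-map, policy-map and ACL names (CRITICAL_AUTH_ACCESS, ACL-CRITICAL, AAA-SVR-DOWN-*, PMAP-DOT1X-MAB) and the interface are assumed placeholders; VLAN 77 and ACL-DEFAULT come from the port config in the question.

```cisco
! Added example, not the poster's config: fail open with a critical ACL only
! while every RADIUS server is marked dead, and re-authenticate when one returns.
!
! Mark servers dead quickly (5 s / 3 tries) and keep them dead for 5 minutes
! before probing again, so the critical policy actually fires during an outage.
radius-server dead-criteria time 5 tries 3
radius-server deadtime 5
!
! The "critical ACL": replaces the pre-auth ACL-DEFAULT for the session while
! AAA is unreachable. Permit-all is the fail-open equivalent of the EEM trick.
ip access-list extended ACL-CRITICAL
 permit ip any any
!
! Service template that carries the critical ACL (assumed name)
service-template CRITICAL_AUTH_ACCESS
 access-group ACL-CRITICAL
!
! Match "authentication failed because AAA timed out", split by whether the
! host already had an authorized session when the servers died.
class-map type control subscriber match-all AAA-SVR-DOWN-UNAUTHD-HOST
 match result-type aaa-timeout
 match authorization-status unauthorized
class-map type control subscriber match-all AAA-SVR-DOWN-AUTHD-HOST
 match result-type aaa-timeout
 match authorization-status authorized
!
policy-map type control subscriber PMAP-DOT1X-MAB
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x priority 10
 event authentication-failure match-first
  ! New host, servers dead: apply the critical ACL and authorize the port
  10 class AAA-SVR-DOWN-UNAUTHD-HOST do-until-failure
   10 activate service-template CRITICAL_AUTH_ACCESS
   20 authorize
   30 pause reauthentication
  ! Already-authorized host, servers dead: keep its session, stop reauth
  20 class AAA-SVR-DOWN-AUTHD-HOST do-until-failure
   10 pause reauthentication
   20 authorize
  ! Any other dot1x failure: fall through to MAB, as the original order did
  30 class always do-until-failure
   10 authenticate using mab priority 20
 ! When a server comes back, clear the session so the host re-authenticates
 ! against ISE and the permit-all template is removed.
 event aaa-available match-all
  10 class always do-until-failure
   10 clear-session
!
interface GigabitEthernet1/0/1
 switchport access vlan 77
 switchport mode access
 switchport voice vlan 777
 ip access-group ACL-DEFAULT in
 access-session host-mode multi-domain
 access-session port-control auto
 mab
 dot1x pae authenticator
 service-policy type control subscriber PMAP-DOT1X-MAB
```

The difference from the VLAN-based `authentication event server dead action authorize vlan 77` is that the critical action here is an ACL override, which is what an open-mode port with a pre-auth ACL needs; the `aaa-available` event is what removes the permit-all once ISE answers again, so the window of unauthenticated access lasts only as long as the outage plus the configured deadtime.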
07-27-2015 11:09 AM
Thanks, I had not seen that this feature was already available; I will have to try this new service template configuration style soon.
02-10-2020 02:37 AM
The link doesn't work anymore. Can you please update the link?
Thanks.
09-09-2015 09:18 AM
Here is the script I am using. It works well every time.
ip sla 1
icmp-echo 10.0.0.6
threshold 250
timeout 1000
frequency 3
ip sla schedule 1 life forever start-time now
ip sla enable reaction-alerts
track 1 ip sla 1 reachability
delay down 3 up 30
event manager applet ISE_DOWN
event syslog pattern "1 ip sla 1 reachability Up->Down"
action 1.0 cli command "enable"
action 1.5 cli command "config t"
action 2.0 cli command "no ip access-list extended Radius"
action 3.0 cli command "end"
action 3.5 cli command "who"
event manager session CLI username My-Login
event manager applet ISE_UP
event syslog pattern "1 ip sla 1 reachability Down->Up"
action 1.0 cli command "enable"
action 1.5 cli command "config t"
action 2.0 cli command "IP Access-list extended Radius"
action 2.1 cli command "10 permit udp any eq bootpc any eq bootps"
action 2.2 cli command "20 permit udp any any eq domain"
action 2.3 cli command "30 permit icmp any any"
action 2.4 cli command "40 permit tcp any host 10.0.0.6 eq 8443"
action 2.5 cli command "50 permit tcp any host 10.0.0.6 eq 443"
action 2.6 cli command "60 permit tcp any host 10.0.0.6 eq www"
action 2.7 cli command "70 permit tcp any host 10.0.0.6 eq 815"
action 2.8 cli command "80 permit tcp any host 10.0.0.6 eq 819"
action 2.9 cli command "90 permit udp any host 10.0.0.6 eq 815"
action 3.0 cli command "100 permit udp any host 10.0.0.6 eq 819"
action 3.1 cli command "110 permit tcp any host 10.0.0.8 eq 8443"
action 3.2 cli command "120 permit tcp any host 10.0.0.8 eq 443"
action 3.3 cli command "130 permit tcp any host 10.0.0.8 eq www"
action 3.4 cli command "140 permit tcp any host 10.0.0.8 eq 815"
action 3.5 cli command "150 permit tcp any host 10.0.0.8 eq 819"
action 3.6 cli command "160 permit tcp any host 10.0.0.8 eq 819"
action 3.7 cli command "170 permit udp any host 10.0.0.8 eq 819"
action 3.8 cli command "180 permit tcp any host 10.0.0.10 eq 8443"
action 3.9 cli command "190 permit tcp any host 10.0.0.10 eq 443"
action 4.0 cli command "200 permit tcp any host 10.0.0.10 eq www"
action 4.1 cli command "210 permit tcp any host 10.0.0.10 eq 815"
action 4.2 cli command "220 permit tcp any host 10.0.0.10 eq 819"
action 4.3 cli command "230 permit udp any host 10.0.0.10 eq 815"
action 4.4 cli command "240 permit udp any host 10.0.0.10 eq 819"
action 4.5 cli command "500 deny ip any any"
action 4.6 cli command "end"
action 4.7 cli command "wri"
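The script above pings a single PSN (10.0.0.6) even though the restored ACL lists three (10.0.0.6, 10.0.0.8, 10.0.0.10), so the port fails open whenever that one box is unreachable while the other two could still authenticate. The following is an added example, not the poster's script, that extends the same IP SLA plus EEM approach to all three PSNs and opens the ACL only when every one of them is down; it also adds and removes a single permit-all entry instead of deleting and retyping the whole ACL. The applet names and the syslog messages are assumed; the ACL name "Radius", the addresses and the timers come from the posted script.

```cisco
! Added example (not the poster's script): fail open only when ALL PSNs are
! unreachable, using a boolean-OR track list and EEM "event track" triggers.
!
! One ICMP probe per PSN, same thresholds as the posted script
ip sla 1
 icmp-echo 10.0.0.6
 threshold 250
 timeout 1000
 frequency 3
ip sla 2
 icmp-echo 10.0.0.8
 threshold 250
 timeout 1000
 frequency 3
ip sla 3
 icmp-echo 10.0.0.10
 threshold 250
 timeout 1000
 frequency 3
ip sla schedule 1 life forever start-time now
ip sla schedule 2 life forever start-time now
ip sla schedule 3 life forever start-time now
!
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
track 3 ip sla 3 reachability
!
! Boolean OR: Up while at least one PSN answers, Down only when none do.
! The down delay rides out short blips; the up delay gives ISE time to be
! fully back before the port is closed again.
track 10 list boolean or
 object 1
 object 2
 object 3
 delay down 10 up 30
!
event manager session cli username My-Login
!
! All PSNs gone: insert a permit-all at sequence 1, ahead of every existing
! entry, so the pre-auth ACL stays defined but no longer blocks anything.
event manager applet ISE_ALL_DOWN
 event track 10 state down
 action 1.0 syslog priority warnings msg "All ISE PSNs unreachable, opening pre-auth ACL Radius"
 action 2.0 cli command "enable"
 action 2.1 cli command "configure terminal"
 action 2.2 cli command "ip access-list extended Radius"
 action 2.3 cli command "1 permit ip any any"
 action 2.4 cli command "end"
!
! At least one PSN back: remove only the permit-all entry; the original
! DHCP/DNS/ISE-portal entries were never deleted, so nothing has to be retyped.
event manager applet ISE_ANY_UP
 event track 10 state up
 action 1.0 syslog priority notifications msg "ISE PSN reachable again, closing pre-auth ACL Radius"
 action 2.0 cli command "enable"
 action 2.1 cli command "configure terminal"
 action 2.2 cli command "ip access-list extended Radius"
 action 2.3 cli command "no 1"
 action 2.4 cli command "end"
```

Two things worth checking when adapting this: ICMP reachability only proves the host is up, not that the RADIUS service is answering, so the switch's own DEAD/ALIVE state (or a RADIUS test probe) remains the authoritative signal for whether authentication can succeed; and the `1 permit ip any any` entry should be verified with `show ip access-lists Radius` after a forced failover, because a leftover entry means the port stays open after the outage.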