We are running Cisco ISE 1.4 with machine authentication only and recently had a power outage for about 6 hours. When the UPS batteries that the ISE servers are connected to drained, none of the computers could connect to anything. The NICs on the computers had an error of Authentication Failed. We have "Fallback to unauthorized network access" selected on every computer. Is there a way to allow all the computers to have access to the network and internet as usual when the ISE servers are down?
The port config is below:
switchport access vlan 77
switchport mode access
switchport voice vlan 777
ip access-group ACL-DEFAULT in
authentication event fail action next-method
authentication event server dead action authorize vlan 77
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity 180
authentication violation restrict
mab
no snmp trap link-status
auto qos voip cisco-phone
dot1x pae authenticator
dot1x timeout tx-period 10
qos trust device cisco-phone
spanning-tree portfast
spanning-tree bpduguard enable
service-policy input AutoQos-VoIP-Input-Cos-Policy
service-policy output AutoQos-VoIP-Output-Policy
You need to use some EEM script to change the ip access-list you have assigned to the interface, to something with "permit ip any any" in it.
"authentication event server dead action authorize vlan 77" will only work in closed mode configurations, which don't use a pre-auth acl.