Beginner

When ISE goes down, none of the computers can get to Internet or network shares.

We are running Cisco ISE 1.4 with machine authentication only and recently had a power outage for about 6 hours. When the UPS batteries that the ISE servers are connected to drained, none of the computers could connect to anything. The NICs on the computers had an error of Authentication Failed. We have "Fallback to unauthorized network access" selected on every computer. Is there a way to allow all the computers to have access to the network and internet as usual when the ISE servers are down?

The port config is below:

 switchport access vlan 77
 switchport mode access
 switchport voice vlan 777
 ip access-group ACL-DEFAULT in
 authentication event fail action next-method
 authentication event server dead action authorize vlan 77
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer inactivity 180
 authentication violation restrict
 mab
 no snmp trap link-status
 auto qos voip cisco-phone
 dot1x pae authenticator
 dot1x timeout tx-period 10
 qos trust device cisco-phone
 spanning-tree portfast
 spanning-tree bpduguard enable
 service-policy input AutoQos-VoIP-Input-Cos-Policy
 service-policy output AutoQos-VoIP-Output-Policy

1 ACCEPTED SOLUTION
Rising star

You need to use some EEM script to change the ip access-list you have assigned to the interface, to something with "permit ip any any" in it.

"authentication event server dead action authorize vlan 77" will only work in closed mode configurations, which don't use a pre-auth acl.

9 REPLIES
Beginner

Thanks Jan, that worked. I finally figured out how to use EEM with IP SLA and I have the switches monitor the ISE boxes. When an ISE box goes down, the ACLs are removed so the users can still get access to the network.

Rising star

That's great to hear; maybe you could post your config for these EEM scripts, so others can find this information?

Just FYI, you could also monitor the local log events on the switch, which will also contain some information about the state of the RADIUS servers (DEAD vs. ALIVE).

Beginner

When I get back in the office I will post the script.

Monitoring RADIUS servers (DEAD vs. ALIVE) was not fast enough and not accurate enough. That was one of many options I tried.

Rising star

That's great. I know a lot of people probably think this just works when you have the "authentication event server dead action authorize vlan xx" command in there, so the more threads where the right solution is, the better. Maybe if we're lucky someday Cisco will have an "authentication event server dead action authorize acl xxx" command for this :-)

Advocate

You can use the critical ACL feature on the switches, which provides permit-all access when the RADIUS servers are unavailable.

More info at the link below:

http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-services/whitepaper_C11-729965.html#_Toc404649488
Rising star

Thanks, I had not seen that this feature was already available; I will have to try this new service template configuration style soon.

Beginner

Re: you can use the critical acl

Link doesn't work anymore. Can you please update the link?

Thanks.

Beginner

Here is the script I am using. It works well every time.

! IP SLA ICMP probe to an ISE node; a track object turns its reachability
! into the syslog messages the two EEM applets key on.
! Only 10.0.0.6 is probed, while the ACL below references three ISE nodes,
! so this fails open whenever that one node is unreachable.
ip sla 1
 icmp-echo 10.0.0.6
 threshold 250
 timeout 1000
 frequency 3
ip sla schedule 1 life forever start-time now
ip sla enable reaction-alerts
!
! Declare down after 3 s, but wait 30 s before declaring up so ISE has
! finished starting its services before the ACL is put back.
track 1 ip sla 1 reachability
 delay down 3 up 30
!
! User account the EEM applets run their CLI commands under.
event manager session cli username My-Login
!
! ISE unreachable: delete the pre-auth ACL. With "authentication open" on the
! ports, removing it lets all traffic through regardless of auth state.
! The ACL is named Radius here; the port config earlier in this thread used
! ACL-DEFAULT, so use whichever name is applied with "ip access-group ... in".
event manager applet ISE_DOWN
 event syslog pattern "1 ip sla 1 reachability Up->Down"
 action 1.0 cli command "enable"
 action 1.5 cli command "config t"
 action 2.0 cli command "no ip access-list extended Radius"
 action 3.0 cli command "end"
 action 3.5 cli command "who"
!
! ISE reachable again: rebuild the pre-auth ACL (DHCP, DNS, ICMP, and the
! web/portal ports on each ISE node), then deny everything else.
! Sequence numbers 90 and 190 were posted as "1" and "11", and entry 160 was
! posted as a duplicate of 150; all three are corrected below to follow the
! pattern of the other entries.
event manager applet ISE_UP
 event syslog pattern "1 ip sla 1 reachability Down->Up"
 action 1.0 cli command "enable"
 action 1.5 cli command "config t"
 action 2.0 cli command "ip access-list extended Radius"
 action 2.1 cli command "10 permit udp any eq bootpc any eq bootps"
 action 2.2 cli command "20 permit udp any any eq domain"
 action 2.3 cli command "30 permit icmp any any"
 action 2.4 cli command "40 permit tcp any host 10.0.0.6 eq 8443"
 action 2.5 cli command "50 permit tcp any host 10.0.0.6 eq 443"
 action 2.6 cli command "60 permit tcp any host 10.0.0.6 eq www"
 action 2.7 cli command "70 permit tcp any host 10.0.0.6 eq 815"
 action 2.8 cli command "80 permit tcp any host 10.0.0.6 eq 819"
 action 2.9 cli command "90 permit udp any host 10.0.0.6 eq 815"
 action 3.0 cli command "100 permit udp any host 10.0.0.6 eq 819"
 action 3.1 cli command "110 permit tcp any host 10.0.0.8 eq 8443"
 action 3.2 cli command "120 permit tcp any host 10.0.0.8 eq 443"
 action 3.3 cli command "130 permit tcp any host 10.0.0.8 eq www"
 action 3.4 cli command "140 permit tcp any host 10.0.0.8 eq 815"
 action 3.5 cli command "150 permit tcp any host 10.0.0.8 eq 819"
 action 3.6 cli command "160 permit udp any host 10.0.0.8 eq 815"
 action 3.7 cli command "170 permit udp any host 10.0.0.8 eq 819"
 action 3.8 cli command "180 permit tcp any host 10.0.0.10 eq 8443"
 action 3.9 cli command "190 permit tcp any host 10.0.0.10 eq 443"
 action 4.0 cli command "200 permit tcp any host 10.0.0.10 eq www"
 action 4.1 cli command "210 permit tcp any host 10.0.0.10 eq 815"
 action 4.2 cli command "220 permit tcp any host 10.0.0.10 eq 819"
 action 4.3 cli command "230 permit udp any host 10.0.0.10 eq 815"
 action 4.4 cli command "240 permit udp any host 10.0.0.10 eq 819"
 action 4.5 cli command "500 deny ip any any"
 action 4.6 cli command "end"
 action 4.7 cli command "wri"