Access with ISE server dead

andre.ortega
Spotlight

Hello there,
I'd like to know how to give access to users when ISE is dead.
I'm asking because I'm using a pre-authentication ACL, so even with the command authentication event server dead action authorize vlan XX the access will be limited, won't it?

My pre authentication acl allow access only to ISE, DNS and DHCP requests.

 

Regards.


6 Replies

nspasov
Cisco Employee

Hi Andre-

Can you tell me:

- Model of switches used

- Version of code running

- Image running (IP Base, IP Services, etc)

 

Thank you for rating helpful posts!

You could use a preauth ACL of 'permit ip any any'. As long as ISE is functioning it can assign a tailored dynamic ACL for an 802.1X-enabled endpoint and another (more restrictive) ACL for nonresponsive (MAB) endpoints according to the authorization rules.

 

If the ISE fails, the authentication event server dead action authorize vlan command places the port into a suitable critical VLAN.


Hi Peter,

my pre-authentication ACL only allows access to ISE, DNS and DHCP requests.

If the ISE fails and I put the users on a critical VLAN, the ACL will still be limiting the access, right?

 

Hello Neno,

- Model of switches used: 2960

- Version of code running: 12.2(55)SE3

- Image running (IP Base, IP Services, etc): IP Base.

 

Andre-

I am afraid you don't have many options here. I have faced this problem before during my deployments. The problem is that ISE is needed in order to signal the switch to remove the pre-auth ACL by applying a dACL. However, since ISE is not available, the switch can authorize the endpoints to a VLAN, but now you need another method to remove the pre-auth ACL. In the past I have accomplished this via one of the following:

1. EEM script that re-configures the switch and sets the pre-auth ACL to "permit ip any any" (or removes the pre-auth ACL altogether) when/if the ISE servers become unavailable. I thought this feature required IP Services but looking at the following doc it looks like you could do it with IP Base too. I guess you can give it a try and see what happens :)

http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-software-releases-12-2-special-early-deployments/product_bulletin_c25-614546.html

eem script example:

http://www.alcatron.net/Cisco%20Live%202013%20Melbourne/Cisco%20Live%20Content/Security/BRKSEC-3040%20%20Advanced%20ISE%20and%20Secure%20Access%20Deployment.pdf

2. The second method requires a converged access switch (3850, 3650). Those switches can be configured with profiles where the pre-auth ACL can be replaced with a critical ACL in the event of an ISE outage.

I hope this helps!

 

Thank you for rating helpful posts!
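An EEM applet of the kind described in option 1 above, as an added example that is not part of the thread or of Cisco's documentation. The ACL name PREAUTH, the interface range and VLAN 99 are placeholders, and the RADIUS-4-RADIUS_DEAD / RADIUS-4-RADIUS_ALIVE syslog patterns are the IOS mnemonics for a RADIUS server being marked dead or alive; confirm the exact strings and EEM support on the actual image (2960, 12.2(55)SE3, IP Base) before relying on it.

```cisco
! Added example, not from the thread. Assumes a named extended ACL PREAUTH
! (placeholder) that permits only ISE, DNS and DHCP and ends in the implicit deny.
! Confirm the syslog mnemonics below and EEM support for your IOS image first.
!
! Port config: critical VLAN on ISE failure, re-auth when ISE returns.
interface range GigabitEthernet1/0/1 - 48
 authentication event server dead action authorize vlan 99
 authentication event server alive action reinitialize
 ip access-group PREAUTH in
!
! When a RADIUS server is marked dead, append a catch-all permit so hosts in
! the critical VLAN are not still blocked by the pre-auth ACL's implicit deny.
event manager applet ISE-DEAD-OPEN-PREAUTH
 event syslog pattern "RADIUS-4-RADIUS_DEAD"
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "ip access-list extended PREAUTH"
 action 4.0 cli command "permit ip any any"
 action 5.0 cli command "end"
 action 6.0 syslog priority warnings msg "ISE dead: PREAUTH opened (permit ip any any)"
!
! When the server is marked alive again, remove the catch-all so the pre-auth
! ACL is restrictive before ports reinitialize and receive their dACLs from ISE.
event manager applet ISE-ALIVE-RESTORE-PREAUTH
 event syslog pattern "RADIUS-4-RADIUS_ALIVE"
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "ip access-list extended PREAUTH"
 action 4.0 cli command "no permit ip any any"
 action 5.0 cli command "end"
 action 6.0 syslog priority warnings msg "ISE alive: PREAUTH restored"
```

With more than one ISE PSN configured, the DEAD pattern fires when the first server is marked dead, so the ACL is opened while the other node may still be reachable; if that fail-open is too early for your risk appetite, gate the applet on all configured servers being dead instead.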

Thanks Neno,

I'll try an EEM.
