Enthusiast

Access with ISE server dead

Hello there,
I'd like to know how to give users access when ISE is dead.
I'm asking because I'm using a pre-authentication ACL, so even with the command authentication event server dead action authorize vlan XX the access will still be limited, won't it?

My pre-authentication ACL allows access only to ISE, DNS and DHCP requests.

 

Regards.

Accepted Solution
Cisco Employee

Andre-

I am afraid you don't have many options here. I have faced this problem before during my deployments. The problem is that ISE is needed in order to signal the switch to remove the pre-auth ACL by applying a dACL. However, since ISE is not available, the switch can authorize the endpoints to a VLAN, but you then need another method to remove the pre-auth ACL. In the past I have accomplished this via one of the following:

1. EEM script that re-configures the switch and sets the pre-auth ACL to "permit ip any any" (or removes the pre-auth ACL altogether) when/if the ISE servers become unavailable. I thought this feature required IP Services, but looking at the following doc it looks like you could do it with IP Base too. I guess you can give it a try and see what happens :)

http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-software-releases-12-2-special-early-deployments/product_bulletin_c25-614546.html

eem script example:

http://www.alcatron.net/Cisco%20Live%202013%20Melbourne/Cisco%20Live%20Content/Security/BRKSEC-3040%20%20Advanced%20ISE%20and%20Secure%20Access%20Deployment.pdf

2. The second method requires a converged access switch (3850, 3650). Those switches can be configured with profiles where the pre-auth ACL can be replaced with a critical ACL in the event of an ISE outage. 

I hope this helps!

 

Thank you for rating helpful posts!
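An added illustration of the two mechanisms the accepted answer combines (critical-VLAN authorization on the port plus an EEM applet that opens the pre-auth ACL when the RADIUS server is marked dead, and a companion applet that closes it again). This is not the script from the thread or from the linked deck; the ACL name PRE-AUTH, the ISE address 192.0.2.10, VLAN 100 and the interface are placeholder assumptions.

```ios
! Added example, not the thread's or the linked deck's script.
! Assumptions: pre-auth ACL named PRE-AUTH, ISE node 192.0.2.10 (placeholder),
! critical VLAN 100, one access port shown. Confirm the RADIUS_DEAD/RADIUS_ALIVE
! syslog mnemonics on your IOS release before depending on them.
!
! 1. Pre-auth ACL as the question describes it: ISE, DNS and DHCP only.
ip access-list extended PRE-AUTH
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit ip any host 192.0.2.10
 deny ip any any
!
! 2. Dead-server detection and critical-VLAN fallback on the port.
dot1x system-auth-control
radius-server dead-criteria time 10 tries 3
radius-server deadtime 15
interface GigabitEthernet0/1
 ip access-group PRE-AUTH in
 authentication port-control auto
 authentication event server dead action authorize vlan 100
 authentication event server alive action reinitialize
 dot1x pae authenticator
!
! 3. When IOS marks the RADIUS server dead, insert "permit ip any any" at
!    sequence 1 so it shadows the restrictive entries without deleting them
!    (default named-ACL numbering starts at 10, so sequence 1 is free).
event manager applet ISE-DEAD
 event syslog pattern "RADIUS-4-RADIUS_DEAD"
 action 1.0 cli command "enable"
 action 1.1 cli command "configure terminal"
 action 1.2 cli command "ip access-list extended PRE-AUTH"
 action 1.3 cli command "1 permit ip any any"
 action 1.4 cli command "end"
 action 1.5 syslog priority warnings msg "ISE dead: PRE-AUTH opened"
!
! 4. Remove the override once the server is alive again, so the open
!    ACL does not outlive the outage.
event manager applet ISE-ALIVE
 event syslog pattern "RADIUS-4-RADIUS_ALIVE"
 action 1.0 cli command "enable"
 action 1.1 cli command "configure terminal"
 action 1.2 cli command "ip access-list extended PRE-AUTH"
 action 1.3 cli command "no 1"
 action 1.4 cli command "end"
 action 1.5 syslog priority notifications msg "ISE alive: PRE-AUTH restored"
```

With more than one ISE node the RADIUS_DEAD message is emitted per server, so the applet as written opens the ACL when the first node is marked dead; gating on all nodes being dead needs additional state in the applet.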

6 Replies
Cisco Employee

Hi Andre-

Can you tell me:

- Model of switches used

- Version of code running

- Image running (IP Base, IP Services, etc)

 

Thank you for rating helpful posts!

Contributor

You could use a preauth ACL of 'permit ip any any'. As long as ISE is functioning, it can assign a tailored dynamic ACL for an 802.1X-enabled endpoint and another (more restrictive) ACL for a nonresponsive (MAB) endpoint according to the authorization rules.

 

If the ISE fails, the authentication event server dead action authorize vlan command places the port into a suitable critical VLAN.

 

 

Enthusiast

Hi Peter,

my pre-authentication ACL only allows access to ISE, DNS and DHCP requests.

If the ISE fails and I put the users on a critical VLAN, the ACL will still limit the access, right?

 

Enthusiast

Hello Neno,

- Model of switches used: 2960

- Version of code running: 12.2(55)SE3

- Image running (IP Base, IP Services, etc): IP Base.

 

Enthusiast

Thanks Neno,

I'll try an EEM.