02-12-2015 05:08 AM - edited 03-10-2019 10:26 PM
Hello there,
I'd like to know how to give access to users when ISE is dead.
I'm asking because I'm using a pre-authentication ACL, so even with the command authentication event server dead action authorize vlan XX the access will be limited, won't it?
My pre authentication acl allow access only to ISE, DNS and DHCP requests.
Regards.
02-18-2015 06:31 PM
Andre-
I am afraid you don't have many options here. I have faced this problem before during my deployments. The problem is that ISE is needed in order to signal the switch to remove the pre-auth ACL by applying a dACL. However, since ISE is not available, the switch can authorize the endpoints to a VLAN, but now you need another method to remove the pre-auth ACL. In the past I have accomplished this via one of the following:
1. EEM script that re-configures the switch and sets the pre-auth ACL to "permit ip any any" (or removes the pre-auth ACL altogether) when/if the ISE servers become unavailable. I thought this feature required IP Services, but looking at the following doc it looks like you could do it with IP Base too. I guess you can give it a try and see what happens :)
eem script example:
2. The second method requires a converged access switch (3850, 3650). Those switches can be configured with profiles where the pre-auth ACL can be replaced with a critical ACL in the event of an ISE outage.
I hope this helps!
Thank you for rating helpful posts!
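The first approach above (EEM rewriting the pre-auth ACL when the RADIUS servers are marked dead), together with the "permit ip any any" plus dACL idea raised later in the thread, as an added example configuration. This is not the script the poster linked and not Cisco's own documentation; the ACL name PRE-AUTH, critical VLAN 99, the placeholder ISE address 192.0.2.10, the FastEthernet port range and the exact syslog patterns are all assumptions to be checked against your switch and its own log messages.

```cisco
! Added example, not the poster's script. Names and addresses are assumed.
! Pre-auth ACL: before authorization only DHCP, DNS and the ISE node are reachable.
! No explicit "deny ip any any" so a "permit ip any any" appended later takes effect.
ip access-list extended PRE-AUTH
 remark constructed example: restrict unauthenticated hosts to DHCP, DNS and ISE
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit ip any host 192.0.2.10
!
! Mark ISE dead after 3 unanswered tries within 10 s, hold it dead 15 min
radius-server dead-criteria time 10 tries 3
radius-server deadtime 15
!
interface range FastEthernet0/1 - 24
 ip access-group PRE-AUTH in
 authentication event server dead action authorize vlan 99
 authentication event server alive action reinitialize
!
! IOS logs %RADIUS-4-RADIUS_DEAD when it marks a server dead (assumed pattern);
! open the pre-auth ACL so hosts on the critical VLAN can actually work.
event manager applet ISE-DEAD
 event syslog pattern "RADIUS-4-RADIUS_DEAD"
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "ip access-list extended PRE-AUTH"
 action 4.0 cli command "permit ip any any"
 action 5.0 cli command "end"
 action 6.0 syslog msg "ISE-DEAD: PRE-AUTH ACL opened (fail-open) until RADIUS recovers"
!
! %RADIUS-4-RADIUS_ALIVE (assumed pattern) is logged when a server answers again;
! remove the fail-open entry so new sessions are restricted until ISE authorizes them.
event manager applet ISE-ALIVE
 event syslog pattern "RADIUS-4-RADIUS_ALIVE"
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "ip access-list extended PRE-AUTH"
 action 4.0 cli command "no permit ip any any"
 action 5.0 cli command "end"
 action 6.0 syslog msg "ISE-ALIVE: PRE-AUTH ACL restored, sessions reinitialize via ISE"
```

Two things to check before relying on this. The syslog trigger fires once per RADIUS server, so with more than one ISE node the ISE-DEAD applet opens the ACL as soon as the first node is marked dead while the other may still be authorizing ports; gate the applet on the condition you actually mean (all configured servers dead) or point it at a single server's message. Second, the applets change the running configuration, so the open state survives until ISE-ALIVE runs; both syslog messages from the applets are worth forwarding to your log collector so a fail-open window is visible after the fact.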
02-13-2015 05:07 PM
Hi Andre-
Can you tell me:
- Model of switches used
- Version of code running
- Image running (IP Base, IP Services, etc)
Thank you for rating helpful posts!
02-15-2015 08:58 AM
You could use a preauth ACL of 'permit ip any any'. As long as ISE is functioning it can assign a tailored dynamic ACL for both a 802.1X-enabled endpoint and another (more restrictive) ACL for nonresponsive (MAB) endpoint according to the authorization rules.
If the ISE fails, the authentication event server dead action authorize vlan command places the port into a suitable critical VLAN.
02-18-2015 02:55 PM
Hi Peter,
my pre-authentication ACL only allows access to ISE, DNS and DHCP requests.
If the ISE fails and I put the users on a critical VLAN, the ACL will still be limiting the access, right?
02-18-2015 03:18 PM
Hello Neno,
- Model of switches used: 2960
- Version of code running: 12.2(55)SE3
- Image running (IP Base, IP Services, etc): IP Base.
02-19-2015 07:18 AM
Thanks Neno,
I'll try an EEM.