Beginner

Critical auth and restrictive access-list

I'm just playing about with ISE 1.1.4 and critical auth, but I have a fairly locked down default access list on the ports. Is there any way of overriding a very restrictive default access list in the event of a critical auth situation?

It seems that if you're reliant on dACLs to provide access for devices (from closed mode or similar), critical auth is not a viable option?

Or have I misunderstood, and maybe "authentication event server dead action authorize voice" does more than I'm expecting.

I suppose I'm searching for something like "authentication event server dead action access-list less-restrictiveACL"

Thanks,

Gaz

Accepted Solution
Enthusiast

Critical auth and restrictive access-list

Why not flip it on its head and have your less-restrictive-ACL as the default, and impose the more restrictive things via dACL?


6 Replies

Beginner

Re: Critical auth and restrictive access-list

Yeah, considered that; it just leaves things a bit open until auth is completed. Not a massive threat, but "tangible", as the bullsh1t bingo crew would say :-)


Enthusiast

Re: Critical auth and restrictive access-list

Not really; if you're doing .1X then the ACL doesn't come to life until after 1X has completed...


Beginner

Re: Critical auth and restrictive access-list

See your point. So for closed mode I'm happy that I don't really need any control at all in my default ACL.

If I'm working in low impact mode, so open auth and a fairly tight default access list, if my ISE server falls over, I'm stuck with the restrictions of my default ACL.

If on the other hand, in low impact mode, I'm worried about my ISE falling over, so I have a slack default access list; if a client doesn't have dot1x, they will have 45 seconds or so until dot1x fails over to MAB, during which they can take advantage of my slack access list. Then they get a dACL applied (or whatever MAB gets them to).

I'm guessing, if I'm worried about ISE dying I need to be in closed mode so that it can fail open.

Phew... Make any sense?


Enthusiast

Re: Critical auth and restrictive access-list

That does make sense, yes.

What you could also do is:

Get rid of the default ACL

Change the default VLAN to a semi-isolated network segment to keep your security paranoid guys happy

Use CoA from ISE to assign all VLANs, regardless of MAB or 1X auth

In the event of a failure, fail open to a different VLAN that has the amount of access you need.
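As an added illustration of this reply together with the accepted answer (not configuration from the original thread), the IOS fragment below combines the two ideas: a permissive port ACL that the ISE dACL tightens per session, and a segmented critical VLAN that new sessions land in when every RADIUS server has been marked dead. The server addresses, shared-secret placeholder, VLAN numbers, ACL names, probe user and the sample dACL are all assumptions; the command syntax is the classic IOS 15.x `authentication` style that the switches of the thread's era used.

```cisco
! --- Dead-server detection (assumed addresses and secret) ---
! A server that leaves 3 requests unanswered within 5 s is marked dead and
! stays dead for 10 min unless the test probe gets an answer sooner, which
! is what raises %RADIUS-4-RADIUS_ALIVE again.
radius-server dead-criteria time 5 tries 3
radius-server deadtime 10
radius-server host 10.1.1.11 auth-port 1812 acct-port 1813 test username radius-probe idle-time 5 key <shared-secret>
radius-server host 10.1.1.12 auth-port 1812 acct-port 1813 test username radius-probe idle-time 5 key <shared-secret>

! --- Permissive baseline ACL, tightened per session by the ISE dACL ---
! The entries an endpoint needs before (or without) a dACL come first; the
! closing "permit ip any any" is the fail-open the original question asks for.
ip access-list extended ACL-DEFAULT
 remark bootstrap traffic
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit ip any any

! --- Critical (fail-open) VLAN: reachable, but segmented from the rest ---
vlan 999
 name CRITICAL-AUTH

interface GigabitEthernet1/0/1
 description low-impact-mode user port
 switchport mode access
 switchport access vlan 100
 switchport voice vlan 200
 ip access-group ACL-DEFAULT in
 authentication host-mode multi-domain
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 ! While all servers are dead, new data sessions are authorised into VLAN 999
 ! and the phone keeps its voice VLAN instead of being dropped.
 authentication event server dead action authorize vlan 999
 authentication event server dead action authorize voice
 ! Once a server answers again, critically-authorised sessions are
 ! reinitialised so they re-authenticate and receive their real dACL.
 authentication event server alive action reinitialize
 mab
 dot1x pae authenticator
 ! 3 EAP requests x 10 s = roughly 30 s before a non-dot1x host falls to MAB
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 spanning-tree portfast
 spanning-tree bpduguard enable

! --- Sample dACL as entered in ISE (assumed) ---
! Returned in the Access-Accept, it replaces ACL-DEFAULT for that session
! only, so the restriction lives in the authorization result, not on the port.
! permit udp any eq bootpc any eq bootps
! permit udp any any eq domain
! permit tcp any host 10.1.2.50 eq 443
! deny ip any any
```

With this layout a port never gets stricter than ACL-DEFAULT when ISE is unreachable, and never looser than the dACL when it is; the critical VLAN is what bounds the blast radius of the permissive baseline during an outage.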

Beginner

Critical auth and restrictive access-list

One method I use to fail open if all your PSNs are unavailable is to use EEM to monitor the switch syslog.

This script inserts a "permit ip any any" as the first line of the default ACL.

Hope this helps.

! Fail open: when the switch logs that every RADIUS server in the group is
! dead, insert "permit ip any any" at sequence 1 so it sits above every
! existing entry in the port ACL. Assumes the default port ACL is named
! ACL-DEFAULT and has no entry at sequence 1 already.
event manager applet default-acl-fallback
 event syslog pattern "%RADIUS-3-ALLDEADSERVER" maxrun 5
 action 1.0 cli command "enable"
 action 1.1 cli command "conf t" pattern "CNTL/Z."
 action 2.0 cli command "ip access-list extended ACL-DEFAULT"
 action 3.0 cli command "1 permit ip any any"
 action 4.0 cli command "end"
!
! Recover: as soon as one RADIUS server is marked alive again, remove the
! entry at sequence 1 (by sequence number) so the restrictive ACL is back in
! force. Ports whose sessions received no dACL while the servers were dead
! are restricted again immediately.
event manager applet default-acl-recovery
 event syslog pattern "%RADIUS-4-RADIUS_ALIVE" maxrun 5
 action 1.0 cli command "enable"
 action 1.1 cli command "conf t" pattern "CNTL/Z."
 action 2.0 cli command "ip access-list extended ACL-DEFAULT"
 action 3.0 cli command "no 1"
 action 4.0 cli command "end"