
Critical auth and restrictive access-list

bikespace
Level 1

I'm just playing about with ISE 1.1.4 and critical auth, but I have a fairly locked down default access list on the ports. Is there any way of overriding a very restrictive default access list in the event of a critical auth situation?

It seems like if you're reliant on dACLs to provide access for devices (from closed mode or similar) that the critical auth is not a viable option?

Or have I misunderstood, and maybe "authentication event server dead action authorize voice" does more than I'm expecting.

I suppose I'm searching for something like "authentication event server dead action access-list less-restrictiveACL"

Thanks,

Gaz

1 Accepted Solution

Richard Atkin
Level 4

Why not flip it on its head and have your less-restrictive-ACL as the default, and impose the more restrictive things via dACL?

6 Replies

Yeah, considered that, just leaves things a bit open until auth is completed. Not a massive threat but "tangible" as the bullsh1t bingo crew would say :-)

Sent from Cisco Technical Support iPhone App

Richard Atkin
Level 4

Not really, if you're doing .1X then the ACL doesn't come to life until after 1X has been completed...

Sent from Cisco Technical Support iPhone App

See your point. So for closed mode I'm happy that I don't really need any control at all in my default ACL.

If I'm working in low impact mode, so open auth and a fairly tight default access list, if my ISE server falls over, I'm stuck with the restrictions of my default ACL.

If on the other hand, in low impact mode I'm worried about my ISE falling over, so I have a slack default access list; if a client doesn't have dot1x, they will have 45 seconds or so until dot1x fails over to MAB, where they can take advantage of my slack access list. Then they get a dACL applied (or whatever MAB gets them to).

I'm guessing, if I'm worried about ISE dying I need to be in closed mode so that it can fail open.

Phew... Make any sense?

Sent from Cisco Technical Support iPhone App

That does make sense, yes.

What you could also do is:

Get rid of the default ACL

Change the default VLAN to a semi-isolated network segment to keep your security paranoid guys happy

Use CoA from ISE to assign all VLANs, regardless of MAB or 1X auth

In the event of a failure, fail open to a different VLAN that has the amount of access you need.

J. Aske
Level 1

One method I use to fail-open if all your PSNs are unavailable is to use the EEM to monitor the switch syslog.

This script inserts a "permit ip any any" on your first line of the default ACL.

Hope this helps.

! Applet 1: fires when the switch logs that every RADIUS server in the group is
! dead, and inserts a permit-any ACE at sequence 1 of ACL-DEFAULT so it is
! matched before the restrictive entries that follow it.
event manager applet default-acl-fallback
 event syslog pattern "%RADIUS-3-ALLDEADSERVER" maxrun 5
 action 1.0 cli command "enable"
 action 1.1 cli command "conf t" pattern "CNTL/Z."
 action 2.0 cli command "ip access-list extended ACL-DEFAULT"
 action 3.0 cli command "1 permit ip any any"
 action 4.0 cli command "end"
!
! Applet 2: fires when a RADIUS server is marked alive again and removes the
! sequence-1 permit-any ACE, restoring the original ACL-DEFAULT.
event manager applet default-acl-recovery
 event syslog pattern "%RADIUS-4-RADIUS_ALIVE" maxrun 5
 action 1.0 cli command "enable"
 action 1.1 cli command "conf t" pattern "CNTL/Z."
 action 2.0 cli command "ip access-list extended ACL-DEFAULT"
 action 3.0 cli command "no 1 permit ip any any"
 action 4.0 cli command "end"
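The following is an added example, not part of the thread and not Cisco's code: it replays constructed IOS syslog lines against a stand-in ACL-DEFAULT to show what the two applets above do to the ACL, in particular that only %RADIUS-3-ALLDEADSERVER (not a single %RADIUS-4-RADIUS_DEAD) opens the fallback, and that sequence 1 shadows the deny that follows. The ACE bodies, group name, addresses and timestamps are assumptions.

```python
import re

# Constructed stand-in for the switch's ACL-DEFAULT, keyed by sequence number.
# The thread never shows the real ACL body; these ACEs are assumed.
ACL_DEFAULT = {
    10: "permit udp any eq bootpc any eq bootps",
    20: "permit udp any any eq domain",
    30: "deny ip any any",
}
FALLBACK_SEQ = 1                  # sequence 1 is evaluated before every other ACE
FALLBACK_ACE = "permit ip any any"

# Only the all-servers-dead message opens the fallback; one dead server does not.
ALL_DEAD = re.compile(r"%RADIUS-3-ALLDEADSERVER")
ALIVE = re.compile(r"%RADIUS-4-RADIUS_ALIVE")

# Constructed syslog lines in IOS format (timestamps, addresses, group name made up).
SAMPLE_SYSLOG = [
    "Jan 10 10:00:01.123: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.0.0.10:1812,1813 is not responding.",
    "Jan 10 10:00:05.456: %RADIUS-3-ALLDEADSERVER: Group ISE-PSN: No active radius servers found.",
    "Jan 10 10:03:12.789: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.0.0.10:1812,1813 is being marked alive.",
]


def apply_syslog(lines, acl):
    """Replay syslog lines against a copy of acl the way the two applets would.

    Returns (acl_after, cli_lines), where cli_lines are the ACL-mode commands that
    would have been pushed. The membership checks make the replay idempotent when
    a message repeats (IOS itself simply overwrites sequence 1 on a repeat).
    """
    acl = dict(acl)
    cli = []
    for line in lines:
        if ALL_DEAD.search(line) and FALLBACK_SEQ not in acl:
            acl[FALLBACK_SEQ] = FALLBACK_ACE
            cli.append(f"{FALLBACK_SEQ} {FALLBACK_ACE}")
        elif ALIVE.search(line) and FALLBACK_SEQ in acl:
            del acl[FALLBACK_SEQ]
            cli.append(f"no {FALLBACK_SEQ} {FALLBACK_ACE}")
    return acl, cli


def render(acl):
    """Return the ACL as IOS would list it: ACEs in sequence order."""
    return [f"{seq} {ace}" for seq, ace in sorted(acl.items())]


if __name__ == "__main__":
    after, pushed = apply_syslog(SAMPLE_SYSLOG[:2], ACL_DEFAULT)
    print("\n".join(pushed) + "\n---\n" + "\n".join(render(after)))
```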
