02-15-2018 11:08 AM - edited 02-21-2020 10:45 AM
I want to understand the switchport or ISE config required so that if the switch cannot contact the ISE server, the authentication fails open.
I believe it's called Fail Open, but I want to make sure that if the ISE server is unreachable, the user still connects to the VLAN configured on the port.
Thanks
02-15-2018 12:35 PM
Hi Roger,
Try these interface level commands:
authentication event server dead action reinitialize vlan X
authentication event server dead action authorize voice
authentication event server alive action reinitialize
// You will need the global dead-time criteria set in order to detect a dead AAA server
radius-server dead-criteria time 3 tries 2
HTH
02-15-2018 01:03 PM
Thanks,
So to be clear
global command
radius-server dead-criteria time 3 tries 2
Wait 2 x 3 seconds before marking Radius Server as dead
Interface command
authentication event server dead action reinitialize vlan X
If Radius server is dead reinitialise the port into vlan X (Could be another VLAN or could be same access VLAN)
authentication event server dead action authorize voice
If Radius server is dead - allow voice vlan
authentication event server alive action reinitialize
When the Radius server comes online - reinitialize authentications
So if I have 2 RADIUS servers with the above configuration, it would try ISE 1 for 6 seconds, then ISE 2 for 6 seconds, and then reinitialize the port into the specified VLAN.
Thanks
03-05-2018 08:43 AM
03-07-2018 08:49 AM
Without "authentication event server alive action reinitialize" the endpoint will stay in critical auth until re-authenticated for some other reason. That command forces re-authentication when RADIUS server becomes available again.
For fail open, I have the following two commands:
authentication event server dead action authorize (if you don't put vlan X at the end here, it will fail-open to whatever vlan is configured on the port)
authentication event server dead action authorize voice
03-07-2018 08:56 AM
03-07-2018 11:03 AM
Absolutely, if a new host was connected to the port then there would be a new authentication event, and if the radius server is up at that point then the request would go to ISE. Or if you have a periodic re-authentication enabled then the old host would get re-authenticated when the timer expires. That command re-authenticates endpoints in critical auth when at least one RADIUS server becomes available.
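A defender's check that follows from the thread, as an added example that is not part of any post: a small Python audit that parses an IOS-style running-config (a constructed sample, not a real switch) and reports, per 802.1X port, which of the critical-auth commands discussed above are missing, including the "server alive action reinitialize" line that otherwise leaves hosts stuck in critical auth.

```python
import re

# Constructed sample config (not from the thread): port 1 complete, port 2 lacks "server alive".
SAMPLE_CONFIG = """\
radius-server dead-criteria time 3 tries 2
!
interface GigabitEthernet1/0/1
 authentication event server dead action authorize
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
!
interface GigabitEthernet1/0/2
 authentication event server dead action authorize vlan 999
 authentication event server dead action authorize voice
!
"""

# One regex per critical-auth piece; "dead_data" accepts both variants seen in the thread.
REQUIRED = {
    "dead_data": re.compile(r"^authentication event server dead action (authorize|reinitialize)( vlan \d+)?$"),
    "dead_voice": re.compile(r"^authentication event server dead action authorize voice$"),
    "alive": re.compile(r"^authentication event server alive action reinitialize$"),
}

def parse_interfaces(config: str) -> dict:
    """Return {interface name: [indented config lines]} from IOS-style text."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current:
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or a global command ends the interface block
    return interfaces

def audit_critical_auth(config: str) -> dict:
    """Per 802.1X port (any 'authentication event' line), list the missing pieces."""
    has_dead_criteria = any(l.startswith("radius-server dead-criteria") for l in config.splitlines())
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if not any(l.startswith("authentication event") for l in lines):
            continue  # no 802.1X on this port, nothing to audit
        missing = [key for key, rx in REQUIRED.items() if not any(rx.match(l) for l in lines)]
        if not has_dead_criteria:
            missing.append("global dead-criteria")  # without it the switch never marks a server dead
        findings[name] = missing
    return findings
```

Run it over a saved `show running-config` and any port listing "alive" is one where endpoints will sit in critical auth until something else triggers re-authentication.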