ISE Behaviour if Server down - Fail Open?

roger perkin
Level 2

I want to understand the switchport or ISE config required that if switch cannot contact ISE server that the authentication fails open 

 

I believe it's called Fail Open, but I want to make sure if the ISE server is unreachable that user still connects to VLAN configured on port 

 

Thanks

 

6 Replies

Hi Roger,

 

Try these interface level commands:

 authentication event server dead action reinitialize vlan X
 authentication event server dead action authorize voice

 authentication event server alive action reinitialize

 

// You will need the global dead-time criteria set in order to detect a dead AAA server

radius-server dead-criteria time 3 tries 2

 

HTH

Thanks, 

So to be clear

 

global command 

radius-server dead-criteria time 3 tries 2

 Wait 2 x 3 seconds before marking Radius Server as dead 

 

Interface command  

authentication event server dead action reinitialize vlan X

 If Radius server is dead reinitialise the port into vlan X (Could be another VLAN or could be same access VLAN)


authentication event server dead action authorize voice

 If Radius server is dead - allow voice vlan 

 

authentication event server alive action reinitialize

 When the Radius server comes online - reinitialize authentications 

 

So if I have 2 Radius Servers with the above configuration it would try ISE 1 for 6 seconds and then ISE 2 for 6 seconds and then reinitialize port into specified VLAN 

 

Thanks

 

 

Hello Guys,

I got a question on this. If "authentication event server alive action reinitialize" is not included in the switchport configuration, what will be the behaviour? Will it not go back to authentication from the ISE until restarted?

Thanks
George

Without "authentication event server alive action reinitialize" the endpoint will stay in critical auth until re-authenticated for some other reason. That command forces re-authentication when RADIUS server becomes available again.

 

For fail open, I have the following two commands:

authentication event server dead action authorize (if you don't put vlan X at the end here, it will fail-open to whatever vlan is configured on the port)
authentication event server dead action authorize voice

 

Thanks for the reply - When you say the endpoint (port) stays in critical auth until re-authentication. The behaviour of the authentication command is this until a new host is connected or after so long a time? It's not so clear in my mind if you can shed some light.

Thanks again

Absolutely, if a new host was connected to the port then there would be a new authentication event, and if the radius server is up at that point then the request would go to ISE. Or if you have a periodic re-authentication enabled then the old host would get re-authenticated when the timer expires. That command re-authenticates endpoints in critical auth when at least one RADIUS server becomes available.
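As an added check, not from this thread or from Cisco: a small Python audit over a switch running-config that flags 802.1X ports missing a dead-server action or the "server alive action reinitialize" command discussed above, plus a missing global dead-criteria. It assumes the usual IOS layout (interface lines indented, stanzas ended by "!") and runs over a constructed sample config.

```python
# Constructed sample running-config (not from the thread): Gi1/0/1 has the full
# critical-auth set, Gi1/0/2 lacks "server alive" reinitialize, Gi1/0/3 has nothing.
SAMPLE_CONFIG = """\
radius-server dead-criteria time 3 tries 2
!
interface GigabitEthernet1/0/1
 authentication port-control auto
 authentication event server dead action reinitialize vlan 10
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
!
interface GigabitEthernet1/0/2
 authentication port-control auto
 authentication event server dead action authorize
!
interface GigabitEthernet1/0/3
 authentication port-control auto
!
"""

def parse_interfaces(config: str) -> dict[str, list[str]]:
    """Return {interface name: [stripped config lines]} for each interface stanza."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line.startswith("!"):
            current = None
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
    return blocks

def audit_critical_auth(config: str) -> dict[str, list[str]]:
    """Flag 802.1X ports whose dead/alive RADIUS-server handling is incomplete."""
    findings = {}
    if not any(l.startswith("radius-server dead-criteria") for l in config.splitlines()):
        findings["global"] = ["no radius-server dead-criteria: a dead server is never detected"]
    for name, lines in parse_interfaces(config).items():
        if "authentication port-control auto" not in lines:
            continue  # not an authenticating port
        issues = []
        if not any(l.startswith("authentication event server dead action") for l in lines):
            issues.append("no dead-server action: port fails closed when ISE is unreachable")
        if "authentication event server alive action reinitialize" not in lines:
            issues.append("no alive reinitialize: hosts stay in critical auth until re-authenticated")
        if issues:
            findings[name] = issues
    return findings
```

Run audit_critical_auth() over "show running-config" output saved to a file; an empty result means every authenticating port has both the dead and alive handlers.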
