02-15-2018 11:08 AM - edited 02-21-2020 10:45 AM
I want to understand the switchport or ISE config required so that, if the switch cannot contact the ISE server, the authentication fails open.
I believe it's called Fail Open, but I want to make sure that if the ISE server is unreachable the user still connects to the VLAN configured on the port.
Thanks
02-15-2018 12:35 PM
Hi Roger,
Try these interface level commands:
authentication event server dead action reinitialize vlan X
authentication event server dead action authorize voice
authentication event server alive action reinitialize
// You will need the global dead-time criteria set in order to detect a dead AAA server
radius-server dead-criteria time 3 tries 2
HTH
02-15-2018 01:03 PM
Thanks,
So to be clear
global command
radius-server dead-criteria time 3 tries 2
Wait 2 x 3 seconds before marking the RADIUS server as dead
Interface command
authentication event server dead action reinitialize vlan X
If the RADIUS server is dead, reinitialize the port into VLAN X (could be another VLAN or could be the same access VLAN)
authentication event server dead action authorize voice
If the RADIUS server is dead, allow the voice VLAN
authentication event server alive action reinitialize
When the RADIUS server comes back online, reinitialize authentications
So if I have 2 RADIUS servers with the above configuration, it would try ISE 1 for 6 seconds and then ISE 2 for 6 seconds, and then reinitialize the port into the specified VLAN?
Thanks
03-05-2018 08:43 AM
03-07-2018 08:49 AM
Without "authentication event server alive action reinitialize" the endpoint will stay in critical auth until it is re-authenticated for some other reason. That command forces re-authentication when the RADIUS server becomes available again.
For fail open, I have the following two commands:
authentication event server dead action authorize (if you don't put vlan X at the end here, it will fail open to whatever VLAN is configured on the port)
authentication event server dead action authorize voice
03-07-2018 08:56 AM
03-07-2018 11:03 AM
Absolutely. If a new host is connected to the port, there will be a new authentication event, and if the RADIUS server is up at that point the request will go to ISE. Or, if you have periodic re-authentication enabled, the old host will get re-authenticated when the timer expires. That command re-authenticates endpoints in critical auth when at least one RADIUS server becomes available.
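The commands in this thread are given piecemeal; below they are pulled together into one switch configuration as an added example (this is not config posted by anyone in the thread). The interface name, VLAN numbers, server names, the 192.0.2.x addresses and the shared-secret placeholder are assumptions chosen for illustration. It also adds the deadtime and periodic re-authentication settings that make the "alive action reinitialize" behaviour useful: without periodic re-auth, a host that was admitted during the outage stays in critical auth until something else triggers a new authentication.

```cisco
! ---- Global: how a RADIUS server is declared dead (from the thread) ----
! Server is marked dead after 2 consecutive unanswered tries, each waiting 3 s.
radius-server dead-criteria time 3 tries 2
! Keep a dead server out of rotation for 15 minutes so every new session
! does not re-test a dead ISE node before falling back (assumed value).
radius-server deadtime 15

! Two ISE PSNs (names, addresses and key are placeholders).
radius server ISE-1
 address ipv4 192.0.2.11 auth-port 1812 acct-port 1813
 key REPLACE_WITH_SHARED_SECRET
radius server ISE-2
 address ipv4 192.0.2.12 auth-port 1812 acct-port 1813
 key REPLACE_WITH_SHARED_SECRET

aaa new-model
aaa group server radius ISE-GROUP
 server name ISE-1
 server name ISE-2
aaa authentication dot1x default group ISE-GROUP
aaa authorization network default group ISE-GROUP

! ---- Interface: fail-open (critical auth) behaviour ----
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 dot1x pae authenticator
 mab
 authentication port-control auto
 authentication host-mode multi-domain
 ! Data domain: when all servers in the group are dead, authorize the port
 ! on its configured access VLAN (10). Append "vlan X" to land in a
 ! different, more restricted VLAN instead.
 authentication event server dead action authorize
 ! Voice domain: also let the phone onto the voice VLAN during the outage.
 authentication event server dead action authorize voice
 ! When a server comes back, re-initialize sessions that were granted
 ! critical auth so they get a real ISE decision.
 authentication event server alive action reinitialize
 ! Periodic re-auth is the safety net for hosts the alive event misses;
 ! the interval comes from ISE (Session-Timeout) when the server answers.
 authentication periodic
 authentication timer reauthenticate server
```

To confirm the detection settings are in effect and see whether a server is currently marked dead, `show aaa servers` reports per-server state and dead-criteria counters, and `show authentication sessions interface GigabitEthernet1/0/1 details` shows a session whose method is critical auth rather than dot1x or mab. The trade-off to keep in mind when choosing `authorize` over `reinitialize vlan X` is that `authorize` admits any device plugged in during the outage to the production access VLAN, so a dedicated critical-auth VLAN with tighter ACLs is the more conservative choice where the network can tolerate it.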