Beginner

ISE Behaviour if Server down - Fail Open?

I want to understand the switchport or ISE config required so that, if the switch cannot contact the ISE server, the authentication fails open.

I believe it's called Fail Open, but I want to make sure that if the ISE server is unreachable the user still connects to the VLAN configured on the port.

Thanks

RJI (VIP Advisor)

Re: ISE Behaviour if Server down - Fail Open?

Hi Roger,

Try these interface level commands:

 authentication event server dead action reinitialize vlan X
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize

You will need the global dead-time criteria set in order to detect a dead AAA server:

 radius-server dead-criteria time 3 tries 2

HTH

Beginner

Re: ISE Behaviour if Server down - Fail Open?

Thanks,

So to be clear:

Global command:

 radius-server dead-criteria time 3 tries 2

 Wait 2 x 3 seconds before marking the RADIUS server as dead.

Interface commands:

 authentication event server dead action reinitialize vlan X

 If the RADIUS server is dead, reinitialise the port into VLAN X (could be another VLAN or could be the same access VLAN).

 authentication event server dead action authorize voice

 If the RADIUS server is dead, allow the voice VLAN.

 authentication event server alive action reinitialize

 When the RADIUS server comes online, reinitialize authentications.

So if I have 2 RADIUS servers with the above configuration, it would try ISE 1 for 6 seconds and then ISE 2 for 6 seconds, and then reinitialize the port into the specified VLAN.

Thanks


Re: ISE Behaviour if Server down - Fail Open?

Hello Guys,

I got a question on this. If "authentication event server alive action reinitialize" is not included in the switchport configuration, what will be the behaviour? Will it not go back to authenticating against ISE until restarted?

Thanks
George
Beginner

Re: ISE Behaviour if Server down - Fail Open?

Without "authentication event server alive action reinitialize", the endpoint will stay in critical auth until it is re-authenticated for some other reason. That command forces re-authentication when the RADIUS server becomes available again.

For fail open, I have the following two commands:

 authentication event server dead action authorize
 authentication event server dead action authorize voice

(If you don't put "vlan X" at the end of the first one, it will fail open to whatever VLAN is configured on the port.)


Re: ISE Behaviour if Server down - Fail Open?

Thanks for the reply. When you say the endpoint (port) stays in critical auth until re-authentication, is the behaviour of the authentication command this until a new host is connected, or after some length of time? It's not so clear in my mind, if you can shed some light.

Thanks again
Beginner

Re: ISE Behaviour if Server down - Fail Open?

Absolutely. If a new host were connected to the port, there would be a new authentication event, and if the RADIUS server is up at that point the request would go to ISE. Or, if you have periodic re-authentication enabled, the old host would get re-authenticated when the timer expires. That command re-authenticates endpoints in critical auth when at least one RADIUS server becomes available.
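As an added example for this thread (my own code, not Cisco's and not from any poster): a small Python audit of an IOS-style running-config that reports, for each port with a server-dead action, the VLAN it fails open to and whether the "alive action reinitialize" command discussed above is missing, and whether the global dead-criteria is set at all. The parser, the regexes and the embedded sample config are constructed assumptions based only on the command syntax quoted in this thread.

```python
# Added example for this page, not a Cisco tool; SAMPLE_CONFIG is constructed input.
import re

SAMPLE_CONFIG = """\
radius-server dead-criteria time 3 tries 2
!
interface GigabitEthernet1/0/1
 switchport access vlan 10
 authentication event server dead action authorize vlan 99
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
!
interface GigabitEthernet1/0/2
 switchport access vlan 10
 authentication event server dead action authorize
!
"""
# Data-VLAN dead action only; the "$" anchor keeps the "authorize voice" variant out.
DEAD_RE = re.compile(r"authentication event server dead action (?:authorize|reinitialize)(?: vlan (\d+))?$")
ALIVE_CMD = "authentication event server alive action reinitialize"
DEAD_CRITERIA_RE = re.compile(r"^radius-server dead-criteria time \d+ tries \d+", re.M)

def parse_interfaces(config):
    """Map interface name -> its indented sub-commands (IOS block layout)."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None  # "!" or a global command closes the block
    return blocks

def audit(config):
    """Return (scope, finding) tuples; an empty list means nothing to report."""
    findings = []
    if not DEAD_CRITERIA_RE.search(config):  # without it the switch never marks a server dead
        findings.append(("global", "no radius-server dead-criteria: dead actions never fire"))
    for name, cmds in parse_interfaces(config).items():
        dead = [m for m in map(DEAD_RE.match, cmds) if m]
        if not dead:
            continue  # port has no server-dead policy, nothing to check
        vlan = dead[0].group(1)
        target = f"critical VLAN {vlan}" if vlan else "the VLAN configured on the port"
        findings.append((name, f"fails open to {target} when all RADIUS servers are dead"))
        if ALIVE_CMD not in cmds:  # the gap asked about in the thread
            findings.append((name, "no alive-action reinitialize: hosts stay in critical auth"))
    return findings
```

Run `audit()` over a config pulled from `show running-config` to list every port that fails open and which of them will never re-authenticate on their own when ISE comes back.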