Local connectivity when ISE is not reachable from branch office and SW is using LanLite image

Good afternoon,

 

I'm experiencing a problem with my branch offices (with LANLite Catalyst SW) when ISE (located in our DC) is not reachable due to a WAN failure. People in the branch office cannot access local resources when the ISE is marked as dead from the SW's point of view.

 

I know that with lanbase switches, the following commands can be used to authorize users when ISE is not reachable:

 

authentication event server dead action authorize vlan vlan-id
authentication event server dead action authorize voice

 

But it seems that those commands are not available on LANLITE switches, so I have the following questions:

 

1. What happens when the SW detects that ISE is not reachable? Are the users still able to access local resources until they restart/reauth their machine or the switchport is restarted, or will the switch try to reauth all ports so that users are kicked out immediately?

 

2. Is there any set of commands or workaround for my LANLITE switches that can be applied, so that when a WAN failure happens in the branch office they can still use local resources? (We manage all switches from our HQ, so making configuration changes on the SW is not possible when the issue happens.)

 

3. Is there any LANLITE version where the commands related to "authentication event server..." are supported, or is it not supported, as some other features are, due to hardware limitations?

 

Thanks in advance for your replies.
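For reference, here is the LAN Base style fail-open configuration the two "authentication event server dead" commands above belong to, shown as an added example that is not from this thread or from Cisco documentation. The VLAN ids, server addresses, interface and shared secret are constructed placeholders; the thread itself reports that the per-port "server dead" commands are not accepted on LAN Lite images, so this is what the feature looks like where it is available, not a workaround for LAN Lite.

```cisco
! Added example (not from the original thread). LAN Base syntax with
! constructed VLAN ids, addresses, interface and a placeholder secret.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
!
! RADIUS servers (the PSNs). Addresses and secret are placeholders.
radius server PSN1
 address ipv4 192.0.2.11 auth-port 1812 acct-port 1813
 key PLACEHOLDER-SHARED-SECRET
radius server PSN2
 address ipv4 192.0.2.12 auth-port 1812 acct-port 1813
 key PLACEHOLDER-SHARED-SECRET
!
! Dead-server detection: this is what drives the DEAD/UP state that
! "show aaa servers" reports. A server is marked dead after 5 seconds
! with no reply across 3 tries, and stays marked dead for 10 minutes
! before the switch probes it again.
radius-server dead-criteria time 5 tries 3
radius-server deadtime 10
!
! Access port with dot1x + MAB and critical authentication (fail-open).
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 100
 switchport voice vlan 200
 authentication host-mode multi-domain
 authentication port-control auto
 mab
 dot1x pae authenticator
 ! New sessions started while ALL servers are dead are authorized locally:
 ! data hosts into VLAN 100, phones into the configured voice VLAN.
 authentication event server dead action authorize vlan 100
 authentication event server dead action authorize voice
 ! When a server comes back, re-run authentication for the hosts that
 ! were authorized under the dead-server rule.
 authentication event server alive action reinitialize
```

Two practical points when using this: the "server dead" action only applies after every server in the group is marked dead, so the dead-criteria timers decide how long a new host waits with no access during a WAN outage; and since hosts connecting during the outage are placed in VLAN 100 without ISE having evaluated them, that VLAN's routing or ACLs should be scoped to the local resources the branch actually needs rather than full network access.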

 

2 Replies

I can answer the first question only. If you are using closed mode or low impact mode, then yes, anything not allowed explicitly will be blocked, including LAN access to the network.

I don't have experience with LANLITE switches to answer the remaining questions.

Thank you for your answer Mohammed.

 

For testing purposes we did a quick setup:

 

We added a LANLITE SW to our ISE deployment, then connected two workstations and allowed access via MAB. We started a ping between the machines that were successfully authenticated. Then, in order to simulate a failure of the WAN link, we shut down the trunk port until the PSNs (3) were shown as dead by the "show aaa servers" command. At that point we still had local connectivity.

 

So I conclude that if hosts were previously authenticated on ISE, they can continue communicating locally when the SW - ISE communication is lost (one of my questions), and the SW does not perform a reauth of all ports once it sees the PSNs are not reachable. Needless to say, if we restart the machine or the switchport, the auth fails and all connectivity is lost, as there is no connectivity to ISE.

 

We will test with our production environment on Friday and see how it goes. In the meantime, if anyone knows what can be done with LANLITE switches to keep local connectivity once the ISE PSNs are not reachable, that would be awesome, as the "authentication event server dead action" command is not available.
