Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ISE Node Failure & Pre-Auth ACL

Hi All,

I would like to know that, what should be the best practice configuration for following points,

1) Network access for end users/devices if both ISE nodes become unreachable ? how we can make sure that full network access should be granted if both ISE nodes become unavailable.

2) What is the best practice for pre-auth ACL configuration if IP Phones are also in the network ?

Here is the port configuration and pre-auth ACL which I am using in my network,

Interface Fa0/1

switchport access vlan 30

switchport mode access

switchport voice vlan 40

ip access-group ISE-ACL-DEFAULT in

authentication event fail action authorize vlan 30

authentication event server dead action authorize vlan 30

authentication event server alive action reinitialize

authentication host-mode multi-domain

authentication open

authentication order dot1x mab

authentication priority dot1x mab

authentication port-control auto

authentication periodic

authentication timer reauthenticate server

authentication violation protect

mab

  dot1x pae authenticator

dot1x timeout tx-period 5

*****************************************

ip access-list extended ISE-ACL-DEFAULT

remark DHCP

permit udp any eq bootpc any eq bootps

remark DNS and Domain Controllers

permit ip any host 172.22.35.11

permit ip any host 172.22.35.12

remark Ping

permit icmp any any

remark PXE / TFTP

permit udp any any eq tftp

remark Deny All

deny   ip any any log

Thanks & Regards,

Mujeeb

3 ACCEPTED SOLUTIONS

Accepted Solutions

ISE Node Failure & Pre-Auth ACL

Hello

About question 1,  since you're using  "authentication host-mode multi-domain" then "authentication event server dead action authorize vlan X" is the way to go.

But if you are using "authentication host-mode multi-auth" then you should use "authentication event server dead action reinitialize vlan X"

About question 2 it's not mandatory to use pre-auth ACL. My current deployment have IP phones , since I use radius profiling and CDP then ISE can detect and authorize the IP phones even though the switch blocks all packets. That' why I don't need pre-auth ACLs.

Please rate if this helps.

Cisco Employee

ISE Node Failure & Pre-Auth ACL

See replies inline:

authentication event fail action authorize vlan 30----> What would be the behaviour due to this command ?

If the supplicant fails authentication, the port is  moved to a restricted VLAN, and an EAP success message is sent to the  supplicant because it is not notified of the actual authentication  failure. If the EAP success message is not sent, the supplicant tries to  authenticate every 60 seconds (the default) by sending an EAP-start  message.

authentication event server dead action authorize  vlan 30 ---> So in case if ISE nodes are unavailable then this port  will be in VLAN 30 which is the actual VLAN ?

The above  command is used to configure a port to send both new and existing hosts  to the critical VLAN when the RADIUS server is unavailable. Use this  command for ports in multiple authentication (multiauth) mode or if the  voice domain of the port is in MDA mode.

authentication event server alive action reinitialize  ---> This command will re-initialize the authentication process if  ISE nodes becomes available ?

This can be used to  reinitialize an authorized Auth Manager session when a previously  unreachable authentication, authorization, and accounting server becomes  available.

Hope it helps.

~BR
Jatin Katyal

**Do rate helpful posts**

~BR Jatin Katyal **Do rate helpful posts**
Cisco Employee

ISE Node Failure & Pre-Auth ACL

I guess you wanted to talk about this command

authentication event server dead action authorize  vlan 30

However, you mentioned the below mentioned command in you last post

authentication event fail action authorize vlan 30

If you've not configured critical vlan then you can remove this command:

authentication event server dead action authorize  vlan 30 because this actually enables the critical auth (aka inaccessible AuthenticationBypass) feature on the port. With this feature enabled, If an IEEE 802.1x authentication fails because the AAA server is unavailable, the switch can be configured to allow clients access to a special VLAN (sometimes called the "Critical VLAN") that provides configurable access to the network. The Critical VLAN can be any VLAN except for the voice VLAN.

~BR
Jatin Katyal

**Do rate helpful posts**

~BR Jatin Katyal **Do rate helpful posts**
12 REPLIES
VIP Purple

Re: ISE Node Failure & Pre-Auth ACL

1) for that you have a "critical auth vlan" that you can assign in case that no RADIUS-server is available. You already have that in your config.

authentication event server dead action authorize vlan XXX

2) My default-acl is typically not that permissive as yours:

ip access-list extended PORT-DEFAULT-ACL

  ! allow DHCP

  permit udp any eq bootpc any bootps

  ! allow dns to DNS-server

  permit udp any host 10.10.10.1 eq 53

  permit udp any host 10.10.10.2 eq 53

  ! PING is fine

  permit icmp any any echo

  ! PXE is ok

  permit udp any any eq tftp

with your ACL, an unauthenticated user already has full access to your domain-controller which is far too much in my opinion.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni

Hello Karsten,please, in your

Hello Karsten,

please, in your enviroment, without the access to domain controller before authentication, what happens when an user try to access a computer for first time?

Do you use Anyconnect NAM as supplicant?

 

Regards.

ISE Node Failure & Pre-Auth ACL

Hello

About question 1,  since you're using  "authentication host-mode multi-domain" then "authentication event server dead action authorize vlan X" is the way to go.

But if you are using "authentication host-mode multi-auth" then you should use "authentication event server dead action reinitialize vlan X"

About question 2 it's not mandatory to use pre-auth ACL. My current deployment have IP phones , since I use radius profiling and CDP then ISE can detect and authorize the IP phones even though the switch blocks all packets. That' why I don't need pre-auth ACLs.

Please rate if this helps.

New Member

ISE Node Failure & Pre-Auth ACL

Hi,

I am using following configuration on the ports,

Interface Fa0/1

switchport access vlan 30

switchport mode access

switchport voice vlan 40

ip access-group ISE-ACL-DEFAULT in

authentication event fail action authorize vlan 30 ----> What would be the behaviour due to this command ?

authentication event server dead action authorize vlan 30 ---> So in case if ISE nodes are unavailable then this port will be in VLAN 30 which is the actual VLAN ?

authentication event server alive action reinitialize ---> This command will re-initialize the authentication process if ISE nodes becomes available ?

authentication host-mode multi-domain

authentication open

authentication order dot1x mab

authentication priority dot1x mab

authentication port-control auto

authentication periodic

authentication timer reauthenticate server

authentication violation protect

mab

  dot1x pae authenticator

dot1x timeout tx-period 5

Since I am using following ACL on the ports then user will have network access according to following ACL in case ISE nodes are unavailable ??

ip access-list extended ISE-ACL-DEFAULT

remark DHCP

permit udp any eq bootpc any eq bootps

remark DNS and Domain Controllers

permit ip any host 172.22.35.11

permit ip any host 172.22.35.12

remark Ping

permit icmp any any

remark PXE / TFTP

permit udp any any eq tftp

remark Deny All

deny   ip any any log

Thanks

Cisco Employee

ISE Node Failure & Pre-Auth ACL

See replies inline:

authentication event fail action authorize vlan 30----> What would be the behaviour due to this command ?

If the supplicant fails authentication, the port is  moved to a restricted VLAN, and an EAP success message is sent to the  supplicant because it is not notified of the actual authentication  failure. If the EAP success message is not sent, the supplicant tries to  authenticate every 60 seconds (the default) by sending an EAP-start  message.

authentication event server dead action authorize  vlan 30 ---> So in case if ISE nodes are unavailable then this port  will be in VLAN 30 which is the actual VLAN ?

The above  command is used to configure a port to send both new and existing hosts  to the critical VLAN when the RADIUS server is unavailable. Use this  command for ports in multiple authentication (multiauth) mode or if the  voice domain of the port is in MDA mode.

authentication event server alive action reinitialize  ---> This command will re-initialize the authentication process if  ISE nodes becomes available ?

This can be used to  reinitialize an authorized Auth Manager session when a previously  unreachable authentication, authorization, and accounting server becomes  available.

Hope it helps.

~BR
Jatin Katyal

**Do rate helpful posts**

~BR Jatin Katyal **Do rate helpful posts**
New Member

ISE Node Failure & Pre-Auth ACL

Hi,

So I should remove following command from ports as we don't have critical VLAN in our setup ?

authentication event fail action authorize vlan 30

Kindly note that vlan 30 is the actual data vlan.

**********************

For the "authentication event fail action authorize vlan 30" command port will have vlan 30 if ISE node become unreachable but we have following ACL on all ports so users will get very limited access,

ip access-list extended ISE-ACL-DEFAULT

remark DHCP

permit udp any eq bootpc any eq bootps

remark DNS and Domain Controllers

permit ip any host 172.22.35.11

permit ip any host 172.22.35.12

remark Ping

permit icmp any any

remark PXE / TFTP

permit udp any any eq tftp

remark Deny All

deny ip any any log

So, should I modify this ACL or completely remove ?

Thanks & Regards,

Mujeeb

New Member

ISE Node Failure & Pre-Auth ACL

Dear All,

Kindly guide on the queries which I posted in the latest response.

Thanks

Cisco Employee

ISE Node Failure & Pre-Auth ACL

I guess you wanted to talk about this command

authentication event server dead action authorize  vlan 30

However, you mentioned the below mentioned command in you last post

authentication event fail action authorize vlan 30

If you've not configured critical vlan then you can remove this command:

authentication event server dead action authorize  vlan 30 because this actually enables the critical auth (aka inaccessible AuthenticationBypass) feature on the port. With this feature enabled, If an IEEE 802.1x authentication fails because the AAA server is unavailable, the switch can be configured to allow clients access to a special VLAN (sometimes called the "Critical VLAN") that provides configurable access to the network. The Critical VLAN can be any VLAN except for the voice VLAN.

~BR
Jatin Katyal

**Do rate helpful posts**

~BR Jatin Katyal **Do rate helpful posts**

Hello there,I got the same

Hello there,
I got the same doubt.
I can use authentication event server dead action authorize vlan XX, but If I am using pre authentication ACL the access will be limited, isn't it?
Regards.

 

New Member

 Absolutely! Such a

 

Absolutely! Such a disappointing solution. You'll notice this question is skirted around. You can use EEM scripts to add lines to the pre auth acl but it really feels like a bodge. Obviously you'll have to remove these lines too.  Feature request needed to be able to specify an acl which will be applied when critical vlan is applied. Cisco need to start listening and start thinking.

 

 

 

 

New Member

Hello, We have an issue with

Hello,

 

We have an issue with the "authentication event server alive action reinitialize".

- The critical auth (if server dead) works fine > the users move to vlan 43

-  authentication event server alive action reinitialize: when the ISE is back to alive, the 802.1X process is reinitialized, the users get their Vlan and Dacl (dynamic vlan et acl). The problem is that it seems they dont make an IP DHCP request, and they cant communicate in their Vlan - if we unplug/plug cable (or shut/no shut) the port, the process works fine, and they get an ip address.

 

interface FastEthernet0/12

 description Port-NAC
 switchport access vlan 43
 switchport mode access
 authentication event fail action next-method
 authentication event server dead action authorize vlan 43
 authentication event server alive action reinitialize
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation replace
 mab
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 dot1x pae authenticator
 dot1x timeout quiet-period 5
 dot1x timeout tx-period 2
 dot1x timeout supp-timeout 2
 dot1x max-req 1
 macro description Port-NAC
 spanning-tree portfast
 spanning-tree bpduguard enable
end

 

Port with DEAD server > see the screenshot

Reintialize > see the screenshot / we will notice the Vlan and Dacl are OK / but no IP ADDRESS.

 

If you have an idea...

 

Thanks 

 

 

Silver

It is not a big risk if the

It is not a big risk if the default port ACL seems too permissive as long as you make sure ISE authorization rules assign a proper dynamic ACL by all means.

3048
Views
15
Helpful
12
Replies