07-24-2013 03:21 AM - edited 03-10-2019 08:41 PM
Hi All,
I want to get an idea of how I can configure a timer so that, in case both ISE nodes become unreachable, clients which are already authenticated remain authenticated for the specified time period. Is this a configurable option?
Are these commands relevant to the above requirement?
radius-server dead-criteria time 5 tries 2
radius-server deadtime 10
Thanks
07-24-2013 07:08 PM
The above commands are used to detect a dead RADIUS server. These will not fulfil your requirement. I don't think there is any method to do so.
07-24-2013 11:29 PM
Hi,
What about the following command at the port level:
authentication timer reauthenticate server
Regards,
07-25-2013 03:03 AM
The command sets the reauthentication timer when the session-timeout is handed down for the user session.
I want to understand your business requirement for your scenario. Are you looking to extend a reauthentication timer if all radius servers are dead? If so, the following command will authorize a client on a vlan if the servers are dead... that command is...
authentication event server dead action authorize vlan xx
The next command will reauthenticate the port when the radius server is alive again.
authentication event server alive action reinitialize
07-25-2013 03:21 AM
Hi Tarik,
Yes, the requirement is to keep the ports in authenticated/authorized status for a specified time, e.g. 4 hours, if both ISE nodes are unreachable.
We have the commands you mentioned above on all ports; however, we also have the following ACL (which is very restrictive) on all ports:
ip access-list extended ISE-ACL-DEFAULT
remark DHCP
permit udp any eq bootpc any eq bootps
remark DNS and Domain Controllers
permit ip any host 172.22.x.x
permit ip any host 172.22.y.y
remark Ping
permit icmp any any
remark PXE / TFTP
permit udp any any eq tftp
deny ip any any
So the requirement is to keep the dACL "ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-5165e13c" on the port if both ISE nodes fail, instead of the above ACL.
So please advise.
Thanks
07-25-2013 03:33 AM
Hi,
I understand where you are coming from, there is a feature enhancement request for this scenario where you can bypass the acl when the servers are dead. I can not find the bug id, but once I come across it I will update this thread.
Thanks,
Tarik Admani
*Please rate helpful posts*
07-25-2013 03:35 AM
Thanks for the quick response.
I will wait for further information.
07-25-2013 03:40 AM
Also, if your scenario is willing to support EEM and Tcl scripting, you can leverage the test aaa server command, capture the output of the "all radius servers are dead" response and then issue a result where the port-based ACL is removed.
Then afterwards you can set up another scenario where, if the radius server is marked alive after 30 seconds for example, you re-apply the ACL and clear the auth sessions for each of the ports. This will take some effort in testing but is possible.
Once I get the feature request ID your best bet would be to open a TAC case and have your case attached to it.
Thanks,
Tarik Admani
*Please rate helpful posts*
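As an added example (not from the thread or from Cisco documentation), this ties the critical-authentication commands above and Tarik's EEM suggestion into one switch configuration. The interface range, the critical VLAN number, the applet names and the syslog messages used as triggers are assumptions to verify against the actual switch and IOS release before use.

```cisco
! Added example, not from the thread. Interface range, VLAN 100, applet names and
! trigger patterns are assumptions; verify them on the target IOS release.
!
! RADIUS liveness detection (same dead-criteria/deadtime as in the question)
radius-server dead-criteria time 5 tries 2
radius-server deadtime 10
!
! Critical authentication: when every RADIUS server is marked dead, authorize the
! port into VLAN 100 instead of failing the session; re-run authentication once a
! server is back. Existing sessions keep the restrictive port ACL, which is what
! the two EEM applets below address.
interface range GigabitEthernet1/0/1 - 48
 authentication event server dead action authorize vlan 100
 authentication event server alive action reinitialize
 ip access-group ISE-ACL-DEFAULT in
!
! Fires only when the whole RADIUS group has no active server (both ISE nodes
! dead), not on the first per-server RADIUS_DEAD message. Removing the port ACL
! fails open for the outage window, so limit the range to ports where that is
! acceptable.
event manager applet ISE-ALL-DEAD
 event syslog pattern "RADIUS-3-ALLDEADSERVERS"
 action 1.0 cli command "enable"
 action 1.1 cli command "configure terminal"
 action 1.2 cli command "interface range GigabitEthernet1/0/1 - 48"
 action 1.3 cli command "no ip access-group ISE-ACL-DEFAULT in"
 action 1.4 cli command "end"
 action 2.0 syslog msg "ISE-ALL-DEAD: pre-auth ACL removed from access ports"
!
! When a server is marked alive again, restore the ACL and clear the sessions so
! every port re-authenticates against ISE and receives its dACL again.
event manager applet ISE-ALIVE
 event syslog pattern "RADIUS-4-RADIUS_ALIVE"
 action 1.0 cli command "enable"
 action 1.1 cli command "configure terminal"
 action 1.2 cli command "interface range GigabitEthernet1/0/1 - 48"
 action 1.3 cli command "ip access-group ISE-ACL-DEFAULT in"
 action 1.4 cli command "end"
 action 1.5 cli command "clear authentication sessions"
 action 2.0 syslog msg "ISE-ALIVE: pre-auth ACL restored, sessions cleared"
```

Check with "show event manager policy registered" that both applets are registered, and test by shutting the RADIUS path in a lab rather than on production ports.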
07-25-2013 08:43 AM
I checked my notes and could not find the feature request. You may need to open a TAC case to see if one can be referenced for you. I know this is an issue that many customers face and outside of some simple EEM scripting there isn't a "radius feature" in the IOS that will do this for you.
thanks,
Tarik Admani
*Please rate helpful posts*
08-05-2013 12:28 AM
Hi Tarik,
I came across following command,
radius-server deadtime [minutes]
"Specifies for how many minutes a RADIUS server that is not responding to authentication requests is passed over by requests for RADIUS authentication"
So can it be used to meet the above-explained requirement?
Thanks & Regards,
Mujeeb