Meraki

Community

ISE server down scenario Network access on Meraki MS

Solved
ZeeBoussaid
Getting noticed
‎Jan 27 2021 11:13 AM
‎Jan 27 2021 11:13 AM

ISE server down scenario Network access on Meraki MS

hello, 

 

we use multiple MS-225 for production and all endpoints are authenticating via ISE. if a machine failed the authentication I created a Vlan500 where it just "sits" there with no valid IP. my question is simple: in case of a catastrophic ISE failure and the radius server is down, how my endpoints can access the network? I know on the cat switches it was easier, if the machine is unable to reach ISE, the port will be open and the machine will connect to the network, in the Meraki MS, if ISE is not reachable, the port will not be opened and like i mentioned the machine will automatically be assigned to Vlan 500. and before you ask if simply to delete the Vlan 500, well I added it to prevent unauthorized non-domain machines from accessing the network on LAN. 

0 Kudos
1 Accepted Solution
ZeeBoussaid
Getting noticed
‎Mar 8 2021 10:24 AM
‎Mar 8 2021 10:24 AM

just an FYI, i installed a new MS225 and blocked its MAC from ISE to replicate that ISE not responding, i had one machine with the applied access polices applied connected to the switch, and once the machine could not authenticate with ISE, the laptop had access to the internet and that's what we wanted. the VLAN 500 is defined in ISE, and since the MS is blocked, the 500 Vlan policy no longer applies. 

View solution in original post

0 Kudos
5 Replies 5
cmr
Kind of a big deal
Kind of a big deal
‎Jan 27 2021 3:06 PM
‎Jan 27 2021 3:06 PM

@ZeeBoussaid I'd give VLAN 500 internet access only, so at least people would have something and you wouldn't be risking the corporate LAN.  Also make sure you have an HA ISE setup so it doesn't completely fail, as you would with DNS and domain controllers etc.

If my answer solves your problem please click Accept as Solution so others can benefit from it.
In response to cmr
ZeeBoussaid
Getting noticed
‎Jan 27 2021 4:42 PM
‎Jan 27 2021 4:42 PM

We do have HA in place, I was just trying to be prepared for the worst case scenario where both Radius servers are down for whatever reason. I like to be prepared. Thank you for the advice. 

0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jan 27 2021 5:48 PM
‎Jan 27 2021 5:48 PM

They can't.

0 Kudos
KarstenI
Kind of a big deal
Kind of a big deal
‎Jan 28 2021 3:16 AM
‎Jan 28 2021 3:16 AM

I think this could be done with the help of the API. A monitoring station checks for RADIUS-functionality on both PSNs. If both are offline you issue an API call to change the port-settings to something useful in that situation.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
0 Kudos
ZeeBoussaid
Getting noticed
‎Mar 8 2021 10:24 AM
‎Mar 8 2021 10:24 AM

just an FYI, i installed a new MS225 and blocked its MAC from ISE to replicate that ISE not responding, i had one machine with the applied access polices applied connected to the switch, and once the machine could not authenticate with ISE, the laptop had access to the internet and that's what we wanted. the VLAN 500 is defined in ISE, and since the MS is blocked, the 500 Vlan policy no longer applies. 

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.