Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

ISE server down scenario Network access on Meraki MS

Solved
ZeeBoussaid
Getting noticed
‎Jan 27 2021 11:13 AM
‎Jan 27 2021 11:13 AM

ISE server down scenario Network access on Meraki MS

hello, 

 

we use multiple MS-225 for production and all endpoints are authenticating via ISE. if a machine failed the authentication I created a Vlan500 where it just "sits" there with no valid IP. my question is simple: in case of a catastrophic ISE failure and the radius server is down, how my endpoints can access the network? I know on the cat switches it was easier, if the machine is unable to reach ISE, the port will be open and the machine will connect to the network, in the Meraki MS, if ISE is not reachable, the port will not be opened and like i mentioned the machine will automatically be assigned to Vlan 500. and before you ask if simply to delete the Vlan 500, well I added it to prevent unauthorized non-domain machines from accessing the network on LAN. 

0 Kudos
Subscribe
1 Accepted Solution
ZeeBoussaid
Getting noticed
‎Mar 8 2021 10:24 AM
‎Mar 8 2021 10:24 AM

just an FYI, i installed a new MS225 and blocked its MAC from ISE to replicate that ISE not responding, i had one machine with the applied access polices applied connected to the switch, and once the machine could not authenticate with ISE, the laptop had access to the internet and that's what we wanted. the VLAN 500 is defined in ISE, and since the MS is blocked, the 500 Vlan policy no longer applies. 

View solution in original post

0 Kudos
Subscribe
5 Replies 5
cmr
Kind of a big deal
Kind of a big deal
‎Jan 27 2021 3:06 PM
‎Jan 27 2021 3:06 PM

@ZeeBoussaid I'd give VLAN 500 internet access only, so at least people would have something and you wouldn't be risking the corporate LAN.  Also make sure you have an HA ISE setup so it doesn't completely fail, as you would with DNS and domain controllers etc.

Subscribe
In response to cmr
ZeeBoussaid
Getting noticed
‎Jan 27 2021 4:42 PM
‎Jan 27 2021 4:42 PM

We do have HA in place, I was just trying to be prepared for the worst case scenario where both Radius servers are down for whatever reason. I like to be prepared. Thank you for the advice. 

0 Kudos
Subscribe
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jan 27 2021 5:48 PM
‎Jan 27 2021 5:48 PM

They can't.

0 Kudos
Subscribe
KarstenI
Kind of a big deal
Kind of a big deal
‎Jan 28 2021 3:16 AM
‎Jan 28 2021 3:16 AM

I think this could be done with the help of the API. A monitoring station checks for RADIUS-functionality on both PSNs. If both are offline you issue an API call to change the port-settings to something useful in that situation.

0 Kudos
Subscribe
ZeeBoussaid
Getting noticed
‎Mar 8 2021 10:24 AM
‎Mar 8 2021 10:24 AM

just an FYI, i installed a new MS225 and blocked its MAC from ISE to replicate that ISE not responding, i had one machine with the applied access polices applied connected to the switch, and once the machine could not authenticate with ISE, the laptop had access to the internet and that's what we wanted. the VLAN 500 is defined in ISE, and since the MS is blocked, the 500 Vlan policy no longer applies. 

0 Kudos
Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.