PSNs with 2 interfaces for guest authentication

umahar
Cisco Employee

We have an ISE Guest cluster with PSNs having 2 interfaces.

One interface receives the radius request and the other interface receives the web redirected traffic.

WLC----internal-network-----PSN---------------router

During failover testing we shut down the router interface.

WLC was still sending RADIUS requests to the internal-network interface of the PSN because it was still alive. Endpoints, when getting redirected to the other interface of the PSN, are getting dropped.

Is there a way for the PSN to start dropping RADIUS requests on one interface if the second interface goes down?

Accepted Solution

Cory Peterson
Level 5

ISE can't do what you are after, but you could employ another option using IPSLA and an EEM Script. 

How you decide to do it may depend on whether your ISE node is a VM or an appliance.

ip sla 10
  icmp-echo 10.100.100.2
  ! This IP could be the Guest Interface if traffic is permitted
  frequency 10
ip sla schedule 10 life forever start-time now
ip sla reaction-configuration 10 react timeout threshold-type immediate
ip sla enable reaction-alerts
!
track 1 ip sla 10 reachability
  delay down 8 up 10
!
event manager applet TRACK_GUEST_DOWN
  event ipsla operation-id 10 reaction-type timeout
  action 1.0 if $_ipsla_condition eq "Occurred"
  action 1.1 cli command "enable"
  action 1.2 cli command "config t"
  action 1.3 cli command "int vlan 200"
  action 1.4 cli command "ip access-group 100 in"
  action 1.5 syslog msg "GUEST Down - ACL Applied"
  action 1.6 end
event manager applet TRACK_GUEST_UP
  event ipsla operation-id 10 reaction-type timeout
  action 1.0 if $_ipsla_condition ne "Occurred"
  action 1.1 cli command "enable"
  action 1.2 cli command "config t"
  action 1.3 cli command "int vlan 200"
  action 1.4 cli command "no ip access-group 100 in"
  action 1.5 syslog msg "Guest Up - ACL Removed"
  action 1.6 end

This will apply an ACL to an interface to stop all traffic to the ISE interface until the IP comes back up, then it will remove the ACL.

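The reaction logic in the accepted answer can be replayed offline to see how the `threshold-type immediate` setting behaves against a transient lost ping versus a real outage of the guest interface. The following Python is an added example, not code from the thread, from Cisco or from ISE: it feeds a constructed sequence of ICMP probe results (one per `frequency 10` interval) into a model of the TRACK_GUEST_DOWN / TRACK_GUEST_UP applets and records when the router would apply or remove ACL 100, which is what cuts RADIUS toward the PSN's internal interface and lets the WLC fail over. The `down_after` / `up_after` parameters are assumptions added for comparison: `down_after=1` is the thread's immediate reaction, `down_after=3` approximates what IOS's `threshold-type consecutive 3` reaction would do, and `up_after` stands in for the dampening a `delay ... up` timer would add; the per-probe counting is a simplification of the IOS timers.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

PROBE_INTERVAL_S = 10  # matches `frequency 10` in the IP SLA operation

# Constructed probe history for the guest interface (10.100.100.2 in the
# thread): True = echo reply received, False = timeout. One transient loss
# at t=20s, then a real outage from t=50s through t=80s.
PROBES = [True, True, False, True, True,
          False, False, False, False, True, True, True]


@dataclass
class AclReactor:
    """Replays the TRACK_GUEST_DOWN / TRACK_GUEST_UP applets.

    down_after: consecutive timeouts before ACL 100 is applied.
        1 reproduces `threshold-type immediate` from the thread;
        3 approximates `threshold-type consecutive 3` (assumed, not from the thread).
    up_after: consecutive replies before the ACL is removed
        (1 = remove on the first reply, as TRACK_GUEST_UP does).
    """
    down_after: int = 1
    up_after: int = 1
    acl_applied: bool = False
    fail_streak: int = 0
    ok_streak: int = 0
    events: List[Tuple[int, str]] = field(default_factory=list)

    def observe(self, t: int, reachable: bool) -> None:
        if reachable:
            self.fail_streak, self.ok_streak = 0, self.ok_streak + 1
        else:
            self.ok_streak, self.fail_streak = 0, self.fail_streak + 1

        if not self.acl_applied and self.fail_streak >= self.down_after:
            # action 1.4 cli command "ip access-group 100 in"
            self.acl_applied = True
            self.events.append((t, "GUEST Down - ACL Applied"))
        elif self.acl_applied and self.ok_streak >= self.up_after:
            # action 1.4 cli command "no ip access-group 100 in"
            self.acl_applied = False
            self.events.append((t, "Guest Up - ACL Removed"))


def replay(probes, down_after=1, up_after=1):
    """Run the probe history through the reactor and return its syslog-style events."""
    reactor = AclReactor(down_after=down_after, up_after=up_after)
    for i, reachable in enumerate(probes):
        reactor.observe(i * PROBE_INTERVAL_S, reachable)
    return reactor.events


def radius_blackout_seconds(events, horizon_s):
    """Total seconds during which ACL 100 blocks RADIUS toward the PSN internal interface."""
    total, started = 0, None
    for t, msg in events:
        if msg.startswith("GUEST Down"):
            started = t
        elif started is not None:
            total += t - started
            started = None
    if started is not None:
        total += horizon_s - started
    return total


if __name__ == "__main__":
    horizon = len(PROBES) * PROBE_INTERVAL_S
    for label, kwargs in [("immediate", {}),
                          ("consecutive 3", {"down_after": 3}),
                          ("consecutive 3 + up dampening", {"down_after": 3, "up_after": 2})]:
        ev = replay(PROBES, **kwargs)
        print(f"{label}: {ev}  blackout={radius_blackout_seconds(ev, horizon)}s")
```

With the immediate reaction the single lost ping at t=20s applies the ACL and drops RADIUS for a full probe interval before the next reply removes it, so the WLC fails over and back for nothing; requiring three consecutive timeouts ignores the blip and still catches the real outage 20 seconds in.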

2 Replies

hslai
Cisco Employee

See also PSNs with 2 interfaces for guest authen... (by umahar on 07-31-2018 12:47 PM)