08-01-2018 11:41 AM
We have an ISE Guest cluster with PSNs having 2 interfaces.
One interface receives the RADIUS requests and the other interface receives the web-redirected traffic.
WLC----internal-network-----PSN---------------router
During failover testing we shut down the router interface.
WLC was still sending RADIUS requests to the internal-network interface of the PSN because it was still alive. Endpoints, when redirected to the other interface of the PSN, are getting dropped.
Is there a way for the PSN to start dropping RADIUS requests on one interface if the second interface goes down?
08-01-2018 04:14 PM - edited 08-01-2018 04:14 PM
ISE can't do what you are after, but you could employ another option using IPSLA and an EEM Script.
How you decide to do it may depend on whether your ISE node is a VM or an appliance.
ip sla 10
 icmp-echo 10.100.100.2
 ! This IP could be the Guest Interface if traffic is permitted
 frequency 10
ip sla schedule 10 life forever start-time now
ip sla reaction-configuration 10 react timeout threshold-type immediate
ip sla enable reaction-alerts
!
track 1 ip sla 10 reachability
 delay down 8 up 10
!
event manager applet TRACK_GUEST_DOWN
 event ipsla operation-id 10 reaction-type timeout
 action 1.0 if $_ipsla_condition eq "Occurred"
 action 1.1  cli command "enable"
 action 1.2  cli command "config t"
 action 1.3  cli command "int vlan 200"
 action 1.4  cli command "ip access-group 100 in"
 action 1.5  syslog msg "GUEST Down - ACL Applied"
 action 1.6 end
event manager applet TRACK_GUEST_UP
 event ipsla operation-id 10 reaction-type timeout
 action 1.0 if $_ipsla_condition ne "Occurred"
 action 1.1  cli command "enable"
 action 1.2  cli command "config t"
 action 1.3  cli command "int vlan 200"
 action 1.4  cli command "no ip access-group 100 in"
 action 1.5  syslog msg "Guest Up - ACL Removed"
 action 1.6 end
This will apply an ACL to an interface to stop all traffic to the ISE interface until the IP comes back up, then it will remove the ACL.
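One caveat for anyone reusing this: the applet applies access-list 100 but the reply does not define it, and on IOS an `ip access-group` that references an ACL which does not exist permits all traffic, so the fence would silently do nothing. The following is an added example, not part of the original reply, of a matching ACL plus the show commands to confirm the tracking state; 10.10.10.2 is a placeholder for the PSN's RADIUS-facing address, which the thread does not give.

```ios
! Added example. 10.100.100.2 is the PSN guest (redirect) interface from
! the reply; 10.10.10.2 is an ASSUMED placeholder for the PSN interface
! that receives RADIUS from the WLC.
!
! Deny everything toward the RADIUS-facing PSN address (as the reply
! describes: "stop all traffic to the ISE interface") so the WLC marks
! that server dead and fails over; log the drops for visibility.
access-list 100 remark Fence RADIUS to PSN while its guest interface is unreachable
access-list 100 deny   ip any host 10.10.10.2 log
access-list 100 permit ip any any
!
! Verification once the config is in place:
!   show ip sla statistics 10        - probe result / last return code
!   show track 1                     - reachability state and delay timers
!   show ip access-lists 100         - hit counts on the deny line
!   show event manager history events - confirms the applets actually fired
```

If only RADIUS should be fenced rather than all traffic, the single deny line can be narrowed to `deny udp any host 10.10.10.2 eq 1812` and `eq 1813`; the rest stays the same.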