Security

Reply
Frequent Contributor II
Posts: 478
Registered: ‎03-15-2014

Clearpass went down and all users wasn't able to login what is the solvent?

I have Cisco Wired switches 2960 integrated with Clearpass and we are using 802.1x and mac authentication now suddenlhy clearpass went down cause of power outage and all useres wasnt able to log into the network so what is the best solution to make things work when clearpass fail.

Guru Elite
Posts: 8,330
Registered: ‎09-08-2010

Re: Clearpass went down and all users wasn't able to login what is the solvent?

MVP
Posts: 4,235
Registered: ‎07-20-2011

Re: Clearpass went down and all users wasn't able to login what is the solvent?

Best practice is to have ClearPass server redundancy .

This is from the Cisco Guide
http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/Dot1X_Deployment/Dot1x_Dep_Guide.html#wp387266

"When the authentication server is unavailable, 802.1X fails and all endpoints are denied access by default. In a highly available enterprise campus environment, it is reasonable to expect that a switch is always able to communicate with the authentication server, so the default behavior may be perfectly acceptable. However, there may be some use cases, such as a branch office with occasional WAN outages, where the switch cannot reach the authentication server, but endpoints should be allowed access to the network.
If the switch already knows that the authentication server has failed, either through periodic probe or as the result of a previous authentication attempt, a port can be deployed in a configurable VLAN (sometimes called the critical VLAN) as soon as the link comes up. Because the switch has multiple mechanisms for learning that the AAA server has failed, this outcome is the most likely. If the switch determines that the authentication server has failed during an 802.1X or MAB authentication (for example, if this is the first endpoint to connect to the switch after connectivity to the authentication server has been lost), the port is moved to the critical VLAN after the authentication times out. Previously authenticated endpoints are not affected in any way; if a re-authentication timer expires when the authentication server is down, the re-authentication is deferred until the switch determines that the authentication server has returned.
The critical VLAN can be any VLAN except the voice VLAN. If no VLAN is specified, the port fails open into the switch data VLAN."


Another option that is not very secure is to create a backup script to disable MAB under each interface using the interface range but that is a security risk since you will allowing any device to connect.



Sent from Outlook Mobile
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Search Airheads
Showing results for 
Search instead for 
Did you mean: