Sample switch-end configuration for the server dead scenario:

interface GigabitEthernet0/2
 authentication event server dead action authorize vlan 100
 authentication event server alive action reinitialize
!
username RADIUS password RADIUSTEST
!
aaa group server radius ISE_LAB
 server-private 10.10.10.20 auth-port 1812 acct-port 1813 test username RADIUS key cisco
!
radius-server dead-criteria time 5 tries 2
radius-server deadtime 2
!
- The server dead scenario is a scenario whereby the Policy Service Node (PSN) or nodes are not reachable.
- In an ISE deployment, if a network access device reports that the RADIUS server is dead, that is an indication that the policy service persona is not available or not responding.
- Depending on the deployment type, the policy service persona might be running on a dedicated node or might be coexisting with other personas.
- An ISE deployment can contain up to a maximum of 50 instances of the policy service persona, depending on the deployment type.
- While server dead might be an unlikely scenario in a well-designed distributed deployment, it is still important to know how to plan for it.
- 'authentication event server dead action authorize vlan 100' tells the switch that if no RADIUS server can be reached, assign the device requesting authentication to VLAN 100; that is to say, VLAN 100 is the critical VLAN.
- The VLAN can be the same VLAN that the switch port is originally assigned to, or another VLAN.
- In a multinode deployment, the critical VLAN will be assigned only if all the RADIUS servers known to the switch are dead.
- 'authentication event server alive action reinitialize' tells the switch that if a RADIUS server that was initially dead later comes back online, it should reinitialize authentication.
- Therefore, the connected devices that were previously assigned to the critical VLAN because they could not be authenticated while the server was dead will be reauthenticated now that the RADIUS server is alive.
- They would then be assigned the appropriate authorization as defined by the RADIUS server.
- They will no longer be using local authorization such as the critical VLAN assignment.
- The server-private command includes the 'test' keyword along with a user account that will be used for the automatic RADIUS server test.
- If the RADIUS server 10.10.10.20 is declared dead, then depending on the configured deadtime, the switch will start sending test RADIUS packets to the RADIUS server to check whether it is still dead or back online.
- This test will continue at regular intervals until the RADIUS server is back online.
- The 'radius-server dead-criteria' command configures the dead server detection feature: it sets the criteria used to mark the RADIUS server as dead.
- Configuring the dead criteria with a time criterion of 5 seconds and a tries criterion of 2 means that if a valid response is not received from the RADIUS server within 5 seconds, the request will be timed out and retransmitted two more times, after which, if no response is received, the network access device will declare the RADIUS server dead.
- 'radius-server deadtime' configures the interval at which test RADIUS packets are sent to the RADIUS server to check its status.
- After the RADIUS server is declared dead, test RADIUS packets will be sent to the RADIUS server every 2 minutes to check whether it is still dead.
- Let's assume that after devices A, B, and C have been authenticated and granted appropriate network access, ISE becomes unreachable.
- The switch will not know that ISE is unreachable unless there is a new request for authentication.
- For example, a new device connects to the switch, or there is a network reset on any of the previously authenticated hosts.
- When the switch receives an EAP packet from a connected host, the switch will send a RADIUS access-request packet to the RADIUS server; if no response is received, the switch will retransmit the packet two more times, and then declare the RADIUS server dead if there is still no response.
- After the RADIUS server has been declared dead, hosts that were authenticated before then will still maintain their assigned authorization, but new authentication requests will fail, and the server dead action will kick in.
- In this case, the server dead action is set to authorize VLAN 100.
- Therefore, the host requesting authentication will be assigned to VLAN 100.
- The moment the RADIUS server is declared dead, automatic testing of the RADIUS server will also kick into action, and the switch will start sending test RADIUS packets to the RADIUS server at a two-minute interval to check whether the RADIUS server is still dead or alive.
- The automated test will stop only when the RADIUS server is marked as alive.
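To make the timing in the bullets above concrete, here is an added Python example (not from the original post, and not Cisco or ISE code) that pulls the dead-server settings out of the configuration shown at the top of the post, computes the worst-case time before the switch declares the server dead, runs a small review checklist over the settings, and walks the A/B/C/D timeline through a toy state model. The model follows the post's description (initial request plus two retransmits at 5 seconds each, test probes every deadtime minutes, reinitialize on alive). The `audit` checklist and the `SwitchRadiusModel` class are my own constructions, and the assumption that reinitialized hosts reauthenticate successfully against the recovered server is mine, not the post's.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the dead-server related lines of the switch configuration from the post.
SAMPLE_CONFIG = """
interface GigabitEthernet0/2
 authentication event server dead action authorize vlan 100
 authentication event server alive action reinitialize
!
aaa group server radius ISE_LAB
 server-private 10.10.10.20 auth-port 1812 acct-port 1813 test username RADIUS key cisco
!
radius-server dead-criteria time 5 tries 2
radius-server deadtime 2
"""

PATTERNS = {
    "critical_vlan": r"authentication event server dead action authorize vlan (\d+)",
    "reinit_on_alive": r"authentication event server alive action reinitialize",
    "test_username": r"\btest username (\S+)",
    "dead_criteria": r"radius-server dead-criteria time (\d+) tries (\d+)",
    "deadtime_min": r"radius-server deadtime (\d+)",
}


def parse_dead_server_settings(config: str) -> dict:
    """Extract the dead-server settings from an IOS configuration snippet."""
    s = {"critical_vlan": None, "reinit_on_alive": False, "test_username": None,
         "dead_time": None, "tries": None, "deadtime_min": None}
    m = re.search(PATTERNS["critical_vlan"], config)
    if m:
        s["critical_vlan"] = int(m.group(1))
    s["reinit_on_alive"] = re.search(PATTERNS["reinit_on_alive"], config) is not None
    m = re.search(PATTERNS["test_username"], config)
    if m:
        s["test_username"] = m.group(1)
    m = re.search(PATTERNS["dead_criteria"], config)
    if m:
        s["dead_time"], s["tries"] = int(m.group(1)), int(m.group(2))
    m = re.search(PATTERNS["deadtime_min"], config)
    if m:
        s["deadtime_min"] = int(m.group(1))
    return s


def time_to_declare_dead(dead_time: int, tries: int) -> int:
    """Worst-case seconds from the first unanswered request to 'server dead':
    the initial request plus `tries` retransmits, each waiting `dead_time` seconds."""
    return dead_time * (tries + 1)


def audit(s: dict) -> List[str]:
    """Hypothetical review checklist: findings a reviewer would raise on these settings."""
    findings = []
    if s["critical_vlan"] is None:
        findings.append("no server dead action: new hosts get no access while RADIUS is down")
    if not s["reinit_on_alive"]:
        findings.append("no server alive action: hosts stay in the critical VLAN after recovery")
    if s["test_username"] is None:
        findings.append("no 'test username': the switch will not probe a dead server automatically")
    if s["dead_time"] is None:
        findings.append("no dead-criteria: dead detection relies on platform defaults")
    return findings


class SwitchRadiusModel:
    """Toy model of the switch behaviour the post walks through (times in seconds)."""

    def __init__(self, s: dict):
        self.s = s
        self.server_alive = True
        self.next_probe_at: Optional[int] = None
        self.sessions: Dict[str, str] = {}  # host -> how it was authorized

    def _critical(self) -> str:
        return f"critical-vlan-{self.s['critical_vlan']}"

    def authenticate(self, host: str, now: int, server_reachable: bool) -> Tuple[str, int]:
        """An access-request for `host` at `now`; returns (authorization, time it was decided)."""
        if not self.server_alive:
            # Server already marked dead: the dead action applies without waiting.
            self.sessions[host] = self._critical()
            return self.sessions[host], now
        if server_reachable:
            self.sessions[host] = "radius"
            return "radius", now
        # No reply: time out, retransmit `tries` times, then declare the server dead.
        decided = now + time_to_declare_dead(self.s["dead_time"], self.s["tries"])
        self.server_alive = False
        self.next_probe_at = decided + self.s["deadtime_min"] * 60
        self.sessions[host] = self._critical()  # earlier sessions keep their authorization
        return self.sessions[host], decided

    def run_probe(self, now: int, server_reachable: bool) -> List[str]:
        """Automatic test packet at `now`; returns the hosts reinitialized if the server is back."""
        if self.server_alive:
            return []
        if not server_reachable:
            self.next_probe_at = now + self.s["deadtime_min"] * 60
            return []
        self.server_alive = True
        self.next_probe_at = None
        if not self.s["reinit_on_alive"]:
            return []
        reinit = [h for h, a in self.sessions.items() if a == self._critical()]
        for h in reinit:
            self.sessions[h] = "radius"  # assumption: reauthentication against the live server succeeds
        return reinit


if __name__ == "__main__":
    settings = parse_dead_server_settings(SAMPLE_CONFIG)
    print("settings:", settings, "findings:", audit(settings) or "none")
    sw = SwitchRadiusModel(settings)
    for host in "ABC":
        sw.authenticate(host, 0, True)             # ISE reachable: authorized by RADIUS
    print("D:", sw.authenticate("D", 100, False))  # ISE silently gone: dead after 15 s
    print("probe:", sw.run_probe(sw.next_probe_at, False), "next at", sw.next_probe_at)
    print("reinit:", sw.run_probe(sw.next_probe_at, True), sw.sessions)
```

Running the script shows the numbers the post states: 15 seconds from the first unanswered request to "server dead", a first test probe 120 seconds after that, and hosts A, B and C keeping their RADIUS authorization while D lands in VLAN 100 until a probe succeeds and D is reinitialized. Pointing `parse_dead_server_settings` at a real `show running-config` capture with the `test username` line removed makes `audit` report that automatic probing is not configured.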