Cisco :: EEM Scripts for ISE Low Impact Mode

In this video, we take a look at how EEM scripts can be utilized alongside Low Impact mode to enable ports to fail open.

Below are EEM Scripts that can be reused and modified for your environment.

Note: For single RADIUS Servers use the “%RADIUS-4-RADIUS_DEAD” syslog pattern and for a group of RADIUS servers use the “%RADIUS-3- ALLDEADSERVER” syslog pattern.

If your devices utilize command authorization then you need to ensure that the script can still run in the event of a failure. Enter the following command at the end of each applet to ensure command authorization is bypassed.

authorization bypass

Example:
event manager applet pre-auth-acl-fallback authorization bypass

event manager applet pre-auth-acl-recovery authorization bypass 
event manager applet pre-auth-acl-fallback
event syslog pattern "%RADIUS-4-RADIUS_DEAD" maxrun 5
action 1.0 cli command "enable"
action 1.1 cli command "conf t" pattern "CNTL/Z."
action 2.0 cli command "ip access-list extended PRE-AUTH-EEM"
action 3.0 cli command "1 permit ip any any"
action 4.0 cli command "end"

event manager applet pre-auth-acl-recovery
event syslog pattern "%RADIUS-4-RADIUS_ALIVE" maxrun 5
action 1.0 cli command "enable"
action 1.1 cli command "conf t" pattern "CNTL/Z."
action 2.0 cli command "ip access-list extended PRE-AUTH-EEM"
action 3.0 cli command "no 1 permit ip any any"
action 4.0 cli command "end" 

EEM Best Practices: https://community.cisco.com/t5/networking-documents/cisco-eem-best-practices/ta-p/3127596

#Cisco #ISE #EEM #EEMScripts #CiscoISE #ISELowImpactMode #LabEveryday #IdentityServicesEngine #EmbeddedEventManager #NetworkWiizkiid #EmbeddedEventManagerScripts

0 views

©2020 by Network Wizkid