Site Survivability

Use Access Assurance Site Survivability (NAC Edge) to ensure that users and devices can authenticate locally even when the site’s WAN link to the Mist Access Assurance cloud is down.

Site Survivability Overview

Mist Access Assurance is a cloud-based solution that ensures high availability for authentication services. However, there are situations where sites need to continue authenticating users and devices even if their WAN links are down. Access Assurance Site Survivability (NAC Edge) addresses this requirement by providing on-site continuity, ensuring that users and devices can continue to securely connect to the network.

In Site Survivability mode, a lightweight Access Assurance service (NAC Edge service) runs on the on-premises Mist Edge appliance(s). This service processes RADIUS over TLS (RadSec) requests by using a secure local cache of previously authenticated clients. Mist access points (APs) and switches establish a secondary RadSec tunnel to the local Mist Edge, while third-party clients connect to the same Mist Edge acting as a RADIUS server. If the WAN connection is disrupted, the proxy service automatically fails over to the NAC Edge service running on the local Mist Edge, ensuring continuous authentication services. When the WAN connection is restored, authentication traffic seamlessly transitions back to the cloud-based Access Assurance.

How Site Survivability Works

Here's a high-level overview of how Site Survivability works:

  • Normal Operation (WAN link is up):

    • APs, switches, and Mist Edges establish a RadSec tunnel to the cloud Network Access Control (NAC).

    • The cloud NAC processes the client authentication requests through this RadSec tunnel.

    • The site-level Mist Edge’s NAC Edge service synchronizes a local cache of recently authenticated clients and the configured server certificates from the cloud at regular intervals (every 30 minutes). Note that the NAC Edge RADIUS service serves client authentication requests only when the Access Assurance cloud is unreachable from the Mist Edge.

  • Outage (WAN link is down):

    • When connectivity to the cloud NAC is lost, network devices automatically switch over to the NAC Edge, which is configured as the backup RadSec server.

    • The NAC Edge validates client certificates (for EAP-TLS) using your trusted Organization Certificate Authority (CA), checks the local cache for the client, and provides the cached authorization attributes, such as VLAN information.

    • Clients not found in the cache are assigned to a customer-defined default VLAN.

  • Recovery (WAN link is restored):

    • Devices switch back to the cloud NAC based on their built-in failback behavior.

    • Mist Edge re-establishes primary RadSec sessions.

    • Client authentication requests are processed by the cloud NAC.

What's Supported in Site Survivability Mode

  • Authentication methods (when the WAN link is down):

    • 802.1X EAP-TLS and MAC Authentication Bypass (MAB) using cached entries

  • Authorization:

    • The system returns cached attributes for recognized clients, such as VLAN and RADIUS AVPs.

    • For MAB clients with no cache entry, the customer-configured default MAB VLAN is used.

    • For 802.1X clients that pass EAP-TLS certificate validation but have no cache entry, the customer-configured default 802.1X VLAN is used.

  • Cache behavior:

    • Configurable Time-To-Live (TTL) ranging from 1 to 30 days, with a default setting of 7 days

    • Persistent cache even across Edge device restarts

    • Automatic cleanup of client entries once the TTL expires

What's Not Supported in Site Survivability Mode

When the WAN link is down, NAC Edge relies solely on the locally cached information and cannot connect to external systems. This means:

  • EAP-TTLS and Device-Auth authentication are not supported, so password-based authentication is unavailable while the WAN link is down.

  • External Identity Providers (IdPs) are unavailable, so no cloud directory or IdP lookups occur.

  • MDM provider-based policies cannot be enforced.

  • Real-time cloud policy evaluations are not possible.

  • New devices without cache entries cannot obtain dynamic policies and are assigned the default VLAN you have configured.
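The cache-based decision described in the two sections above (cached attributes on a hit, the default MAB or 802.1X VLAN on a miss, a reject for methods that need the cloud, and TTL-based cleanup) can be modelled as follows. This is an added illustrative model, not Juniper's NAC Edge code; the class and function names, the sample VLAN names and the cache entries are constructed for the example.

```python
# Illustrative model of NAC Edge authorization while the cloud is unreachable.
# Added example: not Juniper's implementation. Names, defaults and sample
# entries below are constructed for illustration only.
from dataclasses import dataclass, field
from datetime import datetime, timedelta

DEFAULT_TTL_DAYS = 7   # page default; the caching period is configurable 1..30 days

@dataclass
class CacheEntry:
    method: str            # "eap-tls" or "mab"
    attrs: dict            # cached authorization attributes (VLAN, RADIUS AVPs)
    cached_at: datetime    # when the entry was last synced from the cloud

@dataclass
class NacEdgeCache:
    ttl_days: int = DEFAULT_TTL_DAYS
    default_mab_vlan: str = "unknown-mab"        # constructed sample VLAN name
    default_dot1x_vlan: str = "unknown-dot1x"    # constructed sample VLAN name
    entries: dict = field(default_factory=dict)

    def __post_init__(self):
        if not 1 <= self.ttl_days <= 30:
            raise ValueError("caching period must be between 1 and 30 days")

    def sync_from_cloud(self, recent, now):
        """Periodic sync (every 30 minutes per the page): refresh recently authenticated clients."""
        for client_id, method, attrs in recent:
            self.entries[client_id] = CacheEntry(method, dict(attrs), now)

    def cleanup(self, now):
        """Automatic cleanup: drop entries whose TTL has expired."""
        expiry = now - timedelta(days=self.ttl_days)
        self.entries = {k: v for k, v in self.entries.items() if v.cached_at >= expiry}

    def authorize(self, client_id, method, cert_valid, now):
        """Decision when the cloud is unreachable: cache hit, default VLAN, or reject."""
        self.cleanup(now)
        if method not in ("eap-tls", "mab"):
            return ("reject", None)   # EAP-TTLS, Device-Auth, passwords need the cloud
        if method == "eap-tls" and not cert_valid:
            return ("reject", None)   # client certificate must validate against the org CA
        hit = self.entries.get(client_id)
        if hit:
            return ("accept", dict(hit.attrs))   # cached VLAN / RADIUS AVPs
        default = self.default_dot1x_vlan if method == "eap-tls" else self.default_mab_vlan
        return ("accept", {"vlan": default})
```

The model shows why the cache TTL matters operationally: a client whose entry has aged out is treated exactly like a never-seen device and lands on the default VLAN, even though its certificate is still valid.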

Configure Site Survivability Settings

Site Survivability is enabled at the site level. The following requirements must be met to implement Mist Access Assurance Site Survivability:

  • A Mist Access Assurance Site Survivability subscription (S-CLIENT-SS-1/3/5) is necessary.

  • At least one Mist Edge must be assigned to the site.

  • Endpoints (laptops, mobile devices, and IoT devices) must already have been authenticated and authorized onto your corporate network while the cloud was reachable, so that the NAC Edge has cache entries for them.

To configure Access Assurance Site Survivability:

Note: Ensure that you have uploaded the following certificates:

  • Organization CA certificate (used to validate EAP-TLS client certificates)

  • Server certificate and key for the local RadSec listener

  1. Click Organization > Site Configuration to go to the list of sites.
  2. Click the site in which you want to configure Access Assurance site survivability.
    The site page is displayed.
  3. Scroll down to the Access Assurance Site Survivability tile.
  4. Select the Enabled check box on the Access Assurance Site Survivability tile.
  5. Configure the settings as described below:
    • Caching Period—Enter the number of days (1 to 30) for which a cache of each NAC client should be maintained. The default is 7 days.

    • Default MAB VLAN—Enter the VLAN ID or VLAN Name of the VLAN for unknown MAB clients.

    • Default 802.1X VLAN—Enter the VLAN ID or name of the VLAN for unknown 802.1X clients that pass EAP-TLS authentication.

    • Mist Edge IPs—Enter the out-of-band management (OOBM) IP address(es) of the Mist Edge(s) acting in site survivability mode.

  6. Save the site configuration by clicking Save on the upper right of the page.