https://community.cisco.com/t5/network-access-control/ise1-1-3-failover-problems/m-p/2156150#M137365 <P>Hi guys<BR /><BR /> I am going to write a short story and will try to explain the problem I have.<BR /><BR />Here is my setup. I have two ISE servers running I. Primary and secondary mode. Ise1 and ise2. Everything is configured and sync is complete. My access switch is a 2960 which has dot1x enabled and radius defined in the Config. It's using ISE 1 as primary and ise2 as secondary point of authentication. There are phones connected to switch and PCM behind the phone.<BR /><BR />The phones and pc authenticate using EAP-TLS which works fines when both servers are up and running. Printers use mab and video end points use EAP-PEAP. All good till here.<BR /><BR />When I shut down my primary server , phones printers and video endpoints authenticate without any problem. Pc is having issue and I am getting error message saying EAP timeout after120 seconds.<BR /><BR />Today just to test that ise servers are configured properly. I removed the primary server from 2960 Config. Now switch has only one radius server listed for authentication. Which is ISE 2. The authentication works fine. All of them. Then I shut down ise1 just for the sake of it. At this step I have ise2 running and 2960 switch has only one radius configured. Everything works fine here.<BR /><BR />The minute I add ISE 1 as primary radius server pc authentication fails and I get EAP time out message.<BR /><BR />Looks like I have to tweak some configuration on 2960 so that it failover to backup ISE ASAP. Has anyone seen that ?<BR /><BR />Thanks.<BR /><BR /><BR /><BR />Sent from Cisco Technical Support iPad App</P> Mon, 11 Mar 2019 03:19:21 GMT Amit Singh2000 2019-03-11T03:19:21Z https://community.cisco.com/t5/network-access-control/ise1-1-3-failover-problems/m-p/2156150#M137365 <P>Hi guys<BR /><BR /> I am going to write a short story and will try to explain the problem I have.<BR /><BR />Here is my setup. I have two ISE servers running I. Primary and secondary mode. Ise1 and ise2. Everything is configured and sync is complete. My access switch is a 2960 which has dot1x enabled and radius defined in the Config. It's using ISE 1 as primary and ise2 as secondary point of authentication. There are phones connected to switch and PCM behind the phone.<BR /><BR />The phones and pc authenticate using EAP-TLS which works fines when both servers are up and running. Printers use mab and video end points use EAP-PEAP. All good till here.<BR /><BR />When I shut down my primary server , phones printers and video endpoints authenticate without any problem. Pc is having issue and I am getting error message saying EAP timeout after120 seconds.<BR /><BR />Today just to test that ise servers are configured properly. I removed the primary server from 2960 Config. Now switch has only one radius server listed for authentication. Which is ISE 2. The authentication works fine. All of them. Then I shut down ise1 just for the sake of it. At this step I have ise2 running and 2960 switch has only one radius configured. Everything works fine here.<BR /><BR />The minute I add ISE 1 as primary radius server pc authentication fails and I get EAP time out message.<BR /><BR />Looks like I have to tweak some configuration on 2960 so that it failover to backup ISE ASAP. Has anyone seen that ?<BR /><BR />Thanks.<BR /><BR /><BR /><BR />Sent from Cisco Technical Support iPad App</P> Mon, 11 Mar 2019 03:19:21 GMT https://community.cisco.com/t5/network-access-control/ise1-1-3-failover-problems/m-p/2156150#M137365 Amit Singh2000 2019-03-11T03:19:21Z https://community.cisco.com/t5/network-access-control/ise1-1-3-failover-problems/m-p/2156151#M137376 <HTML><HEAD></HEAD><BODY><P>If you have the radius-server commands put in, the switch should just rotate through the servers if they're not available. But, there are radius server groups and the traditional radius-server host commands. Could just be something was overlooked.</P><P></P><P>But, this does seem to be a problem with switch configuration. Can you provide the config of the 2960?</P></BODY></HTML> Wed, 17 Apr 2013 13:52:07 GMT https://community.cisco.com/t5/network-access-control/ise1-1-3-failover-problems/m-p/2156151#M137376 Ryan Wolfe 2013-04-17T13:52:07Z https://community.cisco.com/t5/network-access-control/ise1-1-3-failover-problems/m-p/2156152#M137395 <HTML><HEAD></HEAD><BODY><P>Do you have the following lines in your config?</P><P></P><P>radius-server dead-criteria time 5 tries 3</P><P>radius-server host <SERVER> auth-port 1812 acct-port 1813 test username radius-test key 7 <HASH></HASH></SERVER></P><P>radius-server host <SERVER> auth-port 1812 acct-port 1813 test username radius-test key 7 <HASH></HASH></SERVER></P><P></P><P>I could see a situation where you have the aaa server group configured, but not this, and your switch failed to identify the primary RADIUS server as down, forcing the issue of manual removal.</P></BODY></HTML> Wed, 17 Apr 2013 14:41:48 GMT https://community.cisco.com/t5/network-access-control/ise1-1-3-failover-problems/m-p/2156152#M137395 ryan.lambert 2013-04-17T14:41:48Z