Cisco ISE Guest 2 node deployment

saxenanitesh8522 — Mon, 11 Mar 2019 07:27:18 GMT

Hi Everyone,

I want to run guest services with 2 node deployment of ISE 2.1.

We don't have load balancer for getting a VIP for the ise

what are the options we do can so we have a high availability of the guest services?

Scenario 1:-

I have read blogs about deploying 2 portal pages redirecting based on the host name of the ISE where the request comes

Scenario 2:-

the ip host command as per documentation "When Cisco ISE processes an authorization profile redirect URL, it replaces the IP address with the FQDN of the Cisco ISE node." --> will this work with google/public dns servers?

also if i make a entry on ise like below will this work?

ise1 :- ip host 10.10.10.1 guestsevice guestservice.cisco.com

ise2 :- ip host 10.10.10.2 guestsevice guestservice.cisco.com

even will we need to different authorization rules and guest portal or one authorization & guest portal can do the work?

Need the best solution?

Hi

Francesco Molino — Mon, 13 Feb 2017 02:08:57 GMT

Using DNS could be a solution. However, the wlc will send the request to 1 ISE and the customer will be redirect on the portal based on fqdn. If you're using round robin you can face an issue: I mean you can be redirected to 1 use while the session is on the 2nd one. In that case, users won't be able to get the portal and authenticate.

You can found some free load balancer on Linux to achieve that goal.

There is also another solution by using anycast capabilities on the routing side.

There is good blog done (I won't re-explain all as it is well described): http://www.networkworld.com/article/3074954/security/how-to-use-anycast-to-provide-high-availability-to-a-radius-server.html

In same cases and based on customer environment I'm using 1 of the other solution.

Thanks

PS: Please don't forget to rate and mark as correct answer if this answered your question

topic Hi in Network Access Control

Cisco ISE Guest 2 node deployment

Hi