https://community.cisco.com/t5/network-access-control/ise-redundancy-failover-over-distributed-environment-at/m-p/2977690#M24502 <P>One thing to keep in mind here is that the maximum round trip delay between the nodes has to be &lt; 300 ms. Anything over that will not be supported by Cisco TAC and you might encounter database replication issues. If the delay is &gt; 300 ms then you will need to deploy two separate instances of ISE that are not replicating to each other.&nbsp;</P> <P>I hope this helps!</P> <P><EM>Thank you for rating helpful posts!</EM></P> Wed, 11 Jan 2017 18:16:43 GMT nspasov 2017-01-11T18:16:43Z https://community.cisco.com/t5/network-access-control/ise-redundancy-failover-over-distributed-environment-at/m-p/2977687#M24495 <P>Hi,<BR /> <SCRIPT src="https://dpm.demdex.net/id?d_visid_ver=1.5.6&amp;d_rtbd=json&amp;d_ver=2&amp;d_orgid=B8D07FF4520E94C10A490D4C%40AdobeOrg&amp;d_nsid=0&amp;d_mid=59422263365916656242409819833846430863&amp;d_blob=NRX38WO0n5BH8Th-nqAG_A&amp;d_cb=s_c_il%5B2%5D._setMarketingCloudFields" type="text/javascript" async="async"></SCRIPT> </P> <SECTION class="clearfix" id="j-main"> <DIV class="clearfix" id="jive-body"> <DIV class="j-layout j-layout-ls clearfix"> <DIV class="j-column-wrap-l"> <DIV class="j-column j-column-l lg-margin"> <DIV class="jive-thread-messages" id="jive-thread-messages-container" role="main"> <DIV class="jive-content j-op j-rc4 " role="article"> <DIV class="j-thread-post j-rc4 "> <SECTION class="j-original-message"> <DIV class="jive-rendered-content"> <P>&nbsp;</P> <P>I have a use case where i need to configure ISE at two different geographical locations: &nbsp;HO (India) and BO (USA).</P> <P>Requirement is, if the ISE server fails at US Branch, all the endpoints must automatically fail-over to HO (India) and the endpoints in US must be 802.1x authenticated and the authorization policy to be given by HO ISE server. However, to achieve this i don't see secondary ISE point configuration is Switch.</P> <P>ISE configuration(Standalone deployment), Integration with NAD and AD, dot1x etc, is much familiar to me. But, internet documents are not helping much in this requirement.</P> <P>Can someone give much clarity to achieve the fail-over part for this use case pls?</P> <P></P> <P>Thanks,</P> <P>Sagar</P> </DIV> </SECTION> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </SECTION> Mon, 11 Mar 2019 07:20:51 GMT https://community.cisco.com/t5/network-access-control/ise-redundancy-failover-over-distributed-environment-at/m-p/2977687#M24495 prado1985 2019-03-11T07:20:51Z https://community.cisco.com/t5/network-access-control/ise-redundancy-failover-over-distributed-environment-at/m-p/2977688#M24498 <P>If both nodes are acting as Policy Nodes (PSN), you can have both as Radius servers in a aaa server group. The second radius server in the group acts as backup in case first one is not reachable. Example to configure that on a switch is here:</P> <P>http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_rad/configuration/xe-3se/5700/sec-usr-rad-xe-3se-5700-book/sec-rad-aaa-server-groups.html#GUID-5B656046-CF52-4B95-8292-71EC081FD041</P> <P>As seen in the example above, you would then call your AAA group in the "aaa authentication" and "aaa authorization" commands.</P> Tue, 10 Jan 2017 17:03:56 GMT https://community.cisco.com/t5/network-access-control/ise-redundancy-failover-over-distributed-environment-at/m-p/2977688#M24498 Rahul Govindan 2017-01-10T17:03:56Z https://community.cisco.com/t5/network-access-control/ise-redundancy-failover-over-distributed-environment-at/m-p/2977689#M24499 <P>Hi Rahul,</P> <P></P> <P>Thank you for your valuable response. I'll implement as per the reference example and revert with the result.</P> <P></P> <P>Thanks again,</P> <P>Pradeep</P> Wed, 11 Jan 2017 12:33:27 GMT https://community.cisco.com/t5/network-access-control/ise-redundancy-failover-over-distributed-environment-at/m-p/2977689#M24499 prado1985 2017-01-11T12:33:27Z https://community.cisco.com/t5/network-access-control/ise-redundancy-failover-over-distributed-environment-at/m-p/2977690#M24502 <P>One thing to keep in mind here is that the maximum round trip delay between the nodes has to be &lt; 300 ms. Anything over that will not be supported by Cisco TAC and you might encounter database replication issues. If the delay is &gt; 300 ms then you will need to deploy two separate instances of ISE that are not replicating to each other.&nbsp;</P> <P>I hope this helps!</P> <P><EM>Thank you for rating helpful posts!</EM></P> Wed, 11 Jan 2017 18:16:43 GMT https://community.cisco.com/t5/network-access-control/ise-redundancy-failover-over-distributed-environment-at/m-p/2977690#M24502 nspasov 2017-01-11T18:16:43Z