https://community.cisco.com/t5/network-access-control/ise-2-1-ldap/m-p/2955827#M37694 <P>James,</P> <P>You can have multiple AD joint points for different domains. &nbsp;You can use those as store sequence in case of one AD failover.</P> <P>Regards</P> <P>Gagan</P> <P>ps : rate if it helps!!!</P> Mon, 07 Nov 2016 12:37:26 GMT Gagandeep Singh 2016-11-07T12:37:26Z https://community.cisco.com/t5/network-access-control/ise-2-1-ldap/m-p/2955824#M37690 <P>Hi All,</P> <P></P> <P>We are running ISE 2.1 Patch 1 and ran into an interesting problem yesterday where our Primary PSN dis-joined from the domain which meant our&nbsp;SOE machines were failing 802.1X and falling back to MAB.</P> <P></P> <P>Are&nbsp;there any other failover mechanisms for AD authentication (short of failing over to the secondary PSN) that we can implement if this was to happen again?&nbsp; Has this happened to anyone before?&nbsp;</P> <P></P> <P>Thanks,</P> <P></P> <P>James</P> Mon, 11 Mar 2019 07:12:31 GMT https://community.cisco.com/t5/network-access-control/ise-2-1-ldap/m-p/2955824#M37690 James Paton 2019-03-11T07:12:31Z https://community.cisco.com/t5/network-access-control/ise-2-1-ldap/m-p/2955825#M37691 <P>Hi James,</P> <P>If your PSN got disconnected from AD domain. But the PSN is still active. Failover will happen when primary PSN gets down then it will failover to next configured PSN on NAD.</P> <P></P> <P>However, if you can use identity store sequence in ISE in order to move from AD to LDAP/internal/RSA as per your configuration.</P> <P></P> <P>Hope it helps!!!</P> <P></P> <P>Regards</P> <P>Gagan</P> <P>ps : rate if it helps!!!</P> Mon, 07 Nov 2016 08:53:17 GMT https://community.cisco.com/t5/network-access-control/ise-2-1-ldap/m-p/2955825#M37691 Gagandeep Singh 2016-11-07T08:53:17Z https://community.cisco.com/t5/network-access-control/ise-2-1-ldap/m-p/2955826#M37693 <P>Hi Gagan,</P> <P></P> <P>What if we are only using AD, what are our options if our primary PSN is removed from the domain and the node is still active?&nbsp; Can we use different AD join points or sequences?</P> <P></P> <P>Thanks,</P> <P></P> <P>James</P> Mon, 07 Nov 2016 10:00:34 GMT https://community.cisco.com/t5/network-access-control/ise-2-1-ldap/m-p/2955826#M37693 James Paton 2016-11-07T10:00:34Z https://community.cisco.com/t5/network-access-control/ise-2-1-ldap/m-p/2955827#M37694 <P>James,</P> <P>You can have multiple AD joint points for different domains. &nbsp;You can use those as store sequence in case of one AD failover.</P> <P>Regards</P> <P>Gagan</P> <P>ps : rate if it helps!!!</P> Mon, 07 Nov 2016 12:37:26 GMT https://community.cisco.com/t5/network-access-control/ise-2-1-ldap/m-p/2955827#M37694 Gagandeep Singh 2016-11-07T12:37:26Z https://community.cisco.com/t5/network-access-control/ise-2-1-ldap/m-p/2955828#M37695 <P>Thanks Gagan,</P> <P></P> <P>LDAP looks like it will overcome and provide a failover if the PSN is dis-joined from the domain.</P> <P></P> <P>James</P> Mon, 07 Nov 2016 20:22:21 GMT https://community.cisco.com/t5/network-access-control/ise-2-1-ldap/m-p/2955828#M37695 James Paton 2016-11-07T20:22:21Z https://community.cisco.com/t5/network-access-control/ise-2-1-ldap/m-p/2955829#M37696 <P>Your welcome:).</P> <P></P> Mon, 07 Nov 2016 20:29:00 GMT https://community.cisco.com/t5/network-access-control/ise-2-1-ldap/m-p/2955829#M37696 Gagandeep Singh 2016-11-07T20:29:00Z