https://community.cisco.com/t5/network-access-control/high-availability-for-ad-or-ldap-servers-in-distributed-ise/m-p/3573437#M517058 <HTML><HEAD></HEAD><BODY><P>Thanks Craig.</P><P>Do you know if ACS also supports these failover scenarios for AD and LDAP ?</P><P>Customer has ACS 5.8 but I am first trying to understand how its done in ISE and explore the same in ACS.</P><P></P><P></P><P></P><P></P><P>Thanks,</P><P>Utkarsh</P></BODY></HTML> Mon, 14 May 2018 23:32:47 GMT umahar 2018-05-14T23:32:47Z https://community.cisco.com/t5/network-access-control/high-availability-for-ad-or-ldap-servers-in-distributed-ise/m-p/3573433#M517053 <HTML><HEAD></HEAD><BODY><P>Hi experts,</P><P></P><P>How is high availability between PSNs and local AD/LDAP maintained ?</P><P>In a distributed environment we add the fqdn of the domain on Admin Node and then all PSNs get joined to their local domain controller.</P><P>If that local domain controller fails does the PSN automatically joins the next domain controller in the DNS response ?</P><P>Do we need to register the PSN again when that failure happens ?</P><P></P><P>Appreciate if you can comment on various challenges in achieving high availability between ISE and AD/LDAP servers in a distributed environment. </P></BODY></HTML> Mon, 14 May 2018 21:25:38 GMT https://community.cisco.com/t5/network-access-control/high-availability-for-ad-or-ldap-servers-in-distributed-ise/m-p/3573433#M517053 umahar 2018-05-14T21:25:38Z https://community.cisco.com/t5/network-access-control/high-availability-for-ad-or-ldap-servers-in-distributed-ise/m-p/3573434#M517054 <HTML><HEAD></HEAD><BODY><P>Specific to integration with AD join points, yes, ISE will try the next domain controllers as defined by Active Directory Site and Services.</P><P><SPAN style="font-size: 10pt;">As to LDAP, the HA is achieved by enabling secondary server.</SPAN></P></BODY></HTML> Mon, 14 May 2018 21:32:04 GMT https://community.cisco.com/t5/network-access-control/high-availability-for-ad-or-ldap-servers-in-distributed-ise/m-p/3573434#M517054 hslai 2018-05-14T21:32:04Z https://community.cisco.com/t5/network-access-control/high-availability-for-ad-or-ldap-servers-in-distributed-ise/m-p/3573435#M517055 <HTML><HEAD></HEAD><BODY><P>If the LDAP is defined by just one FQDN how would we add the secondary server ?</P><P>Customer has mentioned that DNS will return more than one IPs (primary and secondary ldap) for that FQDN. </P></BODY></HTML> Mon, 14 May 2018 21:55:00 GMT https://community.cisco.com/t5/network-access-control/high-availability-for-ad-or-ldap-servers-in-distributed-ise/m-p/3573435#M517055 umahar 2018-05-14T21:55:00Z https://community.cisco.com/t5/network-access-control/high-availability-for-ad-or-ldap-servers-in-distributed-ise/m-p/3573436#M517056 <HTML><HEAD></HEAD><BODY><P>LDAP supports secondary server per PSN as well as a "force reconnect" option to periodically update DNS reply.&nbsp; LDAP targets can point to real server or LB VIP.&nbsp; See BRKSEC-3699 posted to ciscolive.com for more info on LDAP HA.</P></BODY></HTML> Mon, 14 May 2018 23:09:08 GMT https://community.cisco.com/t5/network-access-control/high-availability-for-ad-or-ldap-servers-in-distributed-ise/m-p/3573436#M517056 Craig Hyps 2018-05-14T23:09:08Z https://community.cisco.com/t5/network-access-control/high-availability-for-ad-or-ldap-servers-in-distributed-ise/m-p/3573437#M517058 <HTML><HEAD></HEAD><BODY><P>Thanks Craig.</P><P>Do you know if ACS also supports these failover scenarios for AD and LDAP ?</P><P>Customer has ACS 5.8 but I am first trying to understand how its done in ISE and explore the same in ACS.</P><P></P><P></P><P></P><P></P><P>Thanks,</P><P>Utkarsh</P></BODY></HTML> Mon, 14 May 2018 23:32:47 GMT https://community.cisco.com/t5/network-access-control/high-availability-for-ad-or-ldap-servers-in-distributed-ise/m-p/3573437#M517058 umahar 2018-05-14T23:32:47Z https://community.cisco.com/t5/network-access-control/high-availability-for-ad-or-ldap-servers-in-distributed-ise/m-p/3573438#M517059 <HTML><HEAD></HEAD><BODY><TABLE border="1" class="E-451F249C table" style="margin: 6px 0; border: 0px; font-family: CiscoSans, Arial, sans-serif; font-size: 14px; font-style: normal; font-weight: normal; color: #58585b; text-align: start; text-indent: 0px;" width="100%"><TBODY class="tbody" style="font-family: inherit; font-size: inherit; font-style: inherit; font-weight: inherit;"><TR class="TablerowCSS27 E-451F249CFill row" style="margin: 0 auto; border: 0px solid transparent; font-family: inherit; font-size: inherit; font-style: inherit; font-weight: inherit;"><TD class="E-451F249CColRuling E-451F249CBoxC1 entry E-451F249CRowRuling B1_Body1-F9CE5028 E-451F249C-Table29-Body-Cell11-1" headers="reference_C49694FC52514E588F5B8774692111D3__ID1145__entry__1 " style="padding: 0 5px; border: 1px solid #c6c7ca; font-family: inherit; font-size: inherit; font-style: inherit; font-weight: inherit;"><P class="p" style="margin: 6px 0; font-family: inherit; font-size: 1.4rem; font-style: inherit; font-weight: 400; color: #58585b;"><SPAN style="font-size: 10pt;">Force reconnect every N seconds<SPAN class="Apple-converted-space"> </SPAN></SPAN></P></TD><TD class="entry E-451F249CRowRuling B1_Body1-F9CE5028 E-451F249CBoxC2 E-451F249C-Table29-Body-Cell11-2" headers="reference_C49694FC52514E588F5B8774692111D3__ID1145__entry__2 " style="padding: 0 5px; border: 1px solid #c6c7ca; font-family: inherit; font-size: inherit; font-style: inherit; font-weight: inherit;"><P class="p" style="margin: 6px 0; font-family: inherit; font-size: 1.4rem; font-style: inherit; font-weight: 400; color: #58585b;"><SPAN style="font-size: 10pt;">Check this check box and enter the desired value in the Seconds text box to force the server to renew LDAP connection at the specified time interval. The valid range is from 1 to 60 minutes.</SPAN></P></TD></TR></TBODY></TABLE><P><SPAN style="font-size: 10pt;"><BR /></SPAN></P><P><SPAN style="font-size: 10pt;">available in ISE 2.1+ only, but not in any of ACS 5.x. ACS 5.x does support 2nd LDAP server and the option for "Enable Deployment Configuration", which is equivalent to "Specify server for each ISE node" in ISE 2.2+.<BR /></SPAN></P></BODY></HTML> Tue, 15 May 2018 02:41:14 GMT https://community.cisco.com/t5/network-access-control/high-availability-for-ad-or-ldap-servers-in-distributed-ise/m-p/3573438#M517059 hslai 2018-05-15T02:41:14Z