topic Re: How to Configure AD Fail over for ISE 1.4? in Network Access Control

How to Configure AD Fail over for ISE 1.4?

ahmedsaif — Mon, 29 Jan 2018 12:53:50 GMT

Hello,

We had recently experienced a situation where the ISE was having issue reaching one of the Domain Controllers (DCs) for authentication and was not able to fail-over to another one. The ISE was however seeing the RADIUS server as active but the DC was down. This caused the authentication to fail completely for several sites.

How to design the ISE setup to avoid such issues in the future?

Thanks

Re: How to Configure AD Fail over for ISE 1.4?

vrostowsky — Mon, 29 Jan 2018 15:06:09 GMT

Saif-

you would need multiple ISE servers, with each using a different domain controller. The main settings will be on the switches defining the RADIUS and timeouts. (something like below)

radius server RADIUS1

address ipv4 x.x.x.x auth-port 1812 acct-port 1813

timeout 15

retransmit 3

key "RADIUS passphrase"

radius server RADIUS2

address ipv4 x.x.x.x auth-port 1812 acct-port 1813

timeout 15

retransmit 3

key "RADIUS passphrase"

aaa group server radius RADIUS

server name RADIUS1

server name RADIUS2

ip radius source-interface vlan x

deadtime 15

aaa server radius dynamic-author

client x.x.x.x server-key "RADIUS passphrase"

radius-server dead-criteria time 10 tries 3

Re: How to Configure AD Fail over for ISE 1.4?

Jason Kunst — Mon, 29 Jan 2018 15:45:29 GMT

Recommendation will be to configure your active directory services to be redundant. If ISE is failing to authenticate users against one domain controller then it should switch to another domain controller depending on what your domain services return as the domain controller

Another option is to configure your switch with a radius test user in the domain. If that were to fail and you could fill open with critical auth services on the switch

Re: How to Configure AD Fail over for ISE 1.4?

hslai — Mon, 29 Jan 2018 18:46:49 GMT

It would be good to understand why DC failover not happening. As Jason suggested, ensure AD infrastructure already properly configured with Sites and Services with good redundancy. If that already checked ok, then please engage Cisco TAC to see if it an ISE bug and if a patch available for it.

Cisco ISE 1.4 EoS/EoL shows only Severity-1 and security vulnerability bugs are being addressed so please do plan to upgrade in the near future.

Re: How to Configure AD Fail over for ISE 1.4?

ahmedsaif — Mon, 29 Jan 2018 20:10:13 GMT

Vince, the template I have been using in my environment is the same as mentioned by you. The only thing I am are the below two commands:

1. retransmit

2. timeout

Re: How to Configure AD Fail over for ISE 1.4?

ahmedsaif — Mon, 29 Jan 2018 20:16:38 GMT

Jason,

The AD has been configured with redundancy, with 3 inherent DCs. However, for ISE the RADIUS server is up and active but the DC is dead and for some reason the ISE is unable to fail over to another DC unless ISE is rebooted.

Hslal, We already have the plan to upgrade to a later version but for now we have started to face this this issue more frequently and need to return to a stable state before going for the upgrade

Re: How to Configure AD Fail over for ISE 1.4?

vrostowsky — Mon, 29 Jan 2018 20:24:06 GMT

Saif-

on your core switch run the command:

sh aaa server

(this should show multiple servers ) you should also see : State: current UP

as for the ISE end, i believe I have seen issues with some Server 2012R2 DC's because of SMB versions, but i have had no issues with 2010 DC's. Check If you can see that the AD connector is good in ISE, and you can query the AD groups. I can't remember if ISE 1.4 has the "Diagnostic Tool" to test DNS, LDAP, Kerberos and System health as it does in ISE 2.x

Vince