https://community.cisco.com/t5/network-access-control/ldap-external-identity-source-primary-secondary/m-p/3515517#M537056 <HTML><HEAD></HEAD><BODY><P>Mainly during failover. In case that the auth requests fail over to the secondary LDAP and the connections are active, I would expect ISE continuing with the secondary LDAP until the connections are closed or failed.</P></BODY></HTML> Tue, 08 Nov 2016 17:24:41 GMT hslai 2016-11-08T17:24:41Z https://community.cisco.com/t5/network-access-control/ldap-external-identity-source-primary-secondary/m-p/3515516#M537055 <HTML><HEAD></HEAD><BODY><P>Would like clarification on this from the Admin Guide:</P><P></P><P><A href="http://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21/b_ise_admin_guide_20_chapter_01101.html#ID917" title="http://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21/b_ise_admin_guide_20_chapter_01101.html#ID917">Cisco Identity Services Engine Administrator Guide, Release 2.1 - Manage Users and External Identity Sources [Cisco Ide…</A></P><P></P><P><EM>Cisco ISE always uses the primary LDAP server to obtain groups and attributes for use in authorization policies from the Admin portal, so the primary LDAP server must be accessible when you configure these items. Cisco ISE uses the secondary LDAP server only for authentications and authorizations at run time, according to the failover configuration.</EM></P><P></P><P>Can you explain the last sentence? Does this imply that the secondary server is used when the primary is up and running or just during a failover event and the primary is no longer available?&nbsp; Trying to determine authentication degradation if the secondary LDAP server was to fail or there was a misconfiguration on the secondary server.&nbsp; If the primary was still up, would there be any interruption of authentications.</P></BODY></HTML> Tue, 08 Nov 2016 13:34:47 GMT https://community.cisco.com/t5/network-access-control/ldap-external-identity-source-primary-secondary/m-p/3515516#M537055 scamarda 2016-11-08T13:34:47Z https://community.cisco.com/t5/network-access-control/ldap-external-identity-source-primary-secondary/m-p/3515517#M537056 <HTML><HEAD></HEAD><BODY><P>Mainly during failover. In case that the auth requests fail over to the secondary LDAP and the connections are active, I would expect ISE continuing with the secondary LDAP until the connections are closed or failed.</P></BODY></HTML> Tue, 08 Nov 2016 17:24:41 GMT https://community.cisco.com/t5/network-access-control/ldap-external-identity-source-primary-secondary/m-p/3515517#M537056 hslai 2016-11-08T17:24:41Z https://community.cisco.com/t5/network-access-control/ldap-external-identity-source-primary-secondary/m-p/3515518#M537057 <HTML><HEAD></HEAD><BODY><P>Ok. Thank you.</P></BODY></HTML> Thu, 10 Nov 2016 04:55:03 GMT https://community.cisco.com/t5/network-access-control/ldap-external-identity-source-primary-secondary/m-p/3515518#M537057 scamarda 2016-11-10T04:55:03Z