topic Re: When a Policy Service ISE in Network Access Control

Cisco ISE - Session failover

Prasan Venky — Mon, 11 Mar 2019 05:45:46 GMT

Dear All,

Even after creating Node group between PSN's, session failover is not happening. Any help is really appreciated.

Node groups do not enable

jan.nielsen — Thu, 28 May 2015 14:33:49 GMT

Node groups do not enable session failover, for other sessions than the ones that are in the progress of being authenticated when the node down is detected. Don't expect any kind of replication of sessions between psn's. A session that is already authenticated&authorized, will stay that way until someone pulls the cable, or the re-auth timer expires, in which case the switch will detect that the psn is down, and change to the next psn in your radius group.

When a Policy Service ISE

Venkatesh Attuluri — Wed, 03 Jun 2015 10:00:02 GMT

When a Policy Service ISE node that has a few active sessions goes down, the endpoints are stuck in an intermediate state.one of its peers from the node group learns about the active sessions on the failed node and issues a CoA to disconnect those sessions. As a result, restarts and the sessions are handled by another Policy Service ISE node that is available . The session failover does not automatically move the sessions over from a Policy Service ISE node that has gone down to one that is available, but issues a CoA to achieve that.

Re: When a Policy Service ISE

fatalXerror — Sun, 03 Mar 2019 06:19:23 GMT

hi @Venkatesh Attuluri ,

I am planning to have my deployment to be upgraded and i need to minimize the interruption. Technically, the other PSNs will take it over by using CoA but is it transparent from the user's perspective?

Also, is it true that if I change manually the radius authentication order from my primary PSN to my other PSN in my NAD, the users will be disconnected?

Thanks

Re: When a Policy Service ISE

Damien Miller — Tue, 05 Mar 2019 03:04:30 GMT

When you reload a PSN, no COA is sent to the switch. The node goes down silently from the NAD and endpoint perspective. The completed authentication sessions remain as they did while the node was up. New sessions will be sent to the remaining PSN's based on the radius server configuration on the switch (or load balancer).

The second piece, if you change the radius server order on your switch it will not reset the authentication sessions. Any authenticated sessions remain untouched, new sessions and accounting updates will leverage the new primary server when the switch goes to send them. Alternatively, if you leave your radius server config untouched, take down the primary node for that switch, the NAD will have to detect that the PSN is down, either via automated tester or radius timeouts.

Re: When a Policy Service ISE

fatalXerror — Tue, 05 Mar 2019 18:49:47 GMT

Hi @Damien Miller ,

Thanks for the feedback.

Sorry but regarding the second concern, is that tested that if I change the radius server order of my NAD the authenticated user sessions will not be dropped? I just want to confirm because I have mix answers roaming around here in the community and even TAC.

Thank a lot.