https://community.cisco.com/t5/network-access-control/upgrading-2-2-to-2-7/m-p/4417836#M567849 <P class="lia-align-justify">Hi&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/347992">@craiglebutt</a>&nbsp;,</P><P class="lia-align-justify">&nbsp;If you are using a <STRONG>Load Balancer</STRONG>, you are able to block the <STRONG>WLC</STRONG> access to the <STRONG>PSN</STRONG> (by blocking the <STRONG>Authentication Port - 1812</STRONG>) until the upgrade process completes.</P><P class="lia-align-justify">&nbsp;If you are not using a <STRONG>Load Balancer</STRONG>, you can do the same with an <STRONG>ACL</STRONG> at the <STRONG>PSN's Default GW</STRONG>.</P><P class="lia-align-justify">&nbsp;</P><P class="lia-align-justify">Hope this helps !!!</P> Mon, 14 Jun 2021 12:57:41 GMT Marcelo Morais 2021-06-14T12:57:41Z https://community.cisco.com/t5/network-access-control/upgrading-2-2-to-2-7/m-p/4417758#M567845 <P>Hi</P><P><BR />Upgrading the deployment, by building new Node and restoring the backup.</P><P>My WLAN has all my PSNs in for resilience for Radius,</P><P>The first PSN go to update is the first one in radius settings.</P><P>Unfortunately devices are trying to auth before completing the upgrade, I can't take the&nbsp; IP out of the WLAN as will drop the WLAN for a split second.</P><P>If a device fails to auth against the first node, should it in theory try the 2nd node, or does that only come in to play if the Node is not responding?</P><P>I've changed the shared secret on the WLC so doesn't match the PSN, hoping this will force the devices to try another PSN.</P><P>&nbsp;</P><P>Cheers</P><P>&nbsp;</P> Mon, 14 Jun 2021 11:01:48 GMT https://community.cisco.com/t5/network-access-control/upgrading-2-2-to-2-7/m-p/4417758#M567845 craiglebutt 2021-06-14T11:01:48Z https://community.cisco.com/t5/network-access-control/upgrading-2-2-to-2-7/m-p/4417836#M567849 <P class="lia-align-justify">Hi&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/347992">@craiglebutt</a>&nbsp;,</P><P class="lia-align-justify">&nbsp;If you are using a <STRONG>Load Balancer</STRONG>, you are able to block the <STRONG>WLC</STRONG> access to the <STRONG>PSN</STRONG> (by blocking the <STRONG>Authentication Port - 1812</STRONG>) until the upgrade process completes.</P><P class="lia-align-justify">&nbsp;If you are not using a <STRONG>Load Balancer</STRONG>, you can do the same with an <STRONG>ACL</STRONG> at the <STRONG>PSN's Default GW</STRONG>.</P><P class="lia-align-justify">&nbsp;</P><P class="lia-align-justify">Hope this helps !!!</P> Mon, 14 Jun 2021 12:57:41 GMT https://community.cisco.com/t5/network-access-control/upgrading-2-2-to-2-7/m-p/4417836#M567849 Marcelo Morais 2021-06-14T12:57:41Z https://community.cisco.com/t5/network-access-control/upgrading-2-2-to-2-7/m-p/4417847#M567850 <P>Hi, Craigle.</P><P>&nbsp;</P><P>I think changing the shared secret is a good idea, I encountered a similar case on my migration, where I was wondering why the network device is authenticating on the secondary PSN while we already set the network device to authenticate to the primary PSN.<BR /><BR />We later then found out from the logs that there were attempts to authenticate on the primary PSN but the shared secret was incorrect thus authenticating to the secondary PSN.</P><P>&nbsp;</P><P>Hope this helps.</P> Mon, 14 Jun 2021 13:18:36 GMT https://community.cisco.com/t5/network-access-control/upgrading-2-2-to-2-7/m-p/4417847#M567850 jj2048 2021-06-14T13:18:36Z