https://community.cisco.com/t5/network-access-control/ise-primary-and-secondary-psn-authentication-order/m-p/4584908#M573855 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1337246">@shaheryar.khan</a> the switch will use the RADIUS Server (PSN) in the order they are configured, until marked as dead, then will use the next configured RADIUS server. You can use the <A href="https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_rad/configuration/xe-16/sec-usr-rad-xe-16-book/sec-rad-load-bal.html" target="_self">RADIUS Server Load Balancin</A>g feature which spreads the aaa load or preferrably a 3rd party Load Balancer, such as F5.</P> Mon, 04 Apr 2022 10:09:25 GMT Rob Ingram 2022-04-04T10:09:25Z https://community.cisco.com/t5/network-access-control/ise-primary-and-secondary-psn-authentication-order/m-p/4584879#M573852 <P><BR />Hello, everyone!</P><P><BR />Can someone explain how the switch decides whether to use the primary or secondary PSN when sending Tacacs or Radius authentication requests? It depends on how the switch is configured or something else.</P><P><BR />Thanks</P><P>&nbsp;</P><P>Thanks</P><P>&nbsp;</P> Mon, 04 Apr 2022 09:14:55 GMT https://community.cisco.com/t5/network-access-control/ise-primary-and-secondary-psn-authentication-order/m-p/4584879#M573852 shaheryar.khan 2022-04-04T09:14:55Z https://community.cisco.com/t5/network-access-control/ise-primary-and-secondary-psn-authentication-order/m-p/4584908#M573855 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1337246">@shaheryar.khan</a> the switch will use the RADIUS Server (PSN) in the order they are configured, until marked as dead, then will use the next configured RADIUS server. You can use the <A href="https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_rad/configuration/xe-16/sec-usr-rad-xe-16-book/sec-rad-load-bal.html" target="_self">RADIUS Server Load Balancin</A>g feature which spreads the aaa load or preferrably a 3rd party Load Balancer, such as F5.</P> Mon, 04 Apr 2022 10:09:25 GMT https://community.cisco.com/t5/network-access-control/ise-primary-and-secondary-psn-authentication-order/m-p/4584908#M573855 Rob Ingram 2022-04-04T10:09:25Z https://community.cisco.com/t5/network-access-control/ise-primary-and-secondary-psn-authentication-order/m-p/4585694#M573882 <P>Hi&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1337246">@shaheryar.khan</a>&nbsp;</P> <P>&nbsp;</P> <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/97036">@Rob Ingram</a>&nbsp;is correct regarding the RADIUS process - there is a concept of dead timer and dead criteria etc.</P> <P>But what about TACACS+ ? It's my experience on all Catalyst platforms, IOS-XE 16.x and greater, that there is no dead timer or dead criterion to work with. This means that when Primary TACACS+ server fails, then the IOS-XE device goes to the next candidate, until it finds success. Once the TCP transaction is completed, and the next TACACS+ auth comes along, the IOS-XE doesn't remember that Primary Server didn't respond, and it tries it again, top down.&nbsp; This is why we typically need a feature like deadtime to "hold down" the failing server until we think it's safe to use it again.</P> <P>The consequence of not having this dead "hold-down" timer is that the TACACS+ sessions becomes quite sluggish, as auth and authorization suffer a timeout penalty. The IOS-XE device will continue using on the Secondary TACACS+ server, but the CLI responses will feel sluggish.</P> <P>I have always wondered whether I am missing a trick, or whether this is by design in IOS-XE TACACS+ implementation.</P> Tue, 05 Apr 2022 01:01:19 GMT https://community.cisco.com/t5/network-access-control/ise-primary-and-secondary-psn-authentication-order/m-p/4585694#M573882 Arne Bier 2022-04-05T01:01:19Z https://community.cisco.com/t5/network-access-control/ise-primary-and-secondary-psn-authentication-order/m-p/5024344#M587658 <P>Dears</P> <P>I have the same issue with TACACS+ auth, I have ISE1 and ISE2, on the switch I ordered ISE2 then ISE1, and ISE2 is primary, ISE1 is secondary.</P> <P>why does the switch automatically authenticate from the secondary?</P> <P>NOTE: I did not run radius, only i test TACACS.</P> Mon, 26 Feb 2024 10:23:55 GMT https://community.cisco.com/t5/network-access-control/ise-primary-and-secondary-psn-authentication-order/m-p/5024344#M587658 Ib_Reda 2024-02-26T10:23:55Z https://community.cisco.com/t5/network-access-control/ise-primary-and-secondary-psn-authentication-order/m-p/5024717#M587687 <P>Share your IOS config here</P> <LI-CODE lang="markup">show run | section tacacs show run | include aaa show tacacs</LI-CODE> <P>As was mentioned before, deadtimer concept does not apply to TACACS AAA. It only applies to RADIUS AAA.</P> <P>TACACS will always <STRONG>try</STRONG> the first server you define in your tacacs Group, even if that server is unavailable.</P> Mon, 26 Feb 2024 22:01:01 GMT https://community.cisco.com/t5/network-access-control/ise-primary-and-secondary-psn-authentication-order/m-p/5024717#M587687 Arne Bier 2024-02-26T22:01:01Z