topic Re: ISE radius auth via secondary node in Network Access Control

ISE radius auth via secondary node

manvik — Mon, 28 Nov 2022 13:15:39 GMT

We have a 2 node setup with primary ISE node in DC and secondary ISE nod ein DR. All personas(admin, policy, monitoring) are in one node.

Anyconnect VPN users connect to ASA and then to ISE for authentication, so far everything working fine when users connect to DC ASA and ISE.

We are confused, whether Anyconnect auth work if users connect to DR ASA and then to DR ISE. DC ISE is primary for all personas.

Re: ISE radius auth via secondary node

Milos_Jovanovic — Mon, 28 Nov 2022 20:03:38 GMT

Hi @manvik,

You need to enable all pesonas on second ISE node too (if not already, it's bit unclear from original post). Once enabled, DR ISE will also be able to process AAA traffic, so your scenarion where you are using DR ASA and DR ISE would work.

Kind regards,

Milos

Re: ISE radius auth via secondary node

Ambuj M — Mon, 28 Nov 2022 20:18:45 GMT

all authentication is go to ISE in primary DC by default unless you have some kind of load balancing going on, since its DR site I highly doubt that.

The radius server (auth server group) should be configured under tunnel-group on the ASA, for test under maintenance window you can change the ISE server order making DR ISE as primary and see if the authentication starts going through DR and it works.

if the secondary ISE is in server-group and working fine, it should work, usually these things are tested before deployment, but you can always test it simply by changing DR ISE as primary radius on ASA.

Re: ISE radius auth via secondary node

manvik — Tue, 29 Nov 2022 11:46:32 GMT

all personas are enabled on both nodes. DC ISE is primary role and DR ISE is secondary role.

When a user connects to DR VPN, ISE log shows policy server as DC ISE.

Is there a way for DR ISE to be policy server.

Re: ISE radius auth via secondary node

Marvin Rhoads — Tue, 29 Nov 2022 13:28:01 GMT

An ASA will use the configured AAA servers (ISE nodes in your case with PSN role) in the order they are specified in the configuration (aaa-server-group). As long as the first server is responding to RADIUS requests, the ASA will always use it.

To perform a test of the secondary ISE node you can do a manual test from the ASA (ASDM or cli) specifying that node or temporarily remove the primary node from your config (or block reachability to the primary node in some other way).

Re: ISE radius auth via secondary node

Milos_Jovanovic — Tue, 29 Nov 2022 13:40:32 GMT

Alternatively to what @Marvin Rhoads suggested, you can manually change order of aaa-server configuration on your DR ASA - to use DR ISE first, and DC ISE as a second. That way, your DR ASA will always talk to nearest ISE, and you should also be able to see it in the logs.

Kind regards,

Milos

Re: ISE radius auth via secondary node

manvik — Wed, 30 Nov 2022 04:12:27 GMT

thank you all, ASA has DR ISE as primary AAA, still the DC ISE servers as policy node.

Is there a way DR ISE serves as policy node for requesting coming to it.

Re: ISE radius auth via secondary node

Milos_Jovanovic — Wed, 30 Nov 2022 07:03:29 GMT

Could you please post output of the "show run aaa-server your_RADIUS_group", "show aaa-server your_RADIUS_group" and "show run tunnel-group relevant_tunnel-group"?

If DR ISE is configured as primary server on ASA, and all is ok with ISE (e.g. PSN role enabled, network device added, etc.), then there is no obvious reason why DC ISE would be contacted instead of DR ISE.

Kind regards,

Milos

Re: ISE radius auth via secondary node

manvik — Wed, 30 Nov 2022 07:09:54 GMT

DR ISE has PSN role enabled, network device added, etc.

In ISE deployment, DC ISE is primary and DR ISE is secondary role.

Re: ISE radius auth via secondary node

Milos_Jovanovic — Wed, 30 Nov 2022 07:20:21 GMT

What is the server status on ASA with "show aaa-server" - active or failed?

If active, and everything else seems to be ok, then I would advise to open a TAC case, as there isn't much that community can help with.

Kind regards,

Milos

Re: ISE radius auth via secondary node

manvik — Tue, 13 Dec 2022 10:27:29 GMT

The TAC had looked into this, issue was related to certificates. New self signed cert was generated and wass placed in both DC&DR ISE.