topic Re: ISE Deploymet - which ise has processed the request in Network Access Control

ISE Deploymet - which ise has processed the request

mgollob — Mon, 08 Jan 2024 09:29:34 GMT

Hello,

I have an ISE deployment consisting of 2 nodes. However, for the policy set I need to know which ISE processed the request. If I look in the Radius log, there is a Policy Server item and then the host name of the ISE. How can I check in my Authorization Profile which ISE has processed it so that I can return a different result?

Re: ISE Deploymet - which ise has processed the request

Mark Elsen — Mon, 08 Jan 2024 09:33:34 GMT

- The need for this requirement is unclear for me and not possible because from Policy (policies) Server (implemented) to handling is a one way flow ; please elaborate if needed ,

Re: ISE Deploymet - which ise has processed the request

MHM Cisco World — Mon, 08 Jan 2024 12:07:15 GMT

check below

MHM

Re: ISE Deploymet - which ise has processed the request

Karsten Iwen — Mon, 08 Jan 2024 09:45:23 GMT

Try "ISE Host Name" from the "Network Access" directory. But you should better tell what you want to achieve. My first impression is that it is likely a horrible idea that you have here.

Re: ISE Deploymet - which ise has processed the request

mgollob — Mon, 08 Jan 2024 10:29:47 GMT

I am in the process of implementing an ISE Guest solution and have a deployment with 2 nodes. I need 2 authorization profiles, each with a different redirect link to the guest portal, depending on which ISE is processing the request and therefore I need to know which PSN is processing it so that I can provide the correct link. It is for redundancy reasons.

Re: ISE Deploymet - which ise has processed the request

MHM Cisco World — Mon, 08 Jan 2024 10:45:09 GMT

so your NAD is WLC
do you config both ISE under WLAN ?
MHM

Re: ISE Deploymet - which ise has processed the request

Karsten Iwen — Mon, 08 Jan 2024 11:04:47 GMT

For redundancy, you want both ISEs to behave in the same way. For the redirect, by default, the ISE uses the FQDN of the ISE that handles the request. No need to configure two different authorization profiles.

Re: ISE Deploymet - which ise has processed the request

MHM Cisco World — Mon, 08 Jan 2024 11:50:00 GMT

you are correct
let me check this point
FQDN is not relate to this case
MHM

Re: ISE Deploymet - which ise has processed the request

MHM Cisco World — Mon, 08 Jan 2024 12:06:46 GMT

https://community.cisco.com/t5/network-access-control/ise-2-1-multiple-psns-with-cwa-guest-without-load-balancer/td-p/3534288

as I mention you are correct
the issue is two ISE need load balance
if there is no then you need two authz profile
check link I share
the FQDN is not relate to anything here

MHM

Re: ISE Deploymet - which ise has processed the request

thomas — Mon, 08 Jan 2024 15:52:28 GMT

In the ISE LiveLogs, there is a Server column that tells you clearly by name which ISE node/PSN handled the request. Make sure you have the column enabled and you may need to scroll far to the right to see it for a LiveLog entry.

As others have mentioned, you typically want your policy to be consistent between all ISE nodes otherwise it can be complicated. However, if you are absolutely certain you want this, you may create a Policy Set Authorization Rule that uses the condition Network Access:ISE Hostname EQUALS ise-name .

Re: ISE Deploymet - which ise has processed the request

mgollob — Mon, 08 Jan 2024 15:58:11 GMT

thank you very much 🙂 yes this solution also worked for me, but I don't need it anymore because Karsten Iwen's answer worked perfectly. I just removed the static entry and it automatically uses the PSN from which the request is processed 🙂

Re: ISE Deploymet - which ise has processed the request

MHM Cisco World — Mon, 08 Jan 2024 16:04:34 GMT

Sorry @thomas

So can confirm that he can use both ISE as redundacy for CWA without F5 ?

Thanks alot

MHM

Re: ISE Deploymet - which ise has processed the request

mgollob — Mon, 08 Jan 2024 16:10:48 GMT

yes, no load balancer is needed for the guest portal, as long as it is okay to have two different domains. Depending on which ISE is processing the request, the correct fqdn will be returned if it has not been entered statically. If this is entered statically, you can do it with a second authorization profile and a check with the hostname and return a different redirect link.

Re: ISE Deploymet - which ise has processed the request

thomas — Mon, 08 Jan 2024 17:03:06 GMT

@MHM Cisco World , you want multiple ISE nodes for AAA (RADIUS/TACACS+) service redundancy.

ISE is not a load balancer and will not magically forward or balance requests between two ISE nodes. For this you still need an actual load balancer. Watch the ISE Webinar ▷ Cloud Load Balancing with ISE for more details and examples.

If your network devices send all requests to the same ISE node without a load balancer, only one ISE node will receive and handle the requests.