https://community.cisco.com/t5/network-access-control/ise-fall-back/m-p/2392573#M88588 <HTML><HEAD></HEAD><BODY><P>I doubt you can force a re-auth when the first ise becomes available again, but it should change back to it once the re-auth timer expires for the dot1x sessions on the switch, and the client will be re-authenticated.</P></BODY></HTML> Wed, 29 Jan 2014 00:33:47 GMT jan.nielsen 2014-01-29T00:33:47Z https://community.cisco.com/t5/network-access-control/ise-fall-back/m-p/2392571#M88586 <P>Hi</P><P>I have 2 ISE 1.2</P><P>I configured ISE1(192.168.1.1) as primary for PAN, MNT and PSN and it work fine</P><P>Now I am configuring ISE2(192.168.2.1) as secondary PAN, MNT and PSN</P><P></P><P>In normal situation, the user are authenticated on ISE1</P><P>My goal : </P><P>If ISE1 is unavailable, user are authenticated on ISE2</P><P>Then as soon as ISE1 become again available, user must be authenticated again on ISE1</P><P></P><P></P><P>I configured it,&nbsp; but it dont work (see below my configuration)</P><P><SPAN style="font-size: 10pt;"> </SPAN></P><P>radius-server dead-criteria time 5 tries 3</P><P>radius-server host 192.168.1.1 auth-port 1812 acct-port 1813 key Password123</P><P>radius-server host 192.168.2.1 auth-port 1812 acct-port 1813 key Password123</P><P>radius-server retry method reorder</P><P>radius-server transaction max-tries 3</P><P>radius-server retransmit 1</P><P><SPAN style="font-size: 10pt;"> </SPAN></P><P>When ISE1 become again available, user remain authenticated on ISE2</P><P><SPAN style="font-size: 10pt;">How to configure the switch to achieve My goal (</SPAN><SPAN style="font-size: 10pt;">ISE1 become again available, user must be authenticated again on ISE1)</SPAN></P><P></P><P><SPAN style="font-size: 10pt;">Please help</SPAN></P><P><SPAN style="font-size: 10pt;">Thanks in advance</SPAN></P> Mon, 11 Mar 2019 04:18:25 GMT https://community.cisco.com/t5/network-access-control/ise-fall-back/m-p/2392571#M88586 nicanor00 2019-03-11T04:18:25Z https://community.cisco.com/t5/network-access-control/ise-fall-back/m-p/2392572#M88587 <HTML><HEAD></HEAD><BODY><P> As per my knowledge When a primary Monitoring ISE node goes down, the secondary Monitoring&nbsp; ISE node takes over all monitoring and troubleshooting information. The&nbsp; secondary node provides read-only capabilities, which means you cannot&nbsp; make configuration changes to that node. </P><P></P><P> <A name="wp1101486"></A></P><P> To make configuration changes on the secondary node, the administrator&nbsp; must first manually promote the secondary node to a primary role. If the&nbsp; primary node comes back up after the secondary node has been promoted,&nbsp; it assumes the secondary role. If the secondary node was not promoted,&nbsp; the primary Monitoring ISE node will resume its role after it comes back&nbsp; up. </P><P></P><P>For configuration help you can see the below link</P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_dis_deploy.html#wp1087439">http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_dis_deploy.html#wp1087439</A></P></BODY></HTML> Tue, 28 Jan 2014 22:36:04 GMT https://community.cisco.com/t5/network-access-control/ise-fall-back/m-p/2392572#M88587 Ravi Singh 2014-01-28T22:36:04Z https://community.cisco.com/t5/network-access-control/ise-fall-back/m-p/2392573#M88588 <HTML><HEAD></HEAD><BODY><P>I doubt you can force a re-auth when the first ise becomes available again, but it should change back to it once the re-auth timer expires for the dot1x sessions on the switch, and the client will be re-authenticated.</P></BODY></HTML> Wed, 29 Jan 2014 00:33:47 GMT https://community.cisco.com/t5/network-access-control/ise-fall-back/m-p/2392573#M88588 jan.nielsen 2014-01-29T00:33:47Z