Beginner

Cisco ISE2.1. How exactly failover works between two branches of ISE distributed deployment?

Hi,

How exactly does failover work between two branches of a distributed ISE deployment?

I have a requirement in an ISE distributed deployment between two branches of an organization:

What I want to achieve is failover between Branch Office1 in India and Branch Office2 in the USA.

Branch1 users connect through a local switch to IND-ISE, and Branch2 users connect through a local switch to US-ISE.

I have imported the certificate from Branch2 and installed it in Branch1. Now I have made Branch1 the primary and Branch2 the secondary node under the deployment option.

My requirement is: if the US-ISE node fails in Branch2, all the users should fall back to the IND-ISE node in Branch1, so that the users in Branch2 can still have authenticated access with the respective authorization policies applied based on the roles defined.

A few documents say ISE has three nodes in general: Admin node, Monitoring node and PSN node. However, while installing ISE we don't install them separately, and we do not assign individual IP addresses to these 3 nodes. Can someone give more clarity on this?

Accepted Solution
Cisco Employee

Re: Cisco ISE2.1. How exactly failover works between two branches of ISE distributed deployment?

Hi Pradeep,

You can find more information about ISE personas (node types) here and more information about how failover works for the admin node here. The administration guide has a lot of good information about setting up ISE in a distributed deployment.

Regards,

-Tim

6 Replies
Beginner

Re: Cisco ISE2.1. How exactly failover works between two branches of ISE distributed deployment?

Hi Tim,

Thanks for the response. I did refer to these docs before posting my question. They didn't answer the specific scenario in my question.

Thanks again,

Pradeep

Cisco Employee

Re: Cisco ISE2.1. How exactly failover works between two branches of ISE distributed deployment?

Pradeep,

A distributed deployment has at minimum 4 nodes:

2x Admin+MnT (each one physical server or VM)

2x PSN (each one physical server or VM)

From an authentication perspective, the PSNs can fail over and back in a number of ways: either behind a load balancer, or configured as primary and secondary RADIUS servers on the switch. Please see the section "Small Network Deployments" starting on page 5 of the document below:

http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/installation_guide/b_ise_InstallationGuide13/b_ise_InstallationGui…

Regards,

-Tim

Contributor

Re: Cisco ISE2.1. How exactly failover works between two branches of ISE distributed deployment?

Hi Tim,

I have a similar question. In my environment, I have an F5 LB for PSN traffic. When we tested PSN authentication traffic failover, there were 2 issues we are trying to understand:

1) When the failure happened, all traffic was sent to the 2nd RADIUS server configured on the switch, which is correct. But after the 1st server recovered from the failure, the switch still kept sending authentication to the 2nd RADIUS server. Do you know why the switch still uses the 2nd server instead of falling back to the 1st one?

2) When we shut down 1 PSN behind the F5, the switch seems to think the whole PSN group is down and shifts to the 2nd RADIUS server IP configured on the switch. Is this normal?

Cisco Employee

Re: Cisco ISE2.1. How exactly failover works between two branches of ISE distributed deployment?

Hi,

Craig has some really great content on that subject and I think it will help you out. Check out our ISE Load Balancing content here: ISE Load Balancing

Regards,

-Tim

Contributor

Re: Cisco ISE2.1. How exactly failover works between two branches of ISE distributed deployment?

Thanks, Tim.

I will take a look.

Also, I think the answer to my Q1 is that the feature "radius-server retry method reorder" needs to be disabled.
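The switch-side primary/secondary RADIUS setup Tim describes, together with the `radius-server retry method reorder` setting raised in the last reply, as an added example configuration that is not from any post in this thread. It is a Cisco IOS/IOS-XE access-switch fragment: the server names, the 10.x addresses and the probe username are constructed placeholders, and the shared secret must be replaced with your own.

```cisco
! Added example (not from this thread): two ISE PSNs as ordered RADIUS servers on an access switch.
! US-ISE is listed first so Branch2 users normally authenticate locally; IND-ISE is the fallback.
! Server names, addresses and the probe user are constructed placeholders.
aaa new-model
!
radius server US-ISE
 address ipv4 10.2.0.10 auth-port 1812 acct-port 1813
 key REPLACE-WITH-SHARED-SECRET
 ! Periodic test authentication so a dead PSN is detected before a real user is affected
 automate-tester username ise-probe probe-on
!
radius server IND-ISE
 address ipv4 10.1.0.10 auth-port 1812 acct-port 1813
 key REPLACE-WITH-SHARED-SECRET
 automate-tester username ise-probe probe-on
!
! Mark a server dead after 3 unanswered requests within 5 seconds ...
radius-server dead-criteria time 5 tries 3
! ... and keep the configured server order: with "retry method reorder" off (the IOS default),
! the switch goes back to US-ISE once it is marked alive again rather than staying on IND-ISE.
no radius-server retry method reorder
!
aaa group server radius ISE-GROUP
 server name US-ISE
 server name IND-ISE
 ! Skip a server marked dead for 10 minutes before trying it again
 deadtime 10
!
aaa authentication dot1x default group ISE-GROUP
aaa authorization network default group ISE-GROUP
aaa accounting dot1x default start-stop group ISE-GROUP
```

The order of the `server name` lines in the group is what makes US-ISE primary and IND-ISE secondary for this switch; the Branch1 switch would list them the other way round. If the PSNs sit behind a load balancer, as in the second question above, the VIP address takes the place of an individual PSN entry here and the switch's dead-criteria then apply to the VIP as a single server; this fragment does not cover the load-balancer side itself.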