Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
811
Views
15
Helpful
5
Replies

How to enable Auto Pan Fail over?

jakeraze
Level 1
Level 1

‎10-13-2019 11:49 PM

Hi Sirs,

 

New to ISE. just want to know if how can we enable auto pan failover when we only have 2 ISE Device.

 

Thank you in advance.

0 Helpful
5 Replies 5

Mohammed al Baqari
Level 11
Level 11

‎10-14-2019 03:05 AM

If its standalone deployment, then auto failover isn't support. For
distributed deployment, see this link.

*** remember to rate useful posts
0 Helpful

#Mat
Level 6
Level 6

‎10-14-2019 11:43 AM

Hi. With two nodes, you can't enable auto-failover. You need, at least, three nodes. Two PAN and a PSN for the heartbeat.

 

https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_010.html#reference_58F40B0E4D354B4DBB9940E4DB8DC8ED

 

Regards.-

 

HTH

.

Damien Miller
VIP Alumni
VIP Alumni
In response to #Mat

‎10-14-2019 12:18 PM

To be fair, no one should have a three node deployment if following the ISE best practices. You would have a four node hybrid, keeping psns dedicated.

If the third node was solely for health check, when the second PAN went to fail over, the 15 minute reload during automatic failover would cause an authentication outage.

jakeraze
Level 1
Level 1
In response to Damien Miller

‎10-14-2019 10:14 PM

Thank you all for your response. appreciate it.

 

Currently we set up this 2 ISE devices as Primary and Secondary. I though once Primary is down. my Network device won't authenticate unless i promote the secondary ise as Primary but i tried it on the lab and the result is even when it's on secondary state. my Switch can still authenticate. No need to promote the secondary to be primary at all.

 

We're only planning to use this ISE as authentication of our network devices and also for Meraki clients.

 

 

0 Helpful

Mohammed al Baqari
Level 11
Level 11
In response to jakeraze

‎10-15-2019 12:01 AM

Hi, it seems that you are using primary and secondary in standalone mode. Auto PAN not supported.

Also, you don't need to promote secondary to authenticate the endpoints when primary is down. What you need is to point your NAD devices to both ISE nodes (pri and sec). Then you can specify which node is the primary for each NAD when you add devices to ISE. Otherwise will be automatically selected. This way even if the primary goes down the secondary will automatically support. The benefit of selecting the primary node for each device is to make sure that profiling works fine.


**** remember to rate useful posts
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents