Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1743
Views
0
Helpful
3
Replies

ISE PSN Failover

Go to solution
Terry
Level 1
Level 1

‎07-21-2019 04:22 AM

Hi, we have a 2 node ISE deployment with authentication requests going to ISE1. This is configured for multiple different connection types and all works as expected. However, when I test the PSN failover by removing ISE1 from the network I have issues with wired DOT1X connections (EAP-TLS). In the logs I am seeing attempts to ISE2 but the following error:

 

5440 Endpoint abandoned EAP session and started new

 

I have tried resetting the client NIC / rebooting and removing the client from ISE but still experience the same problem.

 

When I bring ISE1 back online everything works again as it should.

 

Any help on this would be appreciated.

 

Thanks

Terry

 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎07-21-2019 05:09 AM

The most common cause would be a certificate issue. Do the PSN certificates match on both nodes? Typically we would have a single certificate with SANs for each node.

Are you using native supplicant? If so do you have "Verify the server's identity..." (certificate matching) checked in the supplicant configuration? See step 9 here:

https://community.cisco.com/t5/security-documents/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515#toc-hId-431024936

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎07-21-2019 05:09 AM

The most common cause would be a certificate issue. Do the PSN certificates match on both nodes? Typically we would have a single certificate with SANs for each node.

Are you using native supplicant? If so do you have "Verify the server's identity..." (certificate matching) checked in the supplicant configuration? See step 9 here:

https://community.cisco.com/t5/security-documents/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515#toc-hId-431024936

0 Helpful

Go to solution
Terry
Level 1
Level 1
In response to Marvin Rhoads

‎07-21-2019 06:21 AM

Hi Marvin
Thanks for your reply.
Each node has its own certificate issued by the CA hierarchy with its FQDN in the CN, the SAN option is not being used.
The identity certificate on both nodes have the EAP service associated and both have the correct CA root / chain installed.
I'm just double checking the Windows native supplicant, but would expect this to be ok as we don't have a problem with connections to ISE1.
I can't see a problem with the above setup, but am I missing something with regards to the SAN option?
Thanks
Terry

0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee
In response to Terry

‎07-21-2019 06:55 AM

Check the step section of the auth details report and see how far it got. You might also need debugging on the client side. Or, restart ISE services on the second node. Please engage Cisco TAC if you need help troubleshooting it further.

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents