
Auth success in ISE02, but session connects in ISE01

[Screenshot: 2023-08-04 09 54 31.png]

We are using Meraki, and we use ISE01 and ISE02 as RADIUS servers.

Auth success in ISE02, but session connects in ISE01.

Why is ISE02 trying to authenticate?

[Screenshot: 2023-08-04 10 09 24.png]


ammahend
VIP Alumni

Auth is at 9:32, session at 9:52; the session doesn't look like it's for the same auth. Can you disable suppression for successful authentication and test again?

-hope this helps-

Arne Bier
VIP

With the endpoint data hidden, it's hard to see whether this is the same endpoint. But I assume it is. In that case, the blue icon indicates that this is Accounting (Session) data sent by the network device. Authentication was sent to ISE1, but the RADIUS Accounting was sent to ISE2 - the RADIUS server (ISE) doesn't make that decision - it's the network device that is sending it to a specified RADIUS server. Check whether you have the IP addresses of the ISE servers swapped around for Authentication and Accounting.

Why did I authenticate on ISE2 and connect the session to ISE1?
ISE IP has never changed.
Some devices authenticate with ISE1 and ISE2 alternately.
Devices all tried to connect with one SSID.

[Screenshot: SJ_ISE.png]

Arne Bier
VIP

Maybe the Meraki is configured for load balancing?

thomas
Cisco Employee

RADIUS is a request/response protocol so your network devices are the ones requesting an authentication of an endpoint by ISE.

ISE has no control over which RADIUS server instance the network device (Meraki in this case) is going to send the request to. If you list both of your ISE instances in Meraki, it is free to choose either one. Every network device may implement a different algorithm for which server it uses. If you see alternate authentication requests by the same network device, that is probably a sign of a simple round-robin algorithm.

And you did not mention if there was a load balancer, in which case you need to look at your load balancer for why it is doing what it is doing.

Learn about load balancing algorithms from our recent ISE Webinar:

▷ Cloud Load Balancing with ISE 2023/06/15

02:15 What is a proxy server?
03:10 What is a reverse proxy server?
03:49 Load Balancing to many ISE PSNs and Groups
04:44 Load Balancing Methods: Round Robin, Weighted RR, Hash, Least Connections, Least Time to Connect (first byte, last byte), Random
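
Added example, not part of the original thread and not Cisco or Meraki code: a small correlation check over RADIUS log records that flags endpoints whose accounting went to a different server than their authentication, and classifies how each network device spreads authentication requests across servers. The record layout, the NAD names (`mr-ap-01`, `mr-ap-02`) and the MAC addresses are constructed assumptions, not an ISE export format.

```python
from collections import defaultdict

# Constructed sample records: (time, NAD, endpoint MAC, kind, RADIUS server)
RECORDS = [
    ("09:32:01", "mr-ap-01", "aa:bb:cc:00:00:01", "auth", "ISE02"),
    ("09:32:02", "mr-ap-01", "aa:bb:cc:00:00:01", "acct", "ISE01"),
    ("09:40:10", "mr-ap-01", "aa:bb:cc:00:00:02", "auth", "ISE01"),
    ("09:40:11", "mr-ap-01", "aa:bb:cc:00:00:02", "acct", "ISE01"),
    ("09:41:30", "mr-ap-01", "aa:bb:cc:00:00:03", "auth", "ISE02"),
    ("09:45:00", "mr-ap-02", "aa:bb:cc:00:00:04", "auth", "ISE01"),
    ("09:45:01", "mr-ap-02", "aa:bb:cc:00:00:04", "acct", "ISE01"),
    ("09:50:00", "mr-ap-02", "aa:bb:cc:00:00:05", "auth", "ISE01"),
]

def split_sessions(records):
    """Return (mac, auth_server, acct_server) for every accounting record sent
    to a different server than the endpoint's most recent authentication."""
    last_auth = {}
    splits = []
    for _ts, nad, mac, kind, server in sorted(records):
        if kind == "auth":
            last_auth[(nad, mac)] = server
        elif kind == "acct":
            auth_server = last_auth.get((nad, mac))
            if auth_server and auth_server != server:
                splits.append((mac, auth_server, server))
    return splits

def server_selection(records):
    """Classify how each NAD distributes authentication requests."""
    seq = defaultdict(list)
    for _ts, nad, _mac, kind, server in sorted(records):
        if kind == "auth":
            seq[nad].append(server)
    result = {}
    for nad, servers in seq.items():
        if len(set(servers)) == 1:
            result[nad] = "single server"
        elif all(a != b for a, b in zip(servers, servers[1:])):
            # Every request goes to a different server than the previous one.
            result[nad] = "alternating (consistent with round-robin)"
        else:
            result[nad] = "mixed"
    return result

if __name__ == "__main__":
    print(split_sessions(RECORDS))
    print(server_selection(RECORDS))
```

A split reported for one endpoint points at the authentication and accounting server lists on the network device, while an alternating pattern across endpoints points at the device's (or a load balancer's) server selection.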