02-12-2017 09:10 AM - edited 03-11-2019 12:27 AM
Hi Everyone,
I want to run guest services with a 2-node deployment of ISE 2.1.
We don't have a load balancer to get a VIP for the ISE.
What options do we have to get high availability for the guest services?
Scenario 1:-
I have read blogs about deploying 2 portal pages, redirecting based on the host name of the ISE where the request comes from.
Scenario 2:-
The ip host command: as per the documentation, "When Cisco ISE processes an authorization profile redirect URL, it replaces the IP address with the FQDN of the Cisco ISE node." --> Will this work with Google/public DNS servers?
Also, if I make an entry on ISE like the ones below, will this work?
ise1 :- ip host 10.10.10.1 guestsevice guestservice.cisco.com
ise2 :- ip host 10.10.10.2 guestsevice guestservice.cisco.com
Also, will we need different authorization rules and guest portals, or can one authorization rule and guest portal do the work?
I need the best solution.
02-12-2017 06:08 PM
Hi
Using DNS could be a solution. However, the WLC will send the request to one ISE, and the customer will be redirected to the portal based on the FQDN. If you're using round robin, you can face an issue: I mean you can be redirected to one ISE while the session is on the second one. In that case, users won't be able to get the portal and authenticate.
You can find some free load balancers on Linux to achieve that goal.
There is also another solution by using anycast capabilities on the routing side.
There is a good blog post on this (I won't re-explain it all, as it is well described): http://www.networkworld.com/article/3074954/security/how-to-use-anycast-to-provide-high-availability-to-a-radius-server.html
In some cases, and based on the customer environment, I'm using one of the other solutions.
Thanks
PS: Please don't forget to rate and mark as correct answer if this answered your question