Cisco ISE 2.1: How exactly does failover work between two branches of an ISE distributed deployment?

Hi,

How exactly does failover work between two branches of an ISE distributed deployment?

I have a requirement in ISE distributed deployment between two branches of an organization:

What I want to achieve is failover between Branch Office 1 in India and Branch Office 2 in the USA.

Branch 1 users connect through a local switch to IND-ISE, and Branch 2 users connect through a local switch to US-ISE.

I have imported the certificate from Branch 2 and installed it in Branch 1. Now I have made Branch 1 the primary and Branch 2 the secondary node under the deployment option.

My requirement is: if the US-ISE node in Branch 2 fails, all the users should fall back to the IND-ISE node in Branch 1, so that the users in Branch 2 can still have authenticated access with the respective authorization policies applied based on the roles defined.

A few documents say that ISE in general has three nodes: the Admin node, the Monitoring node and the PSN node. However, while installing ISE we don't install them separately, and we do not assign individual IP addresses to these three nodes. Can someone give more clarity on this?

Accepted Solutions
Cisco Employee

Hi Pradeep,

You can find more information about ISE personas (node types) here and more information about how failover works for the admin node here. The administration guide has a lot of good information about setting up ISE in a distributed deployment.

Regards,

-Tim

Hi Tim,

Thanks for the response. I did refer to these docs before posting my question. They didn't answer the specific scenario in my question.

Thanks again,

Pradeep


Pradeep,

A distributed deployment has a minimum of 4 nodes:

2x Admin+MnT (each one physical server or VM)

2x PSN (each one physical server or VM)

From an authentication perspective, the PSNs can fail over and back in a number of ways: either behind a load balancer, or configured as primary and secondary RADIUS servers on the switch. Please see the section "Small Network Deployments" starting on page 5 of the document below:

http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/installation_guide/b_ise_InstallationGuide13/b_ise_InstallationGui…

Regards,

-Tim


Hi Tim,

I have a similar question. In my environment, I have an F5 LB for PSN traffic. When we tested PSN authentication traffic failover, there were 2 issues we are trying to understand:

1) When the failure happened, all traffic was sent to the 2nd RADIUS server configured on the switch, which is correct. But after the 1st server recovered from the failure, the switch still kept sending authentication to the 2nd RADIUS server. Do you know why the switch still uses the 2nd server instead of falling back to the 1st one?

2) When we shut down 1 PSN behind the F5, the switch seems to think the whole PSN group is down and shifts to the 2nd RADIUS server IP configured on the switch. Is this normal?


Hi,

Craig has some really great content on that subject and I think it will help you out. Check out our ISE Load Balancing content here: ISE Load Balancing

Regards,

-Tim


Thanks, Tim.

I will take a look.

Also, I think the answer to my Q1 is that the feature "radius-server retry method reorder" needs to be disabled.
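As an added illustration that is not part of this thread, the switch-side configuration behind the "primary and secondary RADIUS servers on the switch" model Tim describes, and the point about "radius-server retry method reorder" in the last reply: two ISE PSNs in one server group, dead-server detection so the switch can both fail over and fall back, and the reorder command left off. The IP addresses, shared secret and probe user are constructed placeholders; the server names come from the thread. The `automate-tester` probe line is assumed to be available on your IOS release.

```ios
! Added example (not from the thread): IOS switch configured with two ISE PSNs
! as primary and secondary RADIUS servers. Addresses, key and probe user are
! constructed placeholders.
aaa new-model
!
radius server US-ISE
 address ipv4 198.51.100.10 auth-port 1812 acct-port 1813
 key <shared-secret-placeholder>
 ! Periodic test authentication so the switch notices recovery on its own,
 ! instead of only learning about it from real user traffic (assumed syntax).
 automate-tester username probe-user idle-time 5
!
radius server IND-ISE
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <shared-secret-placeholder>
 automate-tester username probe-user idle-time 5
!
! Order matters: for the US branch, the local PSN is listed first and the
! India PSN second, so US-ISE is primary and IND-ISE is the fallback.
aaa group server radius ISE-PSN
 server name US-ISE
 server name IND-ISE
!
! A server is marked dead after 5 seconds with no answer and 3 tries; while
! dead it is skipped for 15 minutes, after which the switch tries it again.
radius-server dead-criteria time 5 tries 3
radius-server deadtime 15
!
aaa authentication dot1x default group ISE-PSN
aaa authorization network default group ISE-PSN
aaa accounting dot1x default start-stop group ISE-PSN
!
! Default behaviour: every new request starts with the first server in the
! group, so traffic returns to US-ISE once it is no longer marked dead.
! "radius-server retry method reorder" changes this so the switch keeps
! using the server that last answered, which is the symptom in Q1 above.
! Leaving it unconfigured (or removing it) keeps the fall-back behaviour.
no radius-server retry method reorder
```

Check the result with `show aaa servers` or `show radius statistics`, which report each server's state (UP/DEAD) and the request counters, so you can see where authentications are going after a failover and whether they return.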
