How exactly does failover work between two branches of a distributed ISE deployment?
I have a requirement in an ISE distributed deployment between two branches of an organization:
What I want to achieve is failover between Branch Office1 in India and Branch Office2 in the USA.
Branch1 users connect through a local switch to IND-ISE, and Branch2 users connect through a local switch to US-ISE.
I have imported the certificate from Branch2 and installed it in Branch1. Now I have made Branch1 the primary and Branch2 the secondary node under the deployment option.
My requirement is: if the US-ISE node in Branch2 fails, all the users should fall back to the IND-ISE node in Branch1, so that the users in Branch2 still have authenticated access, with the respective authorization policies applied based on the roles defined.
A few documents say ISE has three nodes in general: Admin node, Monitoring node and PSN node. However, while installing ISE we don't install them separately and we do not assign individual IP addresses to these 3 nodes. Can someone give more clarity on this?
Thanks for the response. I did refer to these docs before posting my question. They didn't answer the specific scenario in my question.
A distributed deployment has a minimum of 4 nodes:
2x Admin+MnT (each one physical server or VM)
2x PSN (each one physical server or VM)
From an authentication perspective, the PSNs can fail over and fail back in a number of ways: either behind a load balancer, or configured as primary and secondary RADIUS servers on the switch. Please see the section "Small Network Deployments" starting on page 5 of the document below:
I have a similar question. In my environment, I have an F5 LB for PSN traffic. When we tested PSN authentication traffic failover, there were 2 issues we are trying to understand:
1) When the failure happened, all traffic was sent to the 2nd RADIUS server configured on the switch, which is correct. But after the 1st server recovered from the failure, the switch still kept sending authentication to the 2nd RADIUS server. Do you know why the switch still uses the 2nd server instead of falling back to the 1st one?
2) When we shut down 1 PSN behind the F5, the switch seems to think the whole PSN group is down and shifts to the 2nd RADIUS server IP configured on the switch. Is this normal?
Craig has some really great content on that subject and I think it will help you out. Check out our ISE Load Balancing content here: ISE Load Balancing
I will take a look.
Also, I think the answer to my Q1 is that the feature "radius-server retry method reorder" needs to be disabled.
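The switch-side half of the non-load-balancer option described in the accepted answer (two PSNs listed as primary and secondary RADIUS servers), together with the retry-method setting discussed in the last reply, as an added example that is not from the original thread or from Cisco's documentation. It is written for the Branch2 access switch in the original poster's scenario, so US-ISE is listed first and IND-ISE second. The IP addresses, shared secret and probe username are constructed placeholders, and the `radius server` / `automate-tester` syntax assumes a switch running IOS 15.x or IOS-XE.

```ios
! Added example: Branch2 switch RADIUS configuration (not the thread's own config)
aaa new-model
!
! Each ISE PSN is defined as a named RADIUS server.
! Addresses and shared secret are constructed placeholders.
radius server US-ISE
 address ipv4 198.51.100.10 auth-port 1812 acct-port 1813
 key <SHARED-SECRET-PLACEHOLDER>
 automate-tester username ise-probe ignore-acct-port
radius server IND-ISE
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <SHARED-SECRET-PLACEHOLDER>
 automate-tester username ise-probe ignore-acct-port
!
! Dead-server detection: a server is marked dead after 3 unanswered
! requests within 5 seconds, and stays marked dead for 15 minutes.
! automate-tester above sends periodic probe requests so a dead
! server is noticed (and its recovery detected) even with no users.
radius-server dead-criteria time 5 tries 3
radius-server deadtime 15
!
! Server group: the local PSN is listed first, the remote PSN second.
! The switch sends to the first server and moves to the next one only
! when the first is marked dead, which is the failover the OP asked for.
aaa group server radius ISE-GROUP
 server name US-ISE
 server name IND-ISE
 deadtime 15
!
! Leave "retry method reorder" disabled so the switch goes back to the
! first listed server once it is alive again, instead of continuing
! with whichever server last answered (the behaviour seen in Q1 above).
no radius-server retry method reorder
!
aaa authentication dot1x default group ISE-GROUP
aaa authorization network default group ISE-GROUP
aaa accounting dot1x default start-stop group ISE-GROUP
```

Whether the switch actually moves back to US-ISE after it recovers can be checked with `show aaa servers`, which reports each server's state (UP or DEAD) and the dead-time remaining. The Branch1 switch would use the same configuration with the server order reversed.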