01-31-2019 07:01 AM
I use ISE in a distributed deployment.
The NAD in question is configured with two RADIUS server IPs (Radius 1 (local PSN) > Radius 2 (backup PAN)).
I can reach both my local PSN and remote PAN ISE nodes from this NAD. (I can ping both ISE nodes with no problem.)
I can even authenticate with the NAD device. The live RADIUS logs show the device authenticating successfully. My issue is that it's authenticating with the wrong policy server. The authentication request is sent to the remote policy server (backup) and not using the local policy server.
I would expect the authentication request to use the local policy server and not the remote policy server.
Ideas?
01-31-2019 08:08 AM
- Depends on the configuration of the NAD; check how the PSNs are configured and the priority order.
M.
01-31-2019 09:03 AM
01-31-2019 10:04 AM
When we use server groups, that's how we set it up, but this device uses radius-server host.
AAA Configuration
radius-server host 10.100.100.100 (local ise node)
radius-server host 10.200.200.200 (remote ise node)
aaa authentication login default radius local
radius-server key 7 <key here>
It's for some reason skipping the 10.100.100.100 and going right to 10.200.200.200, which doesn't make any sense when I can ping 10.100.100.100. I know the device can reach the local ISE node.
01-31-2019 02:20 PM