Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1027
Views
17
Helpful
5
Replies

High Availability for AD or LDAP servers in distributed ISE environment

Go to solution
umahar
Cisco Employee
Cisco Employee

‎05-14-2018 02:25 PM

Hi experts,

How is high availability between PSNs and local AD/LDAP maintained ?

In a distributed environment we add the fqdn of the domain on Admin Node and then all PSNs get joined to their local domain controller.

If that local domain controller fails does the PSN automatically joins the next domain controller in the DNS response ?

Do we need to register the PSN again when that failure happens ?

Appreciate if you can comment on various challenges in achieving high availability between ISE and AD/LDAP servers in a distributed environment.

1 person had this problem
1 Accepted Solution

Accepted Solutions

Go to solution
Craig Hyps
Level 10
Level 10
In response to umahar

‎05-14-2018 04:09 PM

LDAP supports secondary server per PSN as well as a "force reconnect" option to periodically update DNS reply.  LDAP targets can point to real server or LB VIP.  See BRKSEC-3699 posted to ciscolive.com for more info on LDAP HA.

View solution in original post

5 Replies 5

Go to solution
hslai
Cisco Employee
Cisco Employee

‎05-14-2018 02:32 PM

Specific to integration with AD join points, yes, ISE will try the next domain controllers as defined by Active Directory Site and Services.

As to LDAP, the HA is achieved by enabling secondary server.

Go to solution
umahar
Cisco Employee
Cisco Employee
In response to hslai

‎05-14-2018 02:55 PM

If the LDAP is defined by just one FQDN how would we add the secondary server ?

Customer has mentioned that DNS will return more than one IPs (primary and secondary ldap) for that FQDN.

0 Helpful

Go to solution
Craig Hyps
Level 10
Level 10
In response to umahar

‎05-14-2018 04:09 PM

LDAP supports secondary server per PSN as well as a "force reconnect" option to periodically update DNS reply.  LDAP targets can point to real server or LB VIP.  See BRKSEC-3699 posted to ciscolive.com for more info on LDAP HA.

Go to solution
umahar
Cisco Employee
Cisco Employee
In response to Craig Hyps

‎05-14-2018 04:32 PM

Thanks Craig.

Do you know if ACS also supports these failover scenarios for AD and LDAP ?

Customer has ACS 5.8 but I am first trying to understand how its done in ISE and explore the same in ACS.

Thanks,

Utkarsh

0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee
In response to umahar

‎05-14-2018 07:41 PM

Force reconnect every N seconds

Check this check box and enter the desired value in the Seconds text box to force the server to renew LDAP connection at the specified time interval. The valid range is from 1 to 60 minutes.


available in ISE 2.1+ only, but not in any of ACS 5.x. ACS 5.x does support 2nd LDAP server and the option for "Enable Deployment Configuration", which is equivalent to "Specify server for each ISE node" in ISE 2.2+.

Customers Also Viewed These Support Documents