Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1815
Views
10
Helpful
4
Replies

How redundancy works with ISE

Go to solution
jorgeemilio.grillo
Level 1
Level 1

‎02-17-2023 06:08 AM

In the event that I only have 2 active/standby ISEs, the issue of authentication is clear by having several radius servers, but for example, the captive portal that resolves the active ISE's ip?

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP
In response to jorgeemilio.grillo

‎02-19-2023 05:31 AM

@jorgeemilio.grillo Normally you'd rely on an external load balancer.

If you don't not have a LB, you could achieve the samething in ISE. Create 2 authorisation rules, the first authz rule matches on the ISE-1 hostname and returns the ISE-1 portal URL. The second authz rule matches on the ISE-2 hostname and returns the ISE-2 portal URL. So which ever ISE PSN node the connection request is received on ISE will redirect to the correct portal.

Refer to Authorisation Profile and Policy Set section in this example:- https://integratingit.wordpress.com/2020/01/19/ise-guest-access/

 

View solution in original post

4 Replies 4

Go to solution
Rodrigo Diaz
Cisco Employee
Cisco Employee

‎02-17-2023 11:21 AM

hi @jorgeemilio.grillo , related to the situation you are mentioning  , the node that has the PAN persona enable is the node from where you have to connect in order to see the dashboards and have management, the redundancy occurs when you have another node as SAN persona , in the scenario where the SAN is unavailable you can continue having your management within PAN as recovering the node , if the PAN becomes unavailable what you can do is to promote the SAN node to become a provisional PAN , once this procedure is finished you will recover the management whereas working in the previous PAN node, in any case you don't have to do any changes on the IP of the nodes as the node from where you will have the manageability of ISE is the one that has the PAN enabled as persona, to know more about it please refer to the following cisco live presentation from slide 382 https://www.ciscolive.com/c/dam/r/ciscolive/apjc/docs/2019/pdf/BRKSEC-3432.pdf 

Let me know if that helped you. 

Go to solution
jorgeemilio.grillo
Level 1
Level 1

‎02-19-2023 03:30 AM

Hi Rodrigo Diaz, Thanks for the answer, it's very valuable, but maybe I didn't ask the question.
My question is about how high availability works for the captive guest portal.
As far as I know, each Active/standby ISE has a different ip, there is a name resolution for the portal url to the active ISE ip, what happens when the active portal does not respond?

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to jorgeemilio.grillo

‎02-19-2023 05:31 AM

@jorgeemilio.grillo Normally you'd rely on an external load balancer.

If you don't not have a LB, you could achieve the samething in ISE. Create 2 authorisation rules, the first authz rule matches on the ISE-1 hostname and returns the ISE-1 portal URL. The second authz rule matches on the ISE-2 hostname and returns the ISE-2 portal URL. So which ever ISE PSN node the connection request is received on ISE will redirect to the correct portal.

Refer to Authorisation Profile and Policy Set section in this example:- https://integratingit.wordpress.com/2020/01/19/ise-guest-access/

 

Go to solution
jorgeemilio.grillo
Level 1
Level 1

‎02-19-2023 10:25 AM

Thanks for the answer, it is very valuable, It's clearer to me.
thank you so much
Regards

0 Helpful
Customers Also Viewed These Support Documents