
How things work out when the DC connected to the primary ISE fails

RohitSingh91693
Level 1

I have 2 ISE nodes which are acting as PSNs, and both nodes have been integrated with Active Directory. Now all the dot1x requests hit ISE node 1 because it is acting as the primary PSN, and ISE sends the query to the domain controller to verify whether the user is genuine or not.

But suppose the domain controller connection to the ISE 1 node fails, and an authentication query comes in to ISE 1 because ISE 1 is up and running. How will things work out?

Do I have to make any routing changes to make sure that any request that comes in hits the ISE 2 node?

Accepted Solutions

Hi @RohitSingh91693 ,

Please take a look at: BRKSEC-3697 Advanced ISE Services, Tips & Tricks, search for Scaling AD Integration w/ Sites & Services ... the answer to your question is the correct configuration of Site & Services.

At Administration > Identity Management > External Identity Sources > Active Directory > check the Site column (screenshot: Site.png).

Hope this helps !!!


6 Replies

balaji.bandi
Hall of Fame

Hello Balaji,

Actually, my ISE node 1, which is primary, is not down; only the connection between the domain controller and ISE 1 is broken. So how will things work out? In either case, ISE 2 has connectivity with the DC. How do I redirect the authentication requests to ISE 2?

Let's suppose I have a 2-node PSN deployment and 4 business units. Every BU has its own DC, and both PSNs have been integrated with the 4 BUs' DCs. Now only one BU's DC connectivity to the primary PSN, which is ISE-1, is broken. But the other 3 BUs' user access requests are being addressed by the primary PSN (ISE 1), and ISE 1 sends queries to the DCs, which are still alive.

How will things work out? Do I have to put the primary ISE 1 down, which will also impact the other 3 BUs?

Or is there another solution?

Thanks

Rohit Singh

Charlie Moreton
Cisco Employee

Make sure both PSNs are listed in the Network Devices.  If the connection to the primary PSN fails, the secondary will be used (primary and secondary are determined by the order they are listed in the Network Device).

With a 2 node deployment, if the Primary Policy Admin Node loses connectivity or fails, you must manually promote the Secondary Policy Admin Node to regain Administrative access.

Here is a list of processes available when the Primary Admin node is down - Cisco Identity Services Engine Administrator Guide, Release 3.1 

Hello Charlie,

Actually, my ISE node 1, which is primary, is not down; only the connection between the domain controller and ISE 1 is broken. So how will things work out? In either case, ISE 2 has connectivity with the DC. How do I redirect the authentication requests to ISE 2?

Let's suppose I have a 2-node PSN deployment and 4 business units. Every BU has its own DC, and both PSNs have been integrated with the 4 BUs' DCs. Now only one BU's DC connectivity to the primary PSN, which is ISE-1, is broken. But the other 3 BUs' user access requests are being addressed by the primary PSN (ISE 1), and ISE 1 sends queries to the DCs, which are still alive.

How will things work out? Do I have to put the primary ISE 1 down, which will also impact the other 3 BUs?

Or is there another solution?

Thanks

Rohit Singh

Why is the DC connection down on PSN1?  Fix the issue.
