01-29-2018 04:53 AM
Hello,
We had recently experienced a situation where the ISE was having issues reaching one of the Domain Controllers (DCs) for authentication and was not able to fail over to another one. The ISE was, however, seeing the RADIUS server as active while the DC was down. This caused authentication to fail completely for several sites.
How to design the ISE setup to avoid such issues in the future?
Thanks
01-29-2018 07:45 AM
Recommendation will be to configure your Active Directory services to be redundant. If ISE is failing to authenticate users against one domain controller, then it should switch to another domain controller depending on what your domain services return as the domain controller.
Another option is to configure your switch with a RADIUS test user in the domain. If that were to fail, you could fail open with critical auth services on the switch.
01-29-2018 07:06 AM
Saif-
You would need multiple ISE servers, with each using a different domain controller. The main settings will be on the switches defining the RADIUS servers and timeouts (something like below):
radius server RADIUS1
 address ipv4 x.x.x.x auth-port 1812 acct-port 1813
 timeout 15
 retransmit 3
 key "RADIUS passphrase"
!
radius server RADIUS2
 address ipv4 x.x.x.x auth-port 1812 acct-port 1813
 timeout 15
 retransmit 3
 key "RADIUS passphrase"
!
aaa group server radius RADIUS
 server name RADIUS1
 server name RADIUS2
 ip radius source-interface vlan x
 deadtime 15
!
aaa server radius dynamic-author
 client x.x.x.x server-key "RADIUS passphrase"
 client x.x.x.x server-key "RADIUS passphrase"
!
radius-server dead-criteria time 10 tries 3
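Combining Jason's test-user suggestion with Vince's template, the following is an added example configuration, not taken from any post in this thread. It has each switch probe the ISE nodes with a dedicated test account so that a node that is unreachable is marked dead within the dead-criteria window, and it authorizes ports into a critical VLAN when every server in the group is dead. Server names, the probe account, addresses, keys and VLAN numbers are placeholders.

```cisco
! --- Added example (placeholders: x.x.x.x, ise-probe-user, VLAN numbers, keys) ---
radius server ISE-PSN1
 address ipv4 x.x.x.x auth-port 1812 acct-port 1813
 key "RADIUS passphrase"
 timeout 5
 retransmit 3
 ! Periodic Access-Request for a test account that exists in the domain.
 ! A server is marked dead only when it stops answering; an Access-Reject
 ! still counts as alive, so make ISE drop (not reject) on process failure.
 automate-tester username ise-probe-user ignore-acct-port idle-time 5
!
radius server ISE-PSN2
 address ipv4 x.x.x.x auth-port 1812 acct-port 1813
 key "RADIUS passphrase"
 timeout 5
 retransmit 3
 automate-tester username ise-probe-user ignore-acct-port idle-time 5
!
aaa group server radius ISE
 server name ISE-PSN1
 server name ISE-PSN2
 ip radius source-interface Vlan x
 ! Keep a dead server out of rotation for 15 minutes before retrying it
 deadtime 15
!
! Server is dead after 5 s without a reply on 3 consecutive attempts
radius-server dead-criteria time 5 tries 3
! Send EAP-Success to supplicants when a port is authorized in critical mode
dot1x critical eapol
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 authentication host-mode multi-auth
 authentication port-control auto
 ! All servers in the group dead: fail open into a restricted critical VLAN
 authentication event server dead action authorize vlan 100
 authentication event server dead action authorize voice
 ! A server came back: re-authenticate so critical-mode sessions are re-evaluated
 authentication event server alive action reinitialize
 dot1x pae authenticator
 dot1x timeout tx-period 10
 mab
 spanning-tree portfast
```

Verify with `show aaa servers` that each ISE node reports State: current UP and that the automate-tester counters increment; the critical VLAN should carry only the access needed to reach the helpdesk or remediation services, not production resources.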
01-29-2018 12:10 PM
Vince, the template I have been using in my environment is the same as mentioned by you. The only thing I am are the below two commands:
1. retransmit
2. timeout
01-29-2018 12:24 PM
Saif-
On your core switch run the command:
sh aaa server
(this should show multiple servers); you should also see: State: current UP
As for the ISE end, I believe I have seen issues with some Server 2012 R2 DCs because of SMB versions, but I have had no issues with 2010 DCs. Check if you can see that the AD connector is good in ISE, and that you can query the AD groups. I can't remember if ISE 1.4 has the "Diagnostic Tool" to test DNS, LDAP, Kerberos and system health as it does in ISE 2.x.
Vince
01-29-2018 12:16 PM
Jason,
The AD has been configured with redundancy, with 3 inherent DCs. However, for ISE the RADIUS server is up and active while the DC is dead, and for some reason the ISE is unable to fail over to another DC unless ISE is rebooted.
Hslal, we already have a plan to upgrade to a later version, but for now we have started to face this issue more frequently and need to return to a stable state before going for the upgrade.
01-29-2018 10:46 AM
It would be good to understand why DC failover is not happening. As Jason suggested, ensure the AD infrastructure is already properly configured with Sites and Services with good redundancy. If that has already been checked OK, then please engage Cisco TAC to see if it is an ISE bug and if a patch is available for it.
Cisco ISE 1.4 EoS/EoL shows only Severity-1 and security vulnerability bugs are being addressed so please do plan to upgrade in the near future.