Beginner

How to Configure AD Fail over for ISE 1.4?

Hello,

We recently experienced a situation where ISE was having issues reaching one of the Domain Controllers (DCs) for authentication and was not able to fail over to another one. ISE was, however, seeing the RADIUS server as active while the DC was down. This caused authentication to fail completely for several sites.


How to design the ISE setup to avoid such issues in the future?


Thanks

1 ACCEPTED SOLUTION

Cisco Employee

My recommendation would be to configure your Active Directory services to be redundant. If ISE fails to authenticate users against one domain controller, it should switch to another domain controller, depending on what your domain services return as the domain controller.

Another option is to configure your switch with a RADIUS test user in the domain. If that were to fail, you could fail open with critical auth services on the switch.

6 REPLIES

Contributor

Saif-

You would need multiple ISE servers, with each using a different domain controller. The main settings will be on the switches defining the RADIUS servers and timeouts (something like the below):

! Per-server definitions: timeout/retransmit control how long the switch
! waits on one server before it moves to the next
radius server RADIUS1
 address ipv4 x.x.x.x auth-port 1812 acct-port 1813
 timeout 15
 retransmit 3
 key "RADIUS passphrase"
!
radius server RADIUS2
 address ipv4 x.x.x.x auth-port 1812 acct-port 1813
 timeout 15
 retransmit 3
 key "RADIUS passphrase"
!
! Server group used by AAA; deadtime keeps a dead server out of rotation
aaa group server radius RADIUS
 server name RADIUS1
 server name RADIUS2
 ip radius source-interface vlan x
 deadtime 15
!
! Change-of-Authorization clients (the ISE nodes)
aaa server radius dynamic-author
 client x.x.x.x server-key "RADIUS passphrase"
 client x.x.x.x server-key "RADIUS passphrase"
!
! When a server is declared dead
radius-server dead-criteria time 10 tries 3

Vince, the template I have been using in my environment is the same as the one mentioned by you. The only thing I am missing is the two commands below:

1. retransmit

2. timeout
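As an added example (not posted by anyone in this thread), a small Python checker that parses an IOS RADIUS configuration like Vince's, flags servers that leave timeout/retransmit at their defaults as Saif's does, and computes the worst-case time a request spends on one server before the switch tries the next. It assumes the IOS defaults of timeout 5 and retransmit 3 and that one request is sent once plus `retransmit` retries, each waiting `timeout` seconds; the sample config is constructed.

```python
import re

# Constructed sample modelled on the IOS config posted above (x.x.x.x replaced
# by documentation addresses); RADIUS2 omits the two commands under discussion.
SAMPLE_CONFIG = """\
radius server RADIUS1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 timeout 15
 retransmit 3
 key RADIUS-passphrase
!
radius server RADIUS2
 address ipv4 192.0.2.11 auth-port 1812 acct-port 1813
 key RADIUS-passphrase
!
"""

# IOS defaults (assumed here) used when the per-server commands are omitted.
DEFAULTS = {"timeout": 5, "retransmit": 3}


def parse_radius_servers(config):
    """Map each 'radius server' block to its timeout/retransmit settings."""
    servers, current = {}, None
    for line in config.splitlines():
        head = re.match(r"radius server (\S+)$", line)
        if head:
            current = head.group(1)
            servers[current] = dict(DEFAULTS, explicit=set())
        elif current and line.startswith(" "):
            sub = re.match(r"\s+(timeout|retransmit) (\d+)$", line)
            if sub:
                servers[current][sub.group(1)] = int(sub.group(2))
                servers[current]["explicit"].add(sub.group(1))
        else:
            current = None  # '!' or any unindented line ends the block
    return servers


def failover_delay(server):
    """Worst-case seconds on one server before the switch tries the next: the
    first attempt plus each retransmit, each waiting `timeout` s (assumed IOS)."""
    return server["timeout"] * (server["retransmit"] + 1)


def audit(config):
    """Per server: worst-case failover delay and which commands are defaulted."""
    return {name: {"delay": failover_delay(s),
                   "missing": sorted({"timeout", "retransmit"} - s["explicit"])}
            for name, s in parse_radius_servers(config).items()}
```

On the sample, RADIUS1 yields a 60 s worst case and RADIUS2 a 20 s one, which shows why the two missing commands change how quickly a switch gives up on an unresponsive server.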


Saif-

On your core switch, run the command:

sh aaa server

(This should show multiple servers.) You should also see: State: current UP

As for the ISE end, I believe I have seen issues with some Server 2012 R2 DCs because of SMB versions, but I have had no issues with 2010 DCs. Check if you can see that the AD connector is good in ISE and that you can query the AD groups. I can't remember if ISE 1.4 has the "Diagnostic Tool" to test DNS, LDAP, Kerberos and system health as it does in ISE 2.x.

Vince


Jason,

The AD has been configured with redundancy, with 3 inherent DCs. However, for ISE the RADIUS server is up and active while the DC is dead, and for some reason ISE is unable to fail over to another DC unless ISE is rebooted.

Hslal, we already have a plan to upgrade to a later version, but for now we have started to face this issue more frequently and need to return to a stable state before going for the upgrade.

Cisco Employee

It would be good to understand why DC failover is not happening. As Jason suggested, ensure the AD infrastructure is already properly configured with Sites and Services with good redundancy. If that has already been checked and is OK, then please engage Cisco TAC to see if it is an ISE bug and if a patch is available for it.

The Cisco ISE 1.4 EoS/EoL notice shows that only Severity-1 and security vulnerability bugs are being addressed, so please do plan to upgrade in the near future.