How to make ISE go into a Maintenance Mode

Arne Bier
VIP

Hello

 

Does anyone have a recommendation of how to mimic a Maintenance Mode in ISE to ensure that NAS devices don't use the PSN when the node is in a state where it should not be processing RADIUS/TACACS+ requests? e.g. NAS is configured for ISE01 as Primary and in the event that ISE01 is rebuilt with a clean config, as soon as the ISE application on ISE01 has started up, it will respond to RADIUS requests - but since the config is not yet complete/correct (factory default), the NAS authentications will constantly fail. If the network has a lot of NAS devices, then it may not be feasible to temporarily remove ISE01 from the list of RADIUS servers.

In such an instance, it would be nice to tell the node to not process any requests until told to do so. It allows the NAS to continue using its remaining RADIUS/TACACS+ servers while the new PSN is registered etc.

 

One obvious suggestion would be to disable ISE Session Services as soon as the GUI is available - disabling Session Services performs an application restart - but at least then it will stop responding to requests until services are re-enabled.

I have not tried registering a node in that state (Session Services disabled) to a PAN to see whether Session Services are enabled again by default - but this might do the trick. Slow and tedious.

Another approach that I have used in the past was to configure the Policy Set on the newly built (standalone node) to DROP all requests, while I get things ready to register the new node to the PAN. That brings quick relief and forces the NAS to use other RADIUS servers in the list.

 

Having a maintenance mode would be quite useful.

 

Anyone else come across this on production networks?

 

3 Replies

Francesco Molino
VIP Alumni
Hi

On all deployments I do, devices are configured to access a dedicated NIC on ISE, which allows putting a route to null0 or shutting down the interface so that ISE does not get any requests.
For those not having multiple NICs, I do the same as you, meaning dropping requests while it finishes.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Damien Miller
VIP Alumni
With load balancers this becomes pretty easy since you can manually mark nodes down for client requests.

It further adds a bit of sanity when I sleep if the deployment uses AD service accounts for the health check. If a node has an odd failure, or isn't able to service auth properly right through to AD, then it is pulled out of the pool.

I like Francesco's strategy, interesting idea.

Yes @Damien Miller - if I had a load balancer I would plan to remove it from the pool. However I recall an interesting discussion with a server admin ages ago, who asked whether ISE had a Maintenance Mode, because they did that with their MS servers to inform the LB to remove the member from the pool. No need to manually do that in the LB (although, you can of course do this manually).

 

I had another idea - if it's RADIUS you want to turn off (i.e. make ISE ignore all requests), then simply change the UDP ports in the config.

 

[screenshot: radius-off.PNG]
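Whichever workaround is used (dropping the policy set, the null0 route, the shut interface, or moving the UDP ports), the thing worth verifying before re-registering the node is that the PSN has gone silent rather than answering with Access-Reject, because only silence makes the NAS fail over to its next RADIUS server. The following is an added example, not code from this thread or from Cisco: a small PAP Access-Request probe that reports "no response" versus a verified Accept/Reject. The PSN address, NAS IP, shared secret and probe credentials are assumed placeholders; the NAS IP must be a network device defined in ISE for the PSN to answer at all.

```python
import hashlib
import os
import socket
import struct

# Constructed placeholder values: replace with your PSN, the NAS IP defined in ISE and its secret.
PSN_HOST, RADIUS_PORT = "198.51.100.10", 1812   # also probe 1645 if legacy ports are in use
NAS_IP, SHARED_SECRET = "198.51.100.20", b"example-secret"
CODE_NAMES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

def _attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value

def pap_encrypt(password, secret, authenticator):
    """RFC 2865 User-Password hiding: pad to 16 bytes, XOR each block with MD5(secret + previous)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def build_access_request(ident, username, password, secret, nas_ip, authenticator=None):
    """Build an Access-Request (code 1); returns (packet, request_authenticator)."""
    ra = authenticator or os.urandom(16)
    attrs = (_attr(1, username.encode()) + _attr(2, pap_encrypt(password.encode(), secret, ra))
             + _attr(4, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + ra + attrs, ra

def build_response(code, ident, request_authenticator, secret, attrs=b""):
    """Server-side response layout; used here to recompute the Response Authenticator and for offline tests."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs

def classify_response(reply, request_authenticator, secret):
    """(code name, authenticator ok). A silent PSN lets the NAS fail over; a Reject keeps it pinned."""
    if reply is None:
        return "no response", None
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = build_response(code, ident, request_authenticator, secret, reply[20:length])
    return CODE_NAMES.get(code, f"code {code}"), reply[4:20] == expected[4:20]

def probe(host=PSN_HOST, port=RADIUS_PORT, timeout=3.0):
    pkt, ra = build_access_request(7, "maint-probe", "probe-pass", SHARED_SECRET, NAS_IP)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (host, port))
        try:
            reply, _ = s.recvfrom(4096)
        except socket.timeout:
            reply = None   # silence: the NAS would move on to its next RADIUS server
    return classify_response(reply, ra, SHARED_SECRET)
```

Run `probe()` against the rebuilt node after applying the workaround; "no response" is the state you want, while a verified "Access-Reject" means the node is still live and the NAS will keep failing against it.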
