06-23-2015 03:59 PM - edited 03-10-2019 10:50 PM
Cisco ISE 1.3.
Two nodes (primary and secondary). Wireless Controller SSID for guest authentication using CWA (self registration portal).
The WLC chooses primary ISE for authentication and falls back to secondary if primary down.
We have 2 clients, CLIENT A already self registered and given Internet access, the other CLIENT B is redirected to the guest portal.
Upon failure of primary ISE, secondary one takes over authentications. Because clients are still associated to WLC, the WLC retains session. So CLIENT A keeps Internet access and CLIENT B still has WEBAUTH_REQ (redirect applied).
Problem is CLIENT B tries to refresh the browser, which is still trying to load the portal from ISE 1 (now down). If I turn off the client wireless and reconnect, the WLC still shows CLIENT B having the same redirect to ISE 1. It should now be applying the redirect to ISE 2.
The only way to force the redirect to be ISE 2 is to manually remove the client from the client list on the WLC.
If a new client has not yet associated to the wireless and does so after ISE 1 goes down then it WILL get the correct redirect to ISE 2 because it never had any associated session on the WLC previously.
It's as though the controller caches the last session of the client until manual removal. I've tried enabling the session timeout on the WLAN, which does work, but that means constant reauthentications for all clients at regular intervals.
Is there any way of getting some automatic process working so that the client will be re-issued with the correct redirect? Am I missing something?
Thanks.
07-20-2015 07:36 PM
Same result here. We have a pair of ISE 1.3 configured as HA, and once the primary ISE is down, the secondary ISE cannot show the CWA to a newly-joined WLAN client's browser; before this we were considering the RADIUS timeout, as we see similar logs on the secondary ISE.
But we tried promoting the secondary ISE to primary, and after 15-20 minutes everything comes back as normal. This is not the same as what the document said, that the "promote" is for the admin node only. Has anyone tried this setup?
Thanks.
07-21-2015 04:35 PM
As you have discovered, the WLC will "cache" the session for as long as the timeout allows, and removing it manually will make it work. ISE does not have any sharing of sessions between the ISE nodes, so the second node, once used by the WLC, will not know that there are some sessions on the WLC which are not authenticated. One thing that might work (haven't tested it) is making the two ISE servers join a node group (under deployment); as I remember it, ISE will then disconnect sessions with CoA that are "in-progress" and not completed. I have not tried this for guest access, but it might work.