Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
378
Views
0
Helpful
3
Replies

ise 1.3 psn redundancy

Go to solution
Augustgood
Level 1
Level 1

‎08-06-2015 10:08 PM - edited ‎03-10-2019 10:57 PM

hi,

in my environment i have many remote site with one psn,  can be possible create for redundancy purpose a psn group with primary and secondary node and the remote psn? my problem ... the node are on different subnet..

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎08-07-2015 07:14 AM

There are several options for PSN redundancy.

You can use a load balancer (with or without a node group), or just multiple PSNs with different NADs pointing to one or another as the first in the list the the less preferred ones listed as secondary, tertiary, etc.

As of ISE 1.3, node group members no longer need to be in the same subnet (or with TTL=2 reachability) but it's still a recommendation that they be withing the same high speed network for replication purposes.

So for your scenario, the latter method is probably indicated. Have a look at Cisco Live presentation BRKSEC-3699 and search for "NAD-based RADIUS Server Redundancy" for more details.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎08-07-2015 07:14 AM

There are several options for PSN redundancy.

You can use a load balancer (with or without a node group), or just multiple PSNs with different NADs pointing to one or another as the first in the list the the less preferred ones listed as secondary, tertiary, etc.

As of ISE 1.3, node group members no longer need to be in the same subnet (or with TTL=2 reachability) but it's still a recommendation that they be withing the same high speed network for replication purposes.

So for your scenario, the latter method is probably indicated. Have a look at Cisco Live presentation BRKSEC-3699 and search for "NAD-based RADIUS Server Redundancy" for more details.

0 Helpful

Go to solution
Augustgood
Level 1
Level 1
In response to Marvin Rhoads

‎08-10-2015 08:06 AM

ok, i can use on my remote nad a local psn, if this fail the nad send request to other psn, i can use the primary node ? in my environment i have a primary node persona with admin and psn and monitoring backup.

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Augustgood

‎08-10-2015 08:16 AM

Yes, that's correct.

WLCs and (by default) switch IOS will always use the first listed RADIUS server (PSN) and only fall back to the second one in the event of a failure.

IOS can optionally do RADIUS server load balancing at the NAD level. See this document (among others) for details. 

0 Helpful
Customers Also Viewed These Support Documents