ISE 2.1 LDAP

James Paton
Level 4

Hi All,

We are running ISE 2.1 Patch 1 and ran into an interesting problem yesterday where our Primary PSN disjoined from the domain, which meant our SOE machines were failing 802.1X and falling back to MAB.

Are there any other failover mechanisms for AD authentication (short of failing over to the secondary PSN) that we can implement if this was to happen again? Has this happened to anyone before?

Thanks,

James

Accepted Solutions

Gagandeep Singh
Cisco Employee

Hi James,

If your PSN got disconnected from the AD domain but the PSN is still active: failover will happen when the primary PSN goes down, and then it will fail over to the next configured PSN on the NAD.

However, you can use an identity store sequence in ISE in order to move from AD to LDAP/internal/RSA as per your configuration.

Hope it helps!!!

Regards

Gagan

ps : rate if it helps!!!

Hi Gagan,

What if we are only using AD? What are our options if our primary PSN is removed from the domain and the node is still active? Can we use different AD join points or sequences?

Thanks,

James

James,

You can have multiple AD join points for different domains. You can use those as a store sequence in case of one AD failover.

Regards

Gagan

ps : rate if it helps!!!

Thanks Gagan,

LDAP looks like it will overcome and provide a failover if the PSN is disjoined from the domain.

James

You're welcome :).