11-06-2016 09:13 PM - edited 03-11-2019 12:12 AM
Hi All,
We are running ISE 2.1 Patch 1 and ran into an interesting problem yesterday where our Primary PSN dis-joined from the domain which meant our SOE machines were failing 802.1X and falling back to MAB.
Are there any other failover mechanisms for AD authentication (short of failing over to the secondary PSN) that we can implement if this was to happen again? Has this happened to anyone before?
Thanks,
James
Solved! Go to Solution.
11-07-2016 12:53 AM
Hi James,
If your PSN got disconnected from AD domain. But the PSN is still active. Failover will happen when primary PSN gets down then it will failover to next configured PSN on NAD.
However, if you can use identity store sequence in ISE in order to move from AD to LDAP/internal/RSA as per your configuration.
Hope it helps!!!
Regards
Gagan
ps : rate if it helps!!!
11-07-2016 12:53 AM
Hi James,
If your PSN got disconnected from AD domain. But the PSN is still active. Failover will happen when primary PSN gets down then it will failover to next configured PSN on NAD.
However, if you can use identity store sequence in ISE in order to move from AD to LDAP/internal/RSA as per your configuration.
Hope it helps!!!
Regards
Gagan
ps : rate if it helps!!!
11-07-2016 02:00 AM
Hi Gagan,
What if we are only using AD, what are our options if our primary PSN is removed from the domain and the node is still active? Can we use different AD join points or sequences?
Thanks,
James
11-07-2016 04:37 AM
James,
You can have multiple AD joint points for different domains. You can use those as store sequence in case of one AD failover.
Regards
Gagan
ps : rate if it helps!!!
11-07-2016 12:22 PM
Thanks Gagan,
LDAP looks like it will overcome and provide a failover if the PSN is dis-joined from the domain.
James
11-07-2016 12:29 PM
Your welcome:).
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide