ISE 2.4 HA Deployment with failover test

Noffal
Level 1

Hi,

 

I have 2 ISE nodes which are registered to each other. I tried a failover test by disconnecting the primary node from the network, but the client was not able to do posture in this situation. I also tried 'test aaa' on my switch to confirm where the authentication is pointing, and the result is that the authentication went to the secondary node, but the client provisioning page did not appear. Is there any other HA configuration besides registering the secondary node?

 

Another question is, what is the normal condition if I deploy 2 ISE nodes which are registered to each other and then disconnect the primary node? Can the client still do posture, or do we need to promote the secondary to primary first so that the client can connect? (Assumption: the primary node contains the primary administration, monitoring and policy service, and the secondary node contains the secondary administration, monitoring and policy service.)

 

Attached are the deployment node settings and the AAA test capture from the switch.

 

Any comments would be appreciated!

 

Thanks,

 


4 Replies

Colby LeMaire
VIP Alumni

It should work with posture since nothing new is being created that would need to be added to the database. In your authorization profile, are you using a static IP/FQDN for the redirection? If not, then the authenticating PSN should be the one that provides the redirection URL with its own information in the redirection URL.

Yes, I am not using a static IP/FQDN for redirection. But why can't the client provisioning portal appear? I tried 'test aaa' on the switch to confirm that the client authenticates to the secondary node, and it is correct (in my previous attachment). Attached is my ACL redirection for posture on the WLC and switch.

Simplify your redirect ACL by just using one deny statement for each ISE PSN. You don't need to be specific on the ports/protocols since this is just a redirect ACL, not a security/protection ACL. Also, try putting a "permit tcp any any eq 80" and "permit tcp any any eq 443" at the end of the ACL before your "permit ip any any".
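An IOS switch redirect ACL laid out the way the accepted answer describes, added here as an illustration rather than the poster's attached ACL. The PSN addresses 192.0.2.10 and 192.0.2.11 are placeholders for the two ISE nodes, and the DNS bypass line is a common addition that goes beyond what the answer lists.

```cisco
! Redirect ACL for ISE posture on an IOS switch.
! Semantics here are the reverse of a security ACL:
!   deny   = traffic is NOT redirected (passes straight through)
!   permit = traffic is intercepted and redirected to the ISE portal
ip access-list extended ACL-POSTURE-REDIRECT
 ! One deny per PSN, no port/protocol detail, so the client can reach
 ! whichever node authenticated it (primary or secondary after failover).
 deny   ip any host 192.0.2.10
 deny   ip any host 192.0.2.11
 ! Let the client resolve the PSN FQDN in the redirect URL (placeholder
 ! addition; not part of the accepted answer).
 deny   udp any any eq domain
 ! Web traffic that should trigger the portal redirect.
 permit tcp any any eq 80
 permit tcp any any eq 443
 ! Catch-all, as in the original ACL, placed last.
 permit ip any any
```

On an AireOS WLC redirect ACL the logic is reversed again (permit = do not redirect, deny = redirect), so the equivalent there permits the PSNs and DNS and denies the rest.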

hslai
Cisco Employee

Colby.LeMaire is correct. The ACL can be simplified.

As to why the client is not displaying the client provisioning portal, please debug it step by step:

  • Ensure it is working with the primary ISE.
  • Ensure the client web browser is not configured for a web proxy. After entering a web URL http://x.y.z:80, DNS is resolved and the switch returns the web redirect URL to ISE.
  • Ensure the client is able to resolve the ISE FQDN.
  • Ensure all the ports are open to ISE.

There are different ways to debug such issues. I usually use telnet, Wireshark, and the browser's developer tools.