01-09-2020 11:29 PM
Hi,
I have two ISE nodes registered with each other. I tried a failover test by disconnecting the primary node from the network, but the client was not able to do posture in this situation. I also tried 'test aaa' on my switch to confirm where authentication is pointing; the result was that authentication went to the secondary node, but the client provisioning page did not appear. Is there any other HA configuration besides registering the secondary node?
Another question: what is the normal behaviour if I deploy two ISE nodes registered with each other and then disconnect the primary node? Can the client still do posture, or do we need to promote the secondary to primary first before the client can connect? (Assumption: the primary node holds the primary Administration, Monitoring and Policy Service personas; the secondary node holds the secondary Administration, Monitoring and Policy Service personas.)
Attached are the deployment node settings and a capture of the AAA test on the switch.
Any comments would be appreciated!
Thanks,
01-10-2020 07:25 AM
It should work with posture since nothing new is being created that would need to be added to the database. In your authorization profile, are you using a static IP/FQDN for the redirection? If not, then the authenticating PSN should be the one that provides the redirection URL with its own information in the redirection URL.
01-10-2020 07:33 PM
Yes, I am not using a static IP/FQDN for the redirection. But why does the client provisioning portal not appear? I tried 'test aaa' on the switch to confirm that the client authenticates to the secondary node, and it does (see my previous attachment). Attached is my redirect ACL for posture on the WLC and on the switch.
01-11-2020 09:30 AM
Simplify your redirect ACL by just using one deny statement for each ISE PSN. You don't need to be specific on the ports/protocols since this is just a redirect ACL, not a security/protection ACL. Also, try putting a "permit tcp any any eq 80" and "permit tcp any any eq 443" at the end of the ACL before your "permit ip any any".
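The suggestion above is about how an IOS redirect ACL is evaluated: first match wins, a "permit" entry marks a flow for URL redirection, and a "deny" entry lets the flow through untouched (nothing is dropped, because it is not a security ACL). The following is an added example, not code from the thread or from Cisco: it embeds a constructed redirect ACL in the shape the answer describes (one deny per PSN, DNS excluded, then HTTP and HTTPS permitted before the catch-all) and walks sample flows through it. The PSN addresses, ACL name and test destinations are assumptions, and the parser only handles the "any" and "host" address forms used here.

```python
"""Walk sample flows through an ISE redirect ACL the way an IOS switch would.

Added example, not from the thread. The ACL text and all addresses are
constructed for illustration. Semantics modelled: first matching entry wins,
'permit' = flow is subject to URL redirection, 'deny' = flow is left alone,
implicit deny (no redirect) when nothing matches.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional

# Hypothetical PSN addresses (assumption, not from the thread).
PSN1 = "10.10.10.11"
PSN2 = "10.10.10.12"

# Constructed redirect ACL in IOS syntax, following the structure suggested
# in the answer: one deny per PSN, DNS excluded, HTTP/HTTPS permitted before
# the final "permit ip any any".
REDIRECT_ACL = f"""
ip access-list extended ACL-POSTURE-REDIRECT
 deny ip any host {PSN1}
 deny ip any host {PSN2}
 deny udp any any eq domain
 permit tcp any any eq 80
 permit tcp any any eq 443
 permit ip any any
"""

# Well-known IOS port keywords that may appear after "eq".
PORT_NAMES = {"domain": 53, "bootps": 67, "bootpc": 68, "www": 80}


@dataclass
class Ace:
    action: str               # "permit" or "deny"
    proto: str                # "ip", "tcp" or "udp"
    dst_host: Optional[str]   # None means "any"
    dst_port: Optional[int]   # None means any port


@dataclass
class Flow:
    proto: str
    dst: str
    dport: Optional[int] = None


def _consume_addr(tokens: List[str]) -> Optional[str]:
    """Pop one address spec ("any" or "host X") from the front of tokens."""
    if tokens[0] == "any":
        del tokens[0]
        return None
    if tokens[0] == "host":
        host = tokens[1]
        del tokens[:2]
        return host
    raise ValueError(f"unsupported address spec: {tokens[0]}")


def parse_acl(text: str) -> List[Ace]:
    """Parse permit/deny entries; header and blank lines are skipped."""
    aces = []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        _consume_addr(rest)                 # source: not needed for redirect
        dst_host = _consume_addr(rest)
        dst_port = None
        if rest[:1] == ["eq"]:
            dst_port = PORT_NAMES.get(rest[1]) or int(rest[1])
        aces.append(Ace(action, proto, dst_host, dst_port))
    return aces


def _matches(ace: Ace, flow: Flow) -> bool:
    if ace.proto != "ip" and ace.proto != flow.proto:
        return False
    if ace.dst_host is not None and ip_address(ace.dst_host) != ip_address(flow.dst):
        return False
    if ace.dst_port is not None and ace.dst_port != flow.dport:
        return False
    return True


def redirected(aces: List[Ace], flow: Flow) -> bool:
    """True if the switch would intercept this flow for URL redirection."""
    for ace in aces:
        if _matches(ace, flow):
            return ace.action == "permit"
    return False  # implicit deny at the end of every IOS ACL


if __name__ == "__main__":
    acl = parse_acl(REDIRECT_ACL)
    for f in (Flow("tcp", PSN2, 8443),        # portal on the PSN: must NOT redirect
              Flow("udp", "10.10.10.53", 53), # DNS: must NOT redirect
              Flow("tcp", "203.0.113.10", 80)):  # user's browser: redirect
        print(f, "->", "redirect" if redirected(acl, f) else "pass-through")
```

The two flows worth checking by hand are the ones that break posture when they are wrong: traffic to the PSN's own portal port (8443 by default) must hit a deny entry, and DNS must be reachable, otherwise the client can never load the client provisioning page it has just been redirected to.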
01-14-2020 04:56 PM
Colby.LeMaire is correct. The ACL can be simplified.
As to why the client is not displaying the client provisioning portal, please debug it step by step.
There are different ways to debug such issues. I usually use telnet, Wireshark, and the developer tools in the browser.