07-12-2024 03:27 AM
Hi everyone,
We have an issue with an ISE deployment for a customer, and Cisco TAC is currently unable to help us...
The customer is using 4 virtual ISE nodes, 2x PAN/MnT and 2x PSN, on version 3.2 Patch 5.
After an update or a simple restart of the primary PSN (first on the switches), the switches fail over to the second PSN as they should. But when the primary PSN is started again, there is a small time frame where the PSN is accepting RADIUS requests again and is marked as alive, but rejects our MAB requests since the endpoint isn't found in the internal database. On the next reauthentication the request is accepted.
So the PSN node is answering RADIUS requests even when the internal MAB database isn't available yet after rebooting. This causes devices that get reauthenticated to receive the wrong VLAN, which causes outages for our customer.
Has anyone seen this before and found a solution for this problem? Cisco TAC told us to modify the dead timer on the switch or block access to this node until it's fully up again, but that's not really a solution to the problem.
Thanks in advance!
07-12-2024 03:54 AM
>...Cisco TAC told us to modify the dead-timer on the switch or block access to this node till it's full up again but thats not really a solution for the problem.
I can assume that the blocking-access solution is not feasible, but what's wrong with the dead-timer option?
M.
07-15-2024 07:46 AM
Hi marce1000. Thanks for your reply.
Of course it's an option, and we already have 5 minutes configured, but we don't want to extend the dead timer to an unreasonable value. If we increase the timer to 10 minutes and ISE needs 9.5 minutes to reboot, we'll experience the same issue.
If we increase the dead timer even further, it could be a problem when upgrading/rebooting the nodes, as we need to wait for the dead timer to end.
Also, the automate-tester marks ISE alive even when ISE isn't completely ready...
07-15-2024 07:54 AM
For me, what I think has happened is:
The user is authenticated via MAB on one ISE,
and the other ISE authenticates via MAB and the guest policy set.
The policy sets must be configured with order and with conditions to eliminate this case.
Guest auth uses MAB as the first authc, and it adds the unknown MAC to the internal DB of ISE.
MAB authc uses the known MAC to authenticate.
That's why ISE re-authenticates the MAB device with the wrong VLAN in authz.
MHM
07-18-2024 05:04 AM
Hi,
Sorry, but I don't really understand your response. Both PSN nodes are in the same deployment, and the MAC is present in the internal database and assigned to the correct groups. There is only one MAB ruleset for internal devices and no "guest authentication".
The node responds with "AuthenticationResult=UnknownUser" for some time after reload, and works fine after some minutes.
Thanks in advance!
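The symptom described in the original post and in the reply above (a PSN answering RADIUS after a reload and returning UnknownUser for MAB endpoints that the other PSN had just accepted) is easy to miss in ISE live logs, because each reject looks like an ordinary unknown endpoint. The following is an added example, not code from the thread or from Cisco: it replays constructed, simplified key=value log lines (not verbatim ISE syslog; the field names Server, CallingStationID, Protocol and AuthenticationResult are assumptions) and flags UnknownUser MAB rejects for MACs that any node accepted shortly before. The per-node first/last timestamps tell you how long the node was answering before it was actually ready, which is the number the dead-timer discussion hinges on.

```python
"""Flag MAB endpoints that an ISE node rejects as UnknownUser shortly after
another node accepted the same MAC (the reboot window from the thread).

Added example; the log format below is a constructed, simplified key=value
shape and is NOT verbatim ISE syslog."""
from __future__ import annotations

import re
from datetime import datetime, timedelta

# Constructed sample: ise-psn-02 accepts two MACs, then ise-psn-01 comes back
# from a reload and rejects them as UnknownUser before accepting again.
# aa:bb:cc:dd:ee:ff never succeeded anywhere, so it is a genuine unknown.
SAMPLE_LOG = """\
2024-07-10T08:00:05 Server=ise-psn-02 CallingStationID=00:11:22:33:44:55 Protocol=MAB AuthenticationResult=Success
2024-07-10T08:00:07 Server=ise-psn-02 CallingStationID=00:11:22:33:44:66 Protocol=MAB AuthenticationResult=Success
2024-07-10T08:09:31 Server=ise-psn-01 CallingStationID=00:11:22:33:44:55 Protocol=MAB AuthenticationResult=UnknownUser
2024-07-10T08:09:40 Server=ise-psn-01 CallingStationID=00:11:22:33:44:66 Protocol=MAB AuthenticationResult=UnknownUser
2024-07-10T08:10:02 Server=ise-psn-01 CallingStationID=aa:bb:cc:dd:ee:ff Protocol=MAB AuthenticationResult=UnknownUser
2024-07-10T08:12:15 Server=ise-psn-01 CallingStationID=00:11:22:33:44:55 Protocol=MAB AuthenticationResult=Success
"""

# Field names are assumptions for this example, not ISE's real attribute names.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) Server=(?P<psn>\S+) CallingStationID=(?P<mac>\S+) "
    r"Protocol=(?P<proto>\S+) AuthenticationResult=(?P<result>\S+)$"
)


def parse_line(line: str) -> dict | None:
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["mac"] = rec["mac"].lower()
    return rec


def find_stale_rejects(lines, window_minutes: int = 30) -> list[dict]:
    """Return UnknownUser MAB rejects for MACs that some node accepted within
    the last `window_minutes`. An endpoint deleted from the DB in between
    would also be flagged, so treat hits as leads, not proof."""
    window = timedelta(minutes=window_minutes)
    records = [r for r in map(parse_line, lines) if r and r["proto"] == "MAB"]
    records.sort(key=lambda r: r["ts"])
    last_success: dict[str, tuple[datetime, str]] = {}  # mac -> (ts, psn)
    flagged: list[dict] = []
    for r in records:
        if r["result"] == "Success":
            last_success[r["mac"]] = (r["ts"], r["psn"])
            continue
        if r["result"] != "UnknownUser":
            continue
        prev = last_success.get(r["mac"])
        if prev and r["ts"] - prev[0] <= window:
            flagged.append({
                "ts": r["ts"], "psn": r["psn"], "mac": r["mac"],
                "accepted_by": prev[1], "accepted_at": prev[0],
            })
    return flagged


def reject_window_per_psn(flagged) -> dict[str, tuple[datetime, datetime]]:
    """First and last flagged reject per node: how long it answered RADIUS
    while its endpoint data was not yet usable."""
    out: dict[str, tuple[datetime, datetime]] = {}
    for f in flagged:
        first, last = out.get(f["psn"], (f["ts"], f["ts"]))
        out[f["psn"]] = (min(first, f["ts"]), max(last, f["ts"]))
    return out


if __name__ == "__main__":
    flags = find_stale_rejects(SAMPLE_LOG.splitlines())
    for f in flags:
        print(f"{f['ts']} {f['psn']} rejected {f['mac']} as UnknownUser; "
              f"accepted by {f['accepted_by']} at {f['accepted_at']}")
    for psn, (first, last) in reject_window_per_psn(flags).items():
        print(f"{psn}: stale rejects from {first.time()} to {last.time()}")
```

Run against a real export, the interesting output is the per-node window: if it is consistently longer than the switch dead timer, the switch will be sending authentications to the node before it is ready, regardless of how the automate-tester reports it.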
07-18-2024 05:10 AM
There are:
1- Wireless guest authc, which uses two authc:
A- first MAB, with UnknownUser added to a specific group
B- portal
2- Wired MAB,
which needs the user added to the internal ISE DB.
I think the wired MAB is authenticated via guest authc, not via wired MAB.
You need to separate wireless from wired.
Are you using wireless guest?
MHM