ISE Deployment - process RADIUS/TACACS on remote (secondary) ISE node

newbieftd · ‎04-25-2022

We have a distributed deployment, with HA pair in Corp, and secondary nodes in remote offices.

We use ISE for TACACS (for NADs), and RADIUS (for user VPN/Wireless).

The Primary (HA pair), have RADIUS Sequence to forward to RADIUS/DUO proxy (located in Corp office).

We have a Site-to-Site VPN between offices, but if the Site-to-Site goes down, user can't initial a new VPN session (can't reach HA pair, and forward the RADIUS request). Same is true for TACACS, TACACS request is also tied to DUO/RADIUS proxy.

What I need is for each site to be independent of the Site-to-Site VPN status.

Can someone point me to documentation on how to configure my Secondary ISE nodes to process a RADIUS Sequence locally, and forward to a local DUO Proxy server.

Thanks-

Arne Bier · ‎04-26-2022

The failover logic doesn't lie in the ISE PSN (RADIUS) nodes. It lies with the network authenticating servers, like the Duo RADIUS proxy. If auth requests to the Primary ISE PSN time-out because that PSN is not replying (WAN down) then the Duo RADIUS proxy should have the local PSN node as its secondary. Unless I misunderstood your question.

Or better still ... for optimisation, if you have a local PSN as a first choice, then use it as the first choice. If that PSN is down for maintenance (patching) then the Duo proxy should use the PSN over the WAN.

Every PSN in a deployment that has RADIUS Services enabled, will have the same Policy Set Logic. It's up the the NAD (Network Access Device) to choose which PSN(s) to use in the primary, secondary, tertiary case.