
ISE Deployment - which ISE has processed the request

mgollob
Level 1

Hello,

I have an ISE deployment consisting of 2 nodes. However, for the policy set I need to know which ISE processed the request. If I look in the RADIUS log, there is a Policy Server item and then the host name of the ISE. How can I check in my Authorization Profile which ISE has processed it so that I can return a different result?

 

13 Replies

marce1000
VIP

 

 - The need for this requirement is unclear to me, and it is not possible because from Policy (policies) Server (implemented) to handling is a one-way flow; please elaborate if needed.

 M.




check below 

MHM

Try "ISE Host Name" from the "Network Access" directory. But you had better tell us what you want to achieve. My first impression is that it is likely a horrible idea that you have here.

I am in the process of implementing an ISE Guest solution and have a deployment with 2 nodes. I need 2 authorization profiles, each with a different redirect link to the guest portal, depending on which ISE is processing the request and therefore I need to know which PSN is processing it so that I can provide the correct link. It is for redundancy reasons.

 

So your NAD is a WLC?
Do you configure both ISEs under the WLAN?
MHM

For redundancy, you want both ISEs to behave in the same way. For the redirect, by default, the ISE uses the FQDN of the ISE that handles the request. No need to configure two different authorization profiles.

You are correct.
Let me check this point.
The FQDN is not related to this case.
MHM

https://community.cisco.com/t5/network-access-control/ise-2-1-multiple-psns-with-cwa-guest-without-load-balancer/td-p/3534288

As I mentioned, you are correct.
The issue is that two ISEs need load balancing.
If there is none, then you need two authz profiles.
Check the link I shared.
The FQDN is not related to anything here.

MHM

thomas
Cisco Employee

In the ISE LiveLogs, there is a Server column that tells you clearly by name which ISE node/PSN handled the request. Make sure you have the column enabled and you may need to scroll far to the right to see it for a LiveLog entry.


As others have mentioned, you typically want your policy to be consistent between all ISE nodes, otherwise it can be complicated. However, if you are absolutely certain you want this, you may create a Policy Set Authorization Rule that uses the condition Network Access:ISE Hostname EQUALS ise-name


 

 

 

Thank you very much. Yes, this solution also worked for me, but I don't need it anymore because Karsten Iwen's answer worked perfectly. I just removed the static entry and it automatically uses the PSN from which the request is processed.

 

Sorry @thomas 

So can you confirm that he can use both ISEs as redundancy for CWA without F5?

Thanks a lot

MHM

Yes, no load balancer is needed for the guest portal, as long as it is okay to have two different domains. Depending on which ISE is processing the request, the correct FQDN will be returned if it has not been entered statically. If it is entered statically, you can do it with a second authorization profile and a check with the hostname and return a different redirect link.
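
An added example, not part of the original thread and not Cisco tooling: a Python check that the url-redirect host returned to a guest client is the PSN that processed the request, which is the behaviour the reply above relies on when the host is not entered statically. The record layout, field names and host names are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample records, not real ISE output. Hypothetical field names:
# "policy_server" = PSN named in the RADIUS log, "av_pairs" = returned cisco-av-pairs.
GW = ":8443/portal/gateway?sessionId={}&action=cwa"
SAMPLE = [
    {"session": "s1", "policy_server": "ise01",
     "av_pairs": ["url-redirect-acl=REDIRECT",
                  "url-redirect=https://ise01.example.com" + GW.format("s1")]},
    {"session": "s2", "policy_server": "ise02",
     "av_pairs": ["url-redirect=https://ise01.example.com" + GW.format("s2")]},
    {"session": "s3", "policy_server": "ise02.example.com",
     "av_pairs": ["url-redirect=https://ISE02.example.com" + GW.format("s3")]},
    {"session": "s4", "policy_server": "ise01", "av_pairs": ["url-redirect-acl=REDIRECT"]},
    {"session": "s5", "policy_server": "ise01",
     "av_pairs": ["url-redirect=https://192.0.2.10" + GW.format("s5")]},
]

def redirect_host(av_pairs):
    """Return the lower-cased host of the url-redirect av-pair, or None."""
    for pair in av_pairs:
        name, _, value = pair.partition("=")
        if name.strip().lower() == "url-redirect":
            return urlsplit(value.strip()).hostname
    return None

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def verdict(policy_server, host):
    """ok / mismatch by short hostname; IP literals cannot be tied to a node name."""
    if host is None:
        return "no-redirect"
    if is_ip(host):
        return "unverifiable"
    same = policy_server.lower().split(".")[0] == host.split(".")[0]
    return "ok" if same else "mismatch"

def audit(records):
    return {r["session"]: verdict(r["policy_server"], redirect_host(r["av_pairs"]))
            for r in records}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A "mismatch" verdict marks a session whose redirect link points at a different node than the one that handled the RADIUS request.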

 

@MHM Cisco World , you want multiple ISE nodes for AAA (RADIUS/TACACS+) service redundancy. 

ISE is not a load balancer and will not magically forward or balance requests between two ISE nodes. For this you still need an actual load balancer. Watch the ISE Webinar ▷ Cloud Load Balancing with ISE for more details and examples.

If your network devices send all requests to the same ISE node without a load balancer, only one ISE node will receive and handle the requests.