01-08-2024 01:29 AM
Hello,
I have an ISE deployment consisting of 2 nodes. However, for the policy set I need to know which ISE processed the request. If I look in the RADIUS log, there is a Policy Server item and then the host name of the ISE. How can I check in my Authorization Profile which ISE has processed it, so that I can return a different result?
01-08-2024 01:33 AM
The need for this requirement is unclear to me, and it is not possible, because from the Policy Server (where the policies are implemented) to handling is a one-way flow; please elaborate if needed.
M.
01-08-2024 01:36 AM - edited 01-08-2024 04:07 AM
check below
MHM
01-08-2024 01:45 AM
Try "ISE Host Name" from the "Network Access" directory. But you had better tell us what you want to achieve. My first impression is that what you have here is likely a horrible idea.
01-08-2024 02:29 AM
I am in the process of implementing an ISE Guest solution and have a deployment with 2 nodes. I need 2 authorization profiles, each with a different redirect link to the guest portal, depending on which ISE is processing the request, and therefore I need to know which PSN is processing it so that I can provide the correct link. It is for redundancy reasons.
01-08-2024 02:45 AM
So your NAD is a WLC?
Do you configure both ISEs under the WLAN?
MHM
01-08-2024 03:04 AM
For redundancy, you want both ISEs to behave in the same way. For the redirect, by default, the ISE uses the FQDN of the ISE that handles the request. No need to configure two different authorization profiles.
01-08-2024 03:50 AM
You are correct.
Let me check this point.
The FQDN is not related to this case.
MHM
01-08-2024 04:06 AM
As I mentioned, you are correct.
The issue is that two ISEs need load balancing.
If there is none, then you need two authz profiles.
Check the link I shared.
The FQDN is not related to anything here.
MHM
01-08-2024 07:52 AM
In the ISE LiveLogs, there is a Server column that tells you clearly by name which ISE node/PSN handled the request. Make sure you have the column enabled and you may need to scroll far to the right to see it for a LiveLog entry.
As others have mentioned, you typically want your policy to be consistent between all ISE nodes; otherwise it can get complicated. However, if you are absolutely certain you want this, you may create a Policy Set Authorization Rule that uses the condition Network Access:ISE Hostname EQUALS ise-name.
01-08-2024 07:58 AM
thank you very much
01-08-2024 08:04 AM
Sorry @thomas,
so can you confirm that he can use both ISEs for redundancy for CWA without an F5?
Thanks a lot
MHM
01-08-2024 08:10 AM
Yes, no load balancer is needed for the guest portal, as long as it is okay to have two different domains. Depending on which ISE is processing the request, the correct FQDN will be returned if it has not been entered statically. If it is entered statically, you can do it with a second authorization profile, a check on the hostname, and a different redirect link.
01-08-2024 09:03 AM
@MHM Cisco World, you want multiple ISE nodes for AAA (RADIUS/TACACS+) service redundancy.
ISE is not a load balancer and will not magically forward or balance requests between two ISE nodes. For this you still need an actual load balancer. Watch the ISE Webinar "Cloud Load Balancing with ISE" for more details and examples.
If your network devices send all requests to the same ISE node without a load balancer, only one ISE node will receive and handle the requests.
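A small verification script, added here as an example and not taken from the thread or from Cisco, covering two points made above: the redirect FQDN returned in the authorization should match the PSN that handled the session (if a static FQDN was configured, the other node's clients are sent to a PSN that holds no session for them), and without a load balancer one node may be receiving no requests at all. The record layout and the sample records are constructed for this example; the `example.com` suffix and the field names are assumptions, not an ISE export format.

```python
"""Check CWA redirects against the handling PSN and look for idle PSNs.

Added example, not thread or Cisco code. Records are modelled as dicts with
a handling server name, the matched authorization profile and the returned
url-redirect; the layout and the values are constructed for the example.
"""
from collections import Counter
from urllib.parse import urlparse

PSN_DOMAIN = "example.com"  # assumed DNS suffix of the PSN FQDNs

# Constructed sample records. The second one models a statically configured
# redirect: ise-psn-2 handled the session, but the URL points at ise-psn-1.
SAMPLE_RECORDS = [
    {"server": "ise-psn-1", "authz_profile": "Guest-Redirect",
     "url_redirect": "https://ise-psn-1.example.com:8443/portal/gateway"
                     "?sessionId=0A0A0A0100000001&portal=guest"},
    {"server": "ise-psn-2", "authz_profile": "Guest-Redirect",
     "url_redirect": "https://ise-psn-1.example.com:8443/portal/gateway"
                     "?sessionId=0A0A0A0100000002&portal=guest"},
    {"server": "ise-psn-1", "authz_profile": "Guest-Redirect",
     "url_redirect": "https://ise-psn-1.example.com:8443/portal/gateway"
                     "?sessionId=0A0A0A0100000003&portal=guest"},
]


def redirect_host(url):
    """Host part of the url-redirect value, lower-cased, '' if unparsable."""
    return (urlparse(url).hostname or "").lower()


def mismatched_redirects(records, domain=PSN_DOMAIN):
    """Records whose redirect host is not the FQDN of the PSN that handled them.

    With the default (dynamic) portal FQDN the two always agree. A mismatch
    indicates a redirect pinned to one node, which breaks CWA for sessions
    the other node authorises, so each node then needs its own profile.
    """
    bad = []
    for rec in records:
        expected = f"{rec['server']}.{domain}".lower()
        if redirect_host(rec["url_redirect"]) != expected:
            bad.append(rec)
    return bad


def per_node_counts(records):
    """How many records each PSN handled."""
    return Counter(rec["server"] for rec in records)


def idle_nodes(records, known_nodes):
    """PSNs in the deployment that handled no request in the sample.

    With NADs pointing at a single node and no load balancer, the other
    node shows up here even though it is configured for redundancy.
    """
    counts = per_node_counts(records)
    return sorted(node for node in known_nodes if counts[node] == 0)


if __name__ == "__main__":
    nodes = ["ise-psn-1", "ise-psn-2"]
    print("requests per PSN:", dict(per_node_counts(SAMPLE_RECORDS)))
    print("idle PSNs:", idle_nodes(SAMPLE_RECORDS, nodes))
    for rec in mismatched_redirects(SAMPLE_RECORDS):
        print(f"redirect mismatch: handled by {rec['server']}, "
              f"redirect goes to {redirect_host(rec['url_redirect'])}")
```

Run it against records exported from your own reporting pipeline, mapped onto the three fields above; an empty mismatch list and no idle nodes is what a working two-node guest deployment without static FQDNs should produce.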