ISE Failover not working for Cisco Router & Switch but working fine with Fortinet Firewall

IEprashant
Level 1

We have three ISE nodes:

AN-PRI-ISE: Primary ISE at DC, all personas enabled, i.e. Admin, PSN & MnT
AN-SEC-ISE: Secondary at DC, all personas enabled, i.e. Admin, PSN & MnT
DR-ISE: Health Check Node at DR, only PSN is enabled

We are using ISE 2.4 with Patch 10.

Below are the issues:

Whenever failover happens, our Cisco router & switch are not able to authenticate with the secondary or DR ISE. Whatever the order in which the TACACS+ servers have been configured, the switch & router try to hit only the ISE that is configured at the top.

For example : 

CASE 1-

aaa group server tacacs+ default
 server name PRI-ISE.xx.org
 server name SEC-ISE.xx.org
 server name DR-ISE.xx.org

the switch/router will hit only the primary ISE.

CASE 2- similarly, if the order is

aaa group server tacacs+ default
 server name SEC-ISE.xx.org
 server name PRI-ISE.xx.org
 server name DR-ISE.xx.org

then the switch/router will hit only the secondary ISE but not the PRIMARY or DR.

Another thing: in case of failover, the routers/switches do not go to the secondary or DR ISE for authentication. During this time the devices allow login with LOCAL credentials; however, as soon as we run any command on them, the router/switch immediately communicates with the secondary or DR ISE for authorization, and the authorization fails due to the wrong username.

That means during failover, the router & switch cannot authenticate with the secondary or DR ISE, but they do try to authorize with them whenever we execute any command after logging in with LOCAL credentials.

I have attached the router/switch TACACS+ configuration and the show tech output.


Bro, if I am right, the solution here is that dead time and dead criteria must be configured on the router and switch.
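To make the dead-time point from the reply concrete, here is an added illustration (not code from the thread, and not Cisco IOS's actual TACACS+ state machine): a simplified model of an ordered AAA server group with a per-attempt timeout and an optional dead time. With dead time 0, every transaction starts again at the first (unreachable) server and waits out its timeout before reaching the secondary; with a non-zero dead time, the server that failed to answer is skipped for that many seconds, so the next transaction goes straight to the secondary. Server names and timings are hypothetical.

```python
"""Simplified model of ordered AAA server-group failover with dead time.

Added illustration; NOT Cisco IOS's real TACACS+ implementation.
Server names (PRI-ISE, SEC-ISE, DR-ISE) and timings are hypothetical.
"""
from dataclasses import dataclass


@dataclass
class AAAServer:
    name: str
    reachable: bool
    dead_until: float = -1.0  # simulated clock time until which this server is skipped


@dataclass
class ServerGroup:
    servers: list    # AAAServer objects in configured order
    timeout: float   # seconds the client waits for each unanswered attempt
    deadtime: float  # seconds a non-responding server is skipped; 0 disables skipping

    def request(self, now: float):
        """One AAA transaction (authentication or authorization) at simulated
        time `now`. Servers are tried in configured order; a server still inside
        its dead time is skipped without waiting. Returns a tuple of
        (answering server name or None, seconds spent waiting, servers contacted).
        None means every candidate failed, i.e. the device would fall back to
        its local method if one is configured."""
        waited = 0.0
        contacted = []
        for srv in self.servers:
            if srv.dead_until > now:
                continue  # marked dead: do not spend a timeout on it
            contacted.append(srv.name)
            if srv.reachable:
                return srv.name, waited, contacted
            waited += self.timeout  # full timeout elapsed with no reply
            if self.deadtime > 0:
                srv.dead_until = now + self.deadtime  # skip it for a while
        return None, waited, contacted


def simulate(deadtime: float, timeout: float = 5.0):
    """Primary is unreachable. Run a login (authentication) at t=0 and a
    command authorization 10 s later; report what each transaction did."""
    group = ServerGroup(
        servers=[
            AAAServer("PRI-ISE", reachable=False),  # hypothetical primary, down
            AAAServer("SEC-ISE", reachable=True),   # hypothetical secondary
            AAAServer("DR-ISE", reachable=True),    # hypothetical DR node
        ],
        timeout=timeout,
        deadtime=deadtime,
    )
    return {
        "authentication": group.request(now=0.0),
        "authorization": group.request(now=10.0),
    }


if __name__ == "__main__":
    for dt in (0.0, 300.0):
        print(f"deadtime={dt:.0f}s")
        for step, (server, waited, contacted) in simulate(dt).items():
            print(f"  {step:15s} answered by {server}, waited {waited:.0f}s, tried {contacted}")
```

Running it shows the two behaviours side by side: with deadtime 0 both transactions contact PRI-ISE first and wait 5 s each time; with deadtime 300 the first transaction marks PRI-ISE dead, and the authorization 10 s later contacts only SEC-ISE with no wait. The real device adds a further wrinkle the model leaves out: if the login prompt's own wait expires before the secondary answers, authentication falls to the local method while later authorization requests can still reach the secondary, which is the symptom described in the post.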