We have three ISE nodes,
AN-PRI-ISE | Primary ISE at DC | all personas enabled ie. Admin, PSN & MnT |
AN-SEC-ISE | Secondary at DC | all personas enabled ie. Admin, PSN & MnT |
DR-ISE | Health Check Node at DR | only PSN is enabled |
We are using ISE 2.4 with Patch 10
Below described issues :
Whenever failover happens, our Cisco router & switch are not able to authenticate with secondary or DR ISE. The order in which Tacacs servers have been configured, the switch & router tries to hit only ISE which is configured at the top.
For example :
CASE 1-
aaa group server tacacs+ default
server name PRI-ISE.xx.org
server name SEC-ISE.xx.org
server name DR-ISE.xx.org
the switch/route will hit only primary ISE
CASE 2- similarly, if the order is
aaa group server tacacs+ default
server name SEC-ISE.xx.org
server name PRI-ISE.xx.org
server name DR-ISE.xx.org
then switch/router will hit only secondary ISE but not PRIMARY or DR.
Another thing, in case of failover, Router/Switches are not going to secondary or DR ISE for authentication, during this time devices get login with LOCAL credential however just when we run any command on them, router/switch immediately communicates with Secondary or DR ISE for authorization and thus authorization gets failed due to the wrong username
that means during failover, router & switch cannot authenticate with secondary ISE or DR ISE but try to authorize with them whenever we execute any commands while we log in with LOCAL credential.
I have attached router/Switch Tacacs configuration, Show tech Output
