04-11-2021 11:15 PM
We have three ISE nodes:
AN-PRI-ISE | Primary ISE at DC | all personas enabled, i.e. Admin, PSN & MnT
AN-SEC-ISE | Secondary ISE at DC | all personas enabled, i.e. Admin, PSN & MnT
DR-ISE | Health Check Node at DR | only PSN enabled
We are using ISE 2.4 with Patch 10
The issues are described below:
Whenever a failover happens, our Cisco router & switch are not able to authenticate with the secondary or DR ISE. Given the order in which the TACACS+ servers have been configured, the switch & router only try to hit the ISE that is configured at the top.
For example :
CASE 1-
aaa group server tacacs+ default
server name PRI-ISE.xx.org
server name SEC-ISE.xx.org
server name DR-ISE.xx.org
the switch/router will hit only the primary ISE.
CASE 2- Similarly, if the order is
aaa group server tacacs+ default
server name SEC-ISE.xx.org
server name PRI-ISE.xx.org
server name DR-ISE.xx.org
then the switch/router will hit only the secondary ISE, but not the PRIMARY or DR.
Another thing: in case of failover, the routers/switches do not go to the secondary or DR ISE for authentication. During this time we can log in to the devices with LOCAL credentials; however, as soon as we run any command on them, the router/switch immediately communicates with the secondary or DR ISE for authorization, and thus authorization fails due to the wrong username.
That means that during failover, the router & switch cannot authenticate with the secondary ISE or DR ISE, but do try to authorize with them whenever we execute any commands after logging in with LOCAL credentials.
I have attached the router/switch TACACS+ configuration and the show tech output.
04-13-2021 04:13 AM
Bro, if I am right, the solution here is that dead time and dead criteria must be configured on the router and switch.