ISE fall-back

nicanor00
Level 1

Hi

I have 2 ISE 1.2

I configured ISE1 (192.168.1.1) as primary for PAN, MNT and PSN and it works fine.

Now I am configuring ISE2 (192.168.2.1) as secondary PAN, MNT and PSN.

In the normal situation, the users are authenticated on ISE1.

My goal:

If ISE1 is unavailable, users are authenticated on ISE2.

Then, as soon as ISE1 becomes available again, users must be authenticated on ISE1 again.

I configured it, but it doesn't work (see my configuration below):

radius-server dead-criteria time 5 tries 3
radius-server host 192.168.1.1 auth-port 1812 acct-port 1813 key Password123
radius-server host 192.168.2.1 auth-port 1812 acct-port 1813 key Password123
radius-server retry method reorder
radius-server transaction max-tries 3
radius-server retransmit 1

When ISE1 becomes available again, users remain authenticated on ISE2.

How do I configure the switch to achieve my goal (when ISE1 becomes available again, users must be authenticated on ISE1 again)?

Please help

Thanks in advance

2 Replies

Ravi Singh
Level 7

As per my knowledge, when a primary Monitoring ISE node goes down, the secondary Monitoring ISE node takes over all monitoring and troubleshooting information. The secondary node provides read-only capabilities, which means you cannot make configuration changes to that node.

To make configuration changes on the secondary node, the administrator must first manually promote the secondary node to a primary role. If the primary node comes back up after the secondary node has been promoted, it assumes the secondary role. If the secondary node was not promoted, the primary Monitoring ISE node will resume its role after it comes back up.

For configuration help you can see the link below:

http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_dis_deploy.html#wp1087439

jan.nielsen
Level 7

I doubt you can force a re-auth when the first ISE becomes available again, but it should change back to it once the re-auth timer expires for the dot1x sessions on the switch, and the client will be re-authenticated.
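An added switch configuration example (not the poster's configuration and not from either reply) that puts the two pieces together: the server list stays ISE1 first with a deadtime so the switch returns to ISE1 once it is no longer marked dead, and periodic 802.1X reauthentication is enabled so existing sessions are re-authenticated, as the second reply describes, with the next reauthentication going to ISE1. The interface name, the 10-minute deadtime and the 3600-second reauthentication interval are assumed values, and it is an assumption here that "radius-server retry method reorder" is what keeps traffic on ISE2, on the basis that the reorder method directs subsequent RADIUS traffic to the server that last answered.

```cisco
! Added example, not the poster's running config. Interface, deadtime and
! reauthentication interval are assumed values.
!
! Mark a server dead after 3 unanswered tries within 5 seconds (poster's values)
radius-server dead-criteria time 5 tries 3
! Skip a server that meets the dead criteria for 10 minutes (assumed value),
! then try it again; when ISE1 answers, it is used again as the first server
radius-server deadtime 10
! ISE1 first, ISE2 second: requests start at the top of this list
radius-server host 192.168.1.1 auth-port 1812 acct-port 1813 key Password123
radius-server host 192.168.2.1 auth-port 1812 acct-port 1813 key Password123
! Assumed cause of the observed behaviour: with the reorder method the switch
! keeps sending to the server that last answered (ISE2) even after ISE1 is
! back, so the reorder method is left off here
no radius-server retry method reorder
radius-server retransmit 1
!
! A session already authenticated on ISE2 is only re-checked when a
! reauthentication runs, so enable periodic reauthentication on the access
! port; once ISE1 is alive again the next reauthentication is sent to it
interface GigabitEthernet1/0/1
 switchport mode access
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate 3600
 dot1x pae authenticator
```

The reauthentication interval can also be taken from the RADIUS Session-Timeout attribute with "authentication timer reauthenticate server" if ISE is configured to send one.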