ISE High Availability - 3 Nodes 2x PAN 1x Health Check PAN Failover

neil.garry1
Level 1

Hi I was wondering if anyone could just provide some clarity on an issue we are facing.

We are running ISE 3.0 and have 3 nodes: 1 Primary PAN, 1 Secondary PAN and 1 for PAN failover. All are PSNs, but the issue we have is that we have one FQDN for our Guest and Corporate WiFi portals.

We are using a Cisco WLC 5520 and in the AAA server section added the IPs of our ISE nodes; however, authentication doesn't work properly if I force my endpoint to go to another ISE node via a hosts file that doesn't match the SSID's AAA Server 1: we get error 400 Malformed or bad request.

Our thinking is that because the WLC sees AAA Server 1 as available it passes the request to this node; however, our client is resolving the FQDN to another node, making the bad request.

Is our only way to resolve this to put a load balancer in front of our ISE servers, or do node groups help to alleviate this issue?

Hopefully that makes sense,

Thanks

Neil

1 Accepted Solution

Accepted Solutions

Damien Miller
VIP Alumni

I'll lead with the standard verbiage here. A three-node ISE deployment such as this is not an officially tested or supported topology. I would not recommend a load balancer here either.

The issue you are seeing is the expected behavior. The ISE node that processes the RADIUS request and serves the guest redirect URL is the one that knows about that unique endpoint session. The redirect URL that is passed back to the WLC, and that the client uses, comes along with the server address that processed the request, and this server expects the client to connect back to it. If you play with the hosts file and force the client to an ISE node that didn't process the RADIUS request, then the ISE node the client hits will not have the active authentication session ID. This results in a "server error", since the request/session ID doesn't exist and fails on that node.

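To make the session-ownership point concrete, here is a small added model (not code from this thread or from Cisco) of which node a client lands on when the shared portal FQDN is overridden in a hosts file; the redirect URL layout, node names and addresses are assumptions.

```python
from urllib.parse import urlparse, parse_qs

# Constructed deployment: three ISE nodes, all running PSN (names/addresses are assumptions).
NODES = {"ise-pan1": "10.0.0.11", "ise-pan2": "10.0.0.12", "ise-psn3": "10.0.0.13"}
# One shared portal FQDN, as in the post; DNS normally answers with AAA Server 1.
DNS = {"guest.example.com": "10.0.0.11"}
# Constructed redirect URL in the CWA-style layout assumed here (sessionId/portal/action).
REDIRECT_URL = ("https://guest.example.com:8443/portal/gateway"
                "?sessionId=0A0000010000001234&portal=guest-portal&action=cwa")


def parse_redirect(url):
    """Pull the portal host and the sessionId out of the redirect URL the WLC hands the client."""
    u = urlparse(url)
    sid = parse_qs(u.query).get("sessionId", [None])[0]
    return u.hostname, sid


def client_resolve(name, hosts_override=None):
    """Resolve the way an endpoint does: a hosts-file entry wins over DNS."""
    return (hosts_override or {}).get(name) or DNS.get(name)


def check_redirect(url, issuing_node, hosts_override=None):
    """Compare the node that owns the session (the one that processed RADIUS and built
    the redirect) with the node the client will actually connect to for the portal."""
    host, sid = parse_redirect(url)
    owner_ip = NODES[issuing_node]
    target_ip = client_resolve(host, hosts_override)
    # Each PSN keeps its own table of live sessions; only the issuing node holds this one,
    # so any other node answers the portal request with a 400 (unknown session).
    session_table = {owner_ip: {sid}}
    status = 200 if sid in session_table.get(target_ip, set()) else 400
    return {"host": host, "sessionId": sid, "owner": owner_ip,
            "target": target_ip, "status": status}


if __name__ == "__main__":
    print(check_redirect(REDIRECT_URL, "ise-pan1"))                                   # normal: 200
    print(check_redirect(REDIRECT_URL, "ise-pan1", {"guest.example.com": "10.0.0.13"}))  # hosts override: 400
```

A load balancer that keeps the client sticky to the issuing PSN (or DNS that always points the portal FQDN at the node the WLC actually used) is what makes `target` equal `owner` in this model.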

3 Replies

Marvin Rhoads
Hall of Fame

"doesn't work properly if I force my endpoint to go to another ISE node via a host file" - why would you want to do that?

@Damien Miller correctly described the reason why this will break things.

If you want to load balance among PSNs, the load balancer (if properly configured) will keep track of the session for a given endpoint and make sure to keep them "sticky" to the originating PSN.

neil.garry1
Level 1

Thank you for your replies.

My only remaining question is: how is this not a supported deployment, having 3 nodes? This is exactly how we have been told to deploy for auto failover, and it has been verified via TAC.

Neil