ISE primary and secondary PSN authentication order

shaheryar.khan
Level 1


Hello, everyone!


Can someone explain how the switch decides whether to use the primary or secondary PSN when sending TACACS+ or RADIUS authentication requests? Does it depend on how the switch is configured, or on something else?


Thanks

Accepted Solution

@shaheryar.khan the switch will use the RADIUS Servers (PSNs) in the order they are configured, until one is marked as dead, then will use the next configured RADIUS server. You can use the RADIUS Server Load Balancing feature which spreads the AAA load, or preferably a 3rd-party Load Balancer, such as F5.


4 Replies

Hi @shaheryar.khan

@Rob Ingram is correct regarding the RADIUS process - there is a concept of dead timer and dead criteria, etc.

But what about TACACS+? It's my experience on all Catalyst platforms, IOS-XE 16.x and greater, that there is no dead timer or dead criterion to work with. This means that when the Primary TACACS+ server fails, the IOS-XE device goes to the next candidate, until it finds success. Once the TCP transaction is completed, and the next TACACS+ auth comes along, the IOS-XE device doesn't remember that the Primary Server didn't respond, and it tries it again, top down. This is why we typically need a feature like deadtime to "hold down" the failing server until we think it's safe to use it again.

The consequence of not having this dead "hold-down" timer is that the TACACS+ sessions become quite sluggish, as auth and authorization suffer a timeout penalty. The IOS-XE device will continue using the Secondary TACACS+ server, but the CLI responses will feel sluggish.

I have always wondered whether I am missing a trick, or whether this is by design in IOS-XE TACACS+ implementation.
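To make the difference the two replies above describe concrete, here is a constructed IOS-XE configuration (an added example, not from any post in this thread; the server names, 192.0.2.x addresses, probe username and shared keys are placeholders) showing where the RADIUS dead-criteria, deadtime and load-balancing knobs live, next to a TACACS+ group that only has a per-server timeout to fall back on.

```cisco
! Constructed example; addresses, names and keys are placeholders.
! --- RADIUS: servers are tried in the order listed in the group ---
radius server ISE-PSN1
 address ipv4 192.0.2.11 auth-port 1812 acct-port 1813
 key <shared-secret>
 timeout 5
 retransmit 2
 ! Active probe so a dead PSN can be marked alive again without user traffic
 automate-tester username probe-user probe-on
!
radius server ISE-PSN2
 address ipv4 192.0.2.12 auth-port 1812 acct-port 1813
 key <shared-secret>
 timeout 5
 retransmit 2
 automate-tester username probe-user probe-on
!
! Mark a server dead after 10 s with no reply across 3 tries ...
radius-server dead-criteria time 10 tries 3
!
aaa group server radius ISE-RADIUS
 server name ISE-PSN1
 server name ISE-PSN2
 ! ... and hold it down for 15 minutes before trying it again
 deadtime 15
 ! Optional: spread requests over both PSNs instead of strict primary/secondary
 load-balance method least-outstanding batch-size 5
!
aaa authentication dot1x default group ISE-RADIUS
aaa authorization network default group ISE-RADIUS
!
! --- TACACS+: no dead-criteria/deadtime; only a per-server timeout ---
tacacs server ISE-TAC1
 address ipv4 192.0.2.11
 key <shared-secret>
 timeout 3
tacacs server ISE-TAC2
 address ipv4 192.0.2.12
 key <shared-secret>
 timeout 3
!
aaa group server tacacs+ ISE-TACACS
 server name ISE-TAC1
 server name ISE-TAC2
!
aaa authentication login default group ISE-TACACS local
aaa authorization exec default group ISE-TACACS local
```

With this in place, `show aaa servers` reports each RADIUS server's UP/DEAD state so the hold-down can be observed, whereas the TACACS+ group carries no such state, which is why ISE-TAC1 is retried at the top of every new session even while it is unreachable.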

Ib_Reda
Level 1

Dears

I have the same issue with TACACS+ auth. I have ISE1 and ISE2; on the switch I ordered ISE2 then ISE1, and ISE2 is primary, ISE1 is secondary.

Why does the switch automatically authenticate from the secondary?

NOTE: I did not run RADIUS, I only tested TACACS.

Share your IOS config here

show run | section tacacs
show run | include aaa
show tacacs

As was mentioned before, the deadtimer concept does not apply to TACACS AAA. It only applies to RADIUS AAA.

TACACS will always try the first server you define in your TACACS group, even if that server is unavailable.