ISE PSN failback.

Maher Shaban
Level 1

Hi

I have 2 ISE 1.2.1.189

I configured ISE1 (192.168.1.1) as primary for PAN, MNT and PSN and it works fine

and ISE2 (192.168.2.1) as secondary PAN, MNT and PSN

In a normal situation, users are authenticated on ISE1

My goal:

If ISE1 is unavailable, users are required to authenticate on ISE2

Then as soon as ISE1 becomes available again, users must be authenticated again on ISE1

I configured it, but it doesn't work (see my configuration below)

radius-server dead-criteria time 5 tries 3

radius-server host 192.168.1.1 auth-port 1812 acct-port 1813 key Password123

radius-server host 192.168.2.1 auth-port 1812 acct-port 1813 key Password123


When ISE1 becomes available again, users remain authenticated on ISE2

How do I configure the switch to achieve my goal?

Please help

Thanks in advance

Accepted Solutions

jj27
Spotlight

Authenticated sessions will not be affected by dead/alive RADIUS servers.  If ise1 was dead and the user was authenticated through ise2, when ise1 is alive again it will not take ownership of the authenticated sessions, but the next time a user/device authenticates, it will use ise1 so long as it is the first RADIUS server in the list.


Thanks mate..
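
The behaviour described in the accepted answer, as a simplified Python model added here (not part of the original thread and not Cisco IOS code). The `Switch` class, the client names and the `reachable` argument are assumptions for illustration, and dead detection is reduced to one missed reply instead of the configured dead-criteria.

```python
"""Simplified model of ordered RADIUS server selection with session stickiness.
Constructed illustration; it does not reproduce Cisco IOS internals."""


class Switch:
    def __init__(self, servers):
        self.servers = list(servers)   # same order as the radius-server host lines
        self.dead = set()              # servers currently marked dead
        self.sessions = {}             # client -> server that authenticated it

    def authenticate(self, client, reachable):
        """Send the request to the first server in the list not marked dead."""
        for server in self.servers:
            if server in self.dead:
                continue
            if server in reachable:
                self.sessions[client] = server
                return server
            # Assumption: one missed reply marks the server dead
            # (the real switch applies its dead-criteria timers and tries).
            self.dead.add(server)
        raise RuntimeError("no RADIUS server answered")

    def mark_alive(self, server):
        """Server answers again: only the dead flag changes, sessions stay put."""
        self.dead.discard(server)


def failback_demo():
    ise1, ise2 = "192.168.1.1", "192.168.2.1"
    sw = Switch([ise1, ise2])
    log = []
    log.append(sw.authenticate("pc-a", {ise1, ise2}))  # normal: ISE1 answers
    log.append(sw.authenticate("pc-b", {ise2}))        # ISE1 down: falls to ISE2
    sw.mark_alive(ise1)                                # ISE1 comes back
    log.append(sw.sessions["pc-b"])                    # existing session still on ISE2
    log.append(sw.authenticate("pc-c", {ise1, ise2}))  # new authentication: ISE1
    log.append(sw.authenticate("pc-b", {ise1, ise2}))  # pc-b's next auth: ISE1
    return log


if __name__ == "__main__":
    for step, server in enumerate(failback_demo(), 1):
        print(step, server)
```
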