12-04-2016 08:35 PM
What is the operational impact if the PSN IP address is/has to be changed in a distributed environment?
What happens to active sessions?
What is the recommended way of replacing the PSN IP address?
12-05-2016 01:12 PM
Phanikumar, for 802.1X sessions it depends on the NAD settings. In general, once authenticated, the sessions are maintained on the WLC or the switch until the client reconnects or, if configured, the reauthentication timer expires. If it has expired, the NAD will try reconnecting to the previous RADIUS server it used and, if that is not available, depending on the NAD setting, it will go down the list of RADIUS servers defined on the NAD to authenticate the endpoint. On the Cisco WLC you may want to manually change the RADIUS server order on the WLAN so that the new IP is on top once the new server is active. On the IOS switches, you can configure deadtime & dead criteria to dictate how long the RADIUS server will be marked down. On both platforms you can also configure RADIUS probes to monitor the RADIUS server status and mark it alive. See the following how-to documents for more information:
How To: Universal Wireless Controller (WLC) Configuration for ISE
How To: Universal IOS Switch Config for ISE
If you want to minimize user impact, you could consider increasing the reauth timeout or disabling it for the duration of the maintenance.
Hosuk
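The IOS switch settings named in the answer above (ordered RADIUS server list, dead criteria, deadtime and a RADIUS probe), shown as an added example that is not part of the original thread or of the linked how-to documents. Server names, addresses (documentation range), the probe username, the key placeholder and the timer values are all assumptions chosen for illustration.

```ios
! Constructed example: names, addresses, key and timer values are placeholders.
aaa new-model
!
! PSN under its new IP address.
! automate-tester is the RADIUS probe: a periodic test authentication
! whose response lets the switch mark the server alive again.
radius server ISE-PSN-NEW
 address ipv4 192.0.2.20 auth-port 1812 acct-port 1813
 key <shared-secret>
 automate-tester username radius-probe
!
! Second PSN that stays reachable during the address change.
radius server ISE-PSN-2
 address ipv4 192.0.2.11 auth-port 1812 acct-port 1813
 key <shared-secret>
 automate-tester username radius-probe
!
! The order in the group is the order the switch walks when a server is dead.
aaa group server radius ISE-PSN
 server name ISE-PSN-NEW
 server name ISE-PSN-2
!
aaa authentication dot1x default group ISE-PSN
!
! Dead criteria: no response for 5 seconds and 3 consecutive timeouts.
radius-server dead-criteria time 5 tries 3
! Deadtime: a server marked dead is skipped for 15 minutes.
radius-server deadtime 15
```

`show aaa servers` on the switch reports the current state of each configured server, which is a quick check before and after the address change.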