1399 Views | 6 Helpful | 1 Reply

ISE PSN IP change - Operational impact

Phanikumar Dharmavarapu
Cisco Employee

What is the operational impact if a PSN IP address is, or has to be, changed in a distributed environment?

What happens to active sessions?

What is the recommended way of replacing the PSN IP address?

Accepted Solution

howon
Cisco Employee

Phanikumar, for 802.1X sessions it depends on the NAD settings. In general, once authenticated, the sessions are maintained on the WLC or the switch until the client reconnects or, if configured, the reauthentication timer expires. If it expires, the NAD will try reconnecting to the previous RADIUS server it used and, if that is not available, depending on the NAD setting, it will go down the list of RADIUS servers defined on the NAD to authenticate the endpoint. On the Cisco WLC you may want to manually change the RADIUS server order on the WLAN so that the new IP is on top once the new server is active. On IOS switches, you can configure deadtime & dead criteria to dictate for how long the RADIUS server will be marked down. On both platforms you can also configure RADIUS probes to monitor the RADIUS server status and mark it alive. See the following how-to documents for more information:

How To: Universal Wireless Controller (WLC) Configuration for ISE

How To: Universal IOS Switch Config for ISE

If you want to minimize user impact, you could consider increasing the reauth timeout or disabling it for the duration of the maintenance.

Hosuk
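As an added illustration (not part of howon's reply and not taken from the linked how-to documents), the IOS switch side of what the reply describes can be expressed as the configuration below. The server names, IP addresses, probe username, interface and shared secret are constructed placeholders; the WLC counterpart (moving the new PSN IP to the top of the WLAN's RADIUS list) is done in the controller GUI and has no CLI shown here.

```cisco
! Added example, not from the original thread. All names, addresses and the
! secret are placeholders; substitute your own PSN addresses and server names.

! 1. Define the new PSN as an additional RADIUS server. automate-tester sends
!    periodic test Access-Requests with the given (non-existent) username, so
!    the switch learns on its own when the new address starts answering and
!    when the old one stops, instead of finding out during a real reauth.
radius server ISE-PSN-NEW
 address ipv4 192.0.2.20 auth-port 1812 acct-port 1813
 automate-tester username radius-probe probe-on
 key <SHARED-SECRET-PLACEHOLDER>
!
radius server ISE-PSN-OLD
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 automate-tester username radius-probe probe-on
 key <SHARED-SECRET-PLACEHOLDER>
!
! 2. Dead criteria: a server that has not answered for 5 seconds AND has 3
!    consecutive unanswered requests is marked dead. Deadtime: it is then
!    skipped for 10 minutes before normal requests are sent to it again
!    (the automate-tester probe can mark it alive earlier than that).
radius-server dead-criteria time 5 tries 3
radius-server deadtime 10
!
! 3. Server group order is the failover order. Listing the new PSN first is
!    the switch equivalent of putting the new IP on top of the WLAN list.
aaa group server radius ISE-GROUP
 server name ISE-PSN-NEW
 server name ISE-PSN-OLD
!
! 4. Reauthentication timer on an access port. A longer timer (or periodic
!    reauthentication switched off for the maintenance window) keeps already
!    authorized sessions from reauthenticating against a server mid-change.
interface GigabitEthernet1/0/1
 authentication periodic
 authentication timer reauthenticate 28800
! To suspend periodic reauthentication entirely during the window:
!  no authentication periodic
!
! 5. Verification: which servers the switch currently treats as alive/dead,
!    and the probe and request counters per server.
! show aaa servers
! show radius server-group all
```

Whether the old PSN stays in the group during the change is a choice: keeping it listed second means sessions that cannot reach the new address still have a path, while the dead-criteria and deadtime values bound how long the switch keeps retrying an address that no longer answers.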
