996 Views · 6 Helpful · 1 Reply
Phanikumar Dharmavarapu
Cisco Employee

ISE PSN IP change - Operational impact

What are the operational impacts if a PSN IP address is, or has to be, changed in a distributed environment?

What happens to active sessions?

What is the recommended way of replacing the PSN IP address?

Accepted Solution
howon
Cisco Employee

Phanikumar, for 802.1X sessions it depends on the NAD settings. In general, once authenticated, the sessions are maintained on the WLC or the switch until the client reconnects or, if configured, the reauthentication timer expires. If it expires, the NAD will try reconnecting to the previous RADIUS server it used and, if that is not available, depending on the NAD setting it will go down the list of RADIUS servers defined on the NAD to authenticate the endpoint. On the Cisco WLC you may want to manually change the RADIUS server order on the WLAN so that the new IP is on top once the new server is active. On IOS switches, you can configure deadtime and dead criteria to dictate how long the RADIUS server will be marked down. On both platforms you can also configure RADIUS probes to monitor the RADIUS server status and mark it alive. See the following how-to documents for more information:

How To: Universal Wireless Controller (WLC) Configuration for ISE

How To: Universal IOS Switch Config for ISE

If you want to minimize user impact, you could consider increasing the reauth timeout or disabling it for the duration of the maintenance.

Hosuk

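To make the switch-side knobs from the accepted answer concrete (dead criteria, deadtime, RADIUS probes, server order, reauth timer), here is an added IOS configuration example. It is not from the original post or from the linked how-to documents. The server names, IP addresses (10.1.1.21 as the PSN with its new address, 10.1.1.22 as a second PSN that stays reachable during the change), shared secret, server group name, test username and interface are placeholder assumptions.

```ios
! Constructed example, not from the original post. Names, IPs, the shared
! secret and the test username are placeholders.

! One radius server object per PSN. automate-tester sends periodic test
! authentications so a server marked dead is brought back as soon as it
! answers again; idle-time 5 probes every 5 minutes while the server is idle.
radius server ISE-PSN1-NEW
 address ipv4 10.1.1.21 auth-port 1812 acct-port 1813
 automate-tester username radius-test idle-time 5 probe-on
 key SHARED-SECRET-PLACEHOLDER
!
radius server ISE-PSN2
 address ipv4 10.1.1.22 auth-port 1812 acct-port 1813
 automate-tester username radius-test idle-time 5 probe-on
 key SHARED-SECRET-PLACEHOLDER
!
! Dead criteria: after 3 unanswered requests within 10 seconds the server is
! marked dead. deadtime 15 keeps it out of rotation for 15 minutes, so new
! authentications are not delayed by retries to an address that is gone.
radius-server dead-criteria time 10 tries 3
radius-server deadtime 15
!
! Order in the group is the failover order. During the window the PSN that is
! known reachable goes first; move ISE-PSN1-NEW to the top once it answers.
aaa group server radius ISE-GROUP
 server name ISE-PSN2
 server name ISE-PSN1-NEW
!
aaa authentication dot1x default group ISE-GROUP
aaa authorization network default group ISE-GROUP
aaa accounting dot1x default start-stop group ISE-GROUP
!
! Verify the new address answers before reordering the group, then check
! which servers are marked up or dead (placeholder credentials):
!   test aaa group ISE-GROUP radius-test <password> new-code
!   show aaa servers
!
! Limiting reauth impact for the maintenance window (legacy, non-IBNS 2.0
! port syntax): a long fixed reauth timer keeps existing sessions off RADIUS
! while the IP changes; "no authentication periodic" disables reauth outright.
interface GigabitEthernet1/0/1
 authentication periodic
 authentication timer reauthenticate 43200
```

The WLC side has no equivalent CLI in this example; as the answer says, the RADIUS server order is changed on the WLAN itself once the PSN is active on its new address. The timer value of 43200 seconds is an assumption chosen to fit within the command's range; pick whatever covers your window.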
