ISE questions

lsin
Cisco Employee

Please help to comment on the following:

1. When ISE1 is disconnected from the network, ISE2 is responsible for the authentication; however, it is noticed that authentication log sessions in "Radius LiveLogs" are not synchronized back to ISE1 when ISE1 regains network reachability.

2. When the network connectivity between ISE1 and Active Directory (AD) was blocked by a firewall, ISE2 was shown to be disassociated from AD in the "External Identity Store" under the "AD" tab. This was unexpected, as the firewall only blocks the connection between ISE1 and AD, not between ISE2 and AD.

3. Very often, authentication failure logs, especially retries from the same user, are not shown in the "Radius Live Log" tab.
2 Replies

gbekmezi-DD
Level 5
(Accepted Solution)

1. That is correct. There is no synchronization between MNT nodes. I'm making the assumption here that your two ISE nodes have all personas (ADM, MNT, PSN). You can always navigate directly to ISE2 to see the sessions specific to that node. In a normal environment, the session database is naturally synchronized between the two MNT nodes. In your situation, the sessions would end up being normalized over time. You could change the secondary MNT node to become primary for a while if you want to see the most accurate representation of sessions on your network.

2. That seems odd. If you can reproduce, you may consider opening a TAC case.

3. You also can't assume every failed attempt is making it to ISE. There may be times where the attempts are being blocked at the wireless controller, for instance if client exclusion is triggered. Also, ISE may be dropping requests if anomalous client detection is triggered.

lsin
Cisco Employee

George, thanks for the swift response.

1. Yes, only two nodes are configured. I am not sure about the normal environment that you've mentioned. Is that more than two ISE nodes, or must MNT be on separate nodes?

2. Will open a case to follow up.

3. It's a wired environment, so it may be related to anomalous client detection.