ISE radius auth via secondary node

manvik
Level 3

We have a 2-node setup with the primary ISE node in the DC and the secondary ISE node in DR. All personas (admin, policy, monitoring) are on one node.

AnyConnect VPN users connect to the ASA and then to ISE for authentication; so far everything is working fine when users connect to the DC ASA and ISE.

We are confused whether AnyConnect auth will work if users connect to the DR ASA and then to the DR ISE. DC ISE is primary for all personas.

10 Replies

Milos_Jovanovic
VIP Alumni

Hi @manvik,

You need to enable all personas on the second ISE node too (if not already; it's a bit unclear from the original post). Once enabled, DR ISE will also be able to process AAA traffic, so your scenario where you are using DR ASA and DR ISE would work.

Kind regards,

Milos

All personas are enabled on both nodes. DC ISE has the primary role and DR ISE has the secondary role.

When a user connects to the DR VPN, the ISE log shows the policy server as DC ISE.

Is there a way for DR ISE to be the policy server?

An ASA will use the configured AAA servers (ISE nodes in your case with the PSN role) in the order they are specified in the configuration (aaa-server group). As long as the first server is responding to RADIUS requests, the ASA will always use it.

To perform a test of the secondary ISE node you can do a manual test from the ASA (ASDM or CLI) specifying that node, or temporarily remove the primary node from your config (or block reachability to the primary node in some other way).

Alternatively to what @Marvin Rhoads suggested, you can manually change the order of the aaa-server configuration on your DR ASA to use DR ISE first and DC ISE second. That way, your DR ASA will always talk to the nearest ISE, and you should also be able to see it in the logs.

Kind regards,

Milos
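The DR-first ordering described above, written out as an added ASA configuration example (not configuration from the original thread or from any poster). The group name, tunnel-group name, interface name and IP addresses are constructed placeholders; the ASA tries the hosts in the order they appear under the group.

```cisco
! Added example: DR ASA lists the DR PSN first, DC PSN second.
! Group-level failover settings: mark a host failed after 3 missed
! replies and retry it after 10 minutes (depletion mode).
aaa-server ISE-RADIUS protocol radius
 max-failed-attempts 3
 reactivation-mode depletion deadtime 10
!
! Constructed address for the DR PSN (first entry = tried first)
aaa-server ISE-RADIUS (inside) host 10.20.0.11
 key <shared-secret>
 authentication-port 1812
 accounting-port 1813
!
! Constructed address for the DC PSN (used only if DR PSN fails)
aaa-server ISE-RADIUS (inside) host 10.10.0.11
 key <shared-secret>
 authentication-port 1812
 accounting-port 1813
!
! Bind the group to the AnyConnect tunnel-group
tunnel-group ANYCONNECT-DR general-attributes
 authentication-server-group ISE-RADIUS
 accounting-server-group ISE-RADIUS
!
! Verification: running-config order is the order used; status
! should read ACTIVE for the first host.
show run aaa-server ISE-RADIUS
show aaa-server ISE-RADIUS
!
! Manual test against one specific node, as suggested above
test aaa-server authentication ISE-RADIUS host 10.20.0.11 username testuser password <password>
```

The ASA keeps hosts in the order they were entered, so to move DR ISE first on an existing group you remove the DC host entry and re-add it after the DR entry; then confirm with show aaa-server that the first host is ACTIVE and check the PSN shown in the ISE live log.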

ammahend
VIP

All authentication goes to ISE in the primary DC by default unless you have some kind of load balancing going on; since it's a DR site, I highly doubt that.

The RADIUS server (auth server group) should be configured under the tunnel-group on the ASA. For a test under a maintenance window, you can change the ISE server order, making DR ISE primary, and see if authentication starts going through DR and works.

If the secondary ISE is in the server group and working fine, it should work. Usually these things are tested before deployment, but you can always test it simply by making DR ISE the primary RADIUS server on the ASA.

-hope this helps-

manvik
Level 3

Thank you all. The ASA has DR ISE as the primary AAA server, but DC ISE still serves as the policy node.

Is there a way for DR ISE to serve as the policy node for requests coming to it?

Milos_Jovanovic
VIP Alumni

Could you please post the output of "show run aaa-server your_RADIUS_group", "show aaa-server your_RADIUS_group" and "show run tunnel-group relevant_tunnel-group"?

If DR ISE is configured as the primary server on the ASA, and all is OK with ISE (e.g. PSN role enabled, network device added, etc.), then there is no obvious reason why DC ISE would be contacted instead of DR ISE.

Kind regards,

Milos

DR ISE has PSN role enabled, network device added, etc.

In the ISE deployment, DC ISE has the primary role and DR ISE has the secondary role.

Milos_Jovanovic
VIP Alumni

What is the server status on the ASA with "show aaa-server": active or failed?

If active, and everything else seems to be OK, then I would advise opening a TAC case, as there isn't much that the community can help with.

Kind regards,

Milos

manvik
Level 3

TAC looked into this; the issue was related to certificates. A new self-signed cert was generated and was placed on both the DC and DR ISE nodes.