ISE1.1.3 failover problems

Amit Singh2000
Level 1

Hi guys

I am going to write a short story and will try to explain the problem I have.

Here is my setup. I have two ISE servers running in primary and secondary mode, ISE1 and ISE2. Everything is configured and sync is complete. My access switch is a 2960 which has dot1x enabled and RADIUS defined in the config. It's using ISE1 as primary and ISE2 as secondary point of authentication. There are phones connected to the switch and PCs behind the phones.

The phones and PCs authenticate using EAP-TLS, which works fine when both servers are up and running. Printers use MAB and video endpoints use EAP-PEAP. All good till here.

When I shut down my primary server, phones, printers and video endpoints authenticate without any problem. The PC is having an issue and I am getting an error message saying EAP timeout after 120 seconds.

Today, just to test that the ISE servers are configured properly, I removed the primary server from the 2960 config. Now the switch has only one RADIUS server listed for authentication, which is ISE2. The authentication works fine for all of them. Then I shut down ISE1 just for the sake of it. At this step I have ISE2 running and the 2960 switch has only one RADIUS server configured. Everything works fine here.

The minute I add ISE1 as primary RADIUS server, PC authentication fails and I get the EAP timeout message.

Looks like I have to tweak some configuration on the 2960 so that it fails over to the backup ISE ASAP. Has anyone seen that?

Thanks.



Sent from Cisco Technical Support iPad App

2 Replies

Ryan Wolfe
Level 5

If you have the radius-server commands put in, the switch should just rotate through the servers if they're not available. But there are RADIUS server groups and the traditional radius-server host commands. It could just be that something was overlooked.

But this does seem to be a problem with the switch configuration. Can you provide the config of the 2960?

Do you have the following lines in your config?

radius-server dead-criteria time 5 tries 3
radius-server host auth-port 1812 acct-port 1813 test username radius-test key 7
radius-server host auth-port 1812 acct-port 1813 test username radius-test key 7

I could see a situation where you have the aaa server group configured but not this, so your switch failed to identify the primary RADIUS server as down, forcing the issue of manual removal.
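A quick way to check a 2960 config for the lines this reply asks about, as an added example that is not part of the thread and not Cisco's code: the script below parses IOS-style radius-server lines from two constructed sample configs (placeholder addresses and key), flags hosts that have no test username probe and a missing dead-criteria or deadtime, and computes how long one Access-Request can wait on an unresponsive server before the switch moves to the next one. The IOS defaults it assumes (timeout 5 seconds, retransmit 3, deadtime 0 meaning dead servers are not skipped) are assumptions to verify on your own platform.

```python
import re
from typing import Dict, List

# Constructed sample config (not from the thread): two RADIUS hosts and nothing
# that lets the switch mark a dead server and skip it. Addresses and key are
# placeholders.
CONFIG_BEFORE = """\
aaa new-model
aaa authentication dot1x default group radius
radius-server host 10.0.0.1 auth-port 1812 acct-port 1813 key 7 PLACEHOLDER
radius-server host 10.0.0.2 auth-port 1812 acct-port 1813 key 7 PLACEHOLDER
"""

# Constructed sample config: same hosts with automated probing, dead-criteria and
# explicit deadtime/timeout/retransmit values so a dead primary is skipped quickly.
CONFIG_AFTER = """\
aaa new-model
aaa authentication dot1x default group radius
radius-server dead-criteria time 5 tries 3
radius-server deadtime 10
radius-server timeout 3
radius-server retransmit 2
radius-server host 10.0.0.1 auth-port 1812 acct-port 1813 test username radius-test key 7 PLACEHOLDER
radius-server host 10.0.0.2 auth-port 1812 acct-port 1813 test username radius-test key 7 PLACEHOLDER
"""

HOST_RE = re.compile(r"^radius-server host (\S+)(.*)$")
DEAD_RE = re.compile(r"^radius-server dead-criteria time (\d+) tries (\d+)$")
DEADTIME_RE = re.compile(r"^radius-server deadtime (\d+)$")
TIMEOUT_RE = re.compile(r"^radius-server timeout (\d+)$")
RETRANS_RE = re.compile(r"^radius-server retransmit (\d+)$")


def parse_radius(config: str) -> Dict:
    """Pull the global RADIUS settings and host lines out of an IOS-style config.
    The starting values are the IOS defaults as assumed here (timeout 5 s,
    retransmit 3, deadtime 0 = dead servers are not skipped)."""
    state = {"hosts": [], "dead_criteria": None, "deadtime": 0,
             "timeout": 5, "retransmit": 3}
    for raw in config.splitlines():
        line = raw.strip()
        if (m := HOST_RE.match(line)):
            state["hosts"].append({
                "addr": m.group(1),
                # 'test username <name>' on the host line turns on automated probing
                "probe": bool(re.search(r"\btest username \S+", m.group(2))),
            })
        elif (m := DEAD_RE.match(line)):
            state["dead_criteria"] = (int(m.group(1)), int(m.group(2)))
        elif (m := DEADTIME_RE.match(line)):
            state["deadtime"] = int(m.group(1))
        elif (m := TIMEOUT_RE.match(line)):
            state["timeout"] = int(m.group(1))
        elif (m := RETRANS_RE.match(line)):
            state["retransmit"] = int(m.group(1))
    return state


def assess(config: str) -> Dict:
    """List what is missing for fast failover and the worst-case time a single
    Access-Request sits on an unresponsive server before the next server is
    tried: the first attempt plus each retransmit, each waiting the full timeout."""
    s = parse_radius(config)
    findings: List[str] = []
    if s["dead_criteria"] is None:
        findings.append("no 'radius-server dead-criteria': server is never marked dead")
    if s["deadtime"] == 0:
        findings.append("deadtime is 0: a dead server is still tried first every time")
    unprobed = [h["addr"] for h in s["hosts"] if not h["probe"]]
    for addr in unprobed:
        findings.append(f"host {addr} has no 'test username': no automated probing")
    return {
        "findings": findings,
        "unprobed_hosts": unprobed,
        "worst_case_seconds": s["timeout"] * (s["retransmit"] + 1),
    }


if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        r = assess(cfg)
        print(f"[{label}] worst case per request: {r['worst_case_seconds']} s")
        for f in r["findings"]:
            print("  -", f)
```

Feed it the output of show running-config | include radius-server from the real switch instead of the constructed samples. The per-request figure matters because an EAP-TLS exchange needs many Access-Requests, so if an unresponsive primary is retried for each one the wait compounds, while MAB needs only one request; that is the kind of difference that shows up as a supplicant timeout on the PCs alone.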