11-08-2016 05:34 AM
Would like clarification on this from the Admin Guide:
Cisco ISE always uses the primary LDAP server to obtain groups and attributes for use in authorization policies from the Admin portal, so the primary LDAP server must be accessible when you configure these items. Cisco ISE uses the secondary LDAP server only for authentications and authorizations at run time, according to the failover configuration.
Can you explain the last sentence? Does this imply that the secondary server is used when the primary is up and running, or just during a failover event when the primary is no longer available? I am trying to determine the authentication degradation if the secondary LDAP server were to fail or there were a misconfiguration on the secondary server. If the primary was still up, would there be any interruption of authentications?
11-08-2016 09:24 AM
Mainly during failover. In case the auth requests fail over to the secondary LDAP and the connections are active, I would expect ISE to continue with the secondary LDAP until the connections are closed or fail.
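The behaviour the Admin Guide quote and the reply describe, as an added Python model (not Cisco's or ISE's code): admin-time group lookups go to the primary only, runtime authentications try the primary and fail over to the secondary, and a failed-over connection stays on the secondary until it closes or fails. The stickiness rule and the sample users are assumptions made for the model, not verified ISE behaviour.

```python
"""Toy model of the primary/secondary LDAP selection described in the thread.
Admin-time group lookups go to the primary only; runtime auth uses the primary
and fails over to the secondary; a failed-over connection stays on the secondary
until it closes or fails (the reply's expectation, assumed here, not verified
ISE behaviour). Added example, not Cisco's code."""
from dataclasses import dataclass, field


@dataclass
class LdapServer:
    name: str
    up: bool = True
    users: dict = field(default_factory=dict)  # constructed: user -> (pw, groups)

    def bind(self, user, password):
        if not self.up:
            raise ConnectionError(f"{self.name} unreachable")
        pw, _ = self.users.get(user, (None, ()))
        return pw is not None and pw == password


class LdapFailover:
    def __init__(self, primary, secondary):
        self.primary, self.secondary = primary, secondary
        self.active = None  # server the current runtime connection is bound to

    def admin_groups(self, user):
        """Admin-portal lookup: primary only, no failover (per the Admin Guide)."""
        if not self.primary.up:
            raise ConnectionError("primary LDAP required for admin-time lookups")
        return self.primary.users.get(user, (None, ()))[1]

    def authenticate(self, user, password):
        """Runtime auth: reuse an open connection, else primary, then secondary."""
        order = [self.active] if self.active else []
        order += [s for s in (self.primary, self.secondary) if s is not self.active]
        for server in order:
            try:
                ok = server.bind(user, password)
            except ConnectionError:
                if server is self.active:
                    self.active = None  # a failed connection ends stickiness
                continue
            self.active = server
            return ok, server.name
        raise ConnectionError("no LDAP server reachable")

    def close_connection(self):
        """Closing the connection sends the next request back to the primary."""
        self.active = None
```

With the primary up, a secondary outage never changes which server answers runtime requests, which is the scenario the question asks about.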
11-09-2016 08:55 PM
Ok. Thank you.