LDAP External Identity Source - Primary/Secondary

scamarda
Cisco Employee

Would like clarification on this from the Admin Guide:

Cisco Identity Services Engine Administrator Guide, Release 2.1 - Manage Users and External Identity Sources [Cisco Ide…

Cisco ISE always uses the primary LDAP server to obtain groups and attributes for use in authorization policies from the Admin portal, so the primary LDAP server must be accessible when you configure these items. Cisco ISE uses the secondary LDAP server only for authentications and authorizations at run time, according to the failover configuration.

Can you explain the last sentence? Does this imply that the secondary server is used when the primary is up and running, or just during a failover event and the primary is no longer available? Trying to determine authentication degradation if the secondary LDAP server were to fail or there was a misconfiguration on the secondary server. If the primary was still up, would there be any interruption of authentications?

Accepted Solutions

hslai
Cisco Employee

Mainly during failover. In case the auth requests fail over to the secondary LDAP and the connections are active, I would expect ISE to continue with the secondary LDAP until the connections are closed or failed.

Ok. Thank you.