Multiple ISE servers AAA query from WLAN

dan hale
Level 3

Hi All,

 

Quick design question. I have a WLAN that currently sends our AAA requests to ISE (ISE version 2.4), and I have two ISE nodes, a primary and a secondary. Would it be good practice to add my secondary node to the second server list on the WLAN... in case the primary ISE is busy, would the secondary ISE node take the RADIUS request even if it's configured as the secondary Policy node for ISE?


Thanks,

Dan

1 Accepted Solution

Damien Miller
VIP Alumni
Yes and no. It's unlikely that an ISE node will be busy, but rather be down or not responding to RADIUS requests. In that case the WLC will try to use the second RADIUS server you define. It is common practice to use two RADIUS servers per WLAN so you have HA on your authentication side.

There is a long guide that goes through this, but the short version is yes, it will do what you want.
https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-5/config-guide/b_cg85/aaa_administration.html

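As an added example (not Dan's configuration and not taken from the linked guide), this is what the accepted answer looks like on an AireOS controller CLI: both ISE Policy Service Nodes defined as RADIUS servers and attached to the WLAN in order, with the timers that decide how quickly the WLC gives up on the first and moves to the second. The addresses, shared secret, WLAN ID and server indexes are assumed values, and the lines starting with `!` are annotations for the reader, not controller commands.

```cisco
! Define both ISE PSNs as RADIUS authentication servers (index 1 = primary)
config radius auth add 1 10.10.10.11 1812 ascii RADIUS-SECRET-PLACEHOLDER
config radius auth add 2 10.10.10.12 1812 ascii RADIUS-SECRET-PLACEHOLDER
config radius auth enable 1
config radius auth enable 2

! ISE uses CoA (RFC 3576) for reauthentication, so allow it from both nodes
config radius auth rfc3576 enable 1
config radius auth rfc3576 enable 2

! Seconds the WLC waits for a reply before retransmitting; after the
! retries are exhausted it marks the server down and tries the next index
config radius auth retransmit-timeout 1 5
config radius auth retransmit-timeout 2 5

! Aggressive failover marks a server down after a single client's retries
! fail; disabling it requires several consecutive clients to fail first
config radius aggressive-failover disable

! Probe a server the WLC has marked down so it returns to the primary
! automatically once that node answers again
config radius fallback-test mode active
config radius fallback-test username wlc-probe
config radius fallback-test interval 300

! Attach both servers to WLAN 1; the WLAN must be disabled to edit it
config wlan disable 1
config wlan radius_server auth add 1 1
config wlan radius_server auth add 1 2
config wlan radius_server acct add 1 1
config wlan radius_server acct add 1 2
config wlan enable 1

! Verify the server list and which servers the WLAN uses
show radius summary
show wlan 1
```

In active fallback mode the controller sends periodic RADIUS probes with the configured username to any server it has marked down, so expect failed authentications for that name in the ISE live log.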
2 Replies

You can also consider putting a single IP address into your WLC, which could be a VIP (Virtual IP) of a load balancer.

 

In that case you can hide the complexity/HA of the RADIUS cluster behind a load balancer.

As long as one of the ISE servers in the pool of servers is alive, the VIP will respond to the WLC's RADIUS request. You can then take ISE servers down for maintenance and not impact anything on the WLC side.

Note, however, that load balancing does require some special tricks like session persistence, to ensure that the load balancer keeps talking to the same ISE server that it initially load balanced to, for up to a fixed time. And once that time expires, the load balancer will hash/choose another ISE server (based on load, session count, etc.). But the main point here is that the load balancer MUST maintain session persistence or else you'll have a complete mess. A load balancer cannot spray requests in a round robin fashion. Yes, it can load balance a NEW session in round robin, but it must then maintain that session to that same ISE until the session expires.

 

Cisco has done a great job documenting this for F5 and ISE integration, but there is no reason why this cannot work for nginx (free) or other load balancers.