Primary/Secondary ISE deployments and Certs

Steven Williams
Level 4

I have an active/passive ISE deployment: two nodes in two separate locations and two separate domain forests.

I am making certs for the TACACS password reset and client provisioning portals. I am making CNAME DNS records for these, but only pointing them to the primary ISE server that is active. In the event of a failure I need to go into the secondary and force it to become active, but its name is not the same as what the CNAME records point to. So if I put in two CNAMEs (same CNAME value) pointing to two different ISE nodes (one active and one passive), how will clients get redirected? Will the passive node not respond?


8 Replies

Arne Bier
VIP

So if you have

CNAME

portal.mycompany.com -> A-Record  ise01.mycompany.com

                     -> A-Record  ise02.mycompany.com

Then your OS will have two IP addresses against the DNS query of portal.mycompany.com. If the OS can build a TCP connection using the first IP address (ise01), then that's what it will do. If, however, the TCP connection doesn't get an ACK, then the OS will try the second IP address (ise02).

Not sure if I fully understand your dilemma though... because, if your ISE nodes are running as PSNs (Policy Service enabled), then they are both considered active for hosting portals. There is no difference or hierarchy there. The Active/Passive only applies to the PAN (Admin) persona.
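The fallback Arne describes is decided by the client, not by DNS: the resolver hands back both A records and the client walks them until a TCP handshake completes. The following is an added example (not from this thread or from Cisco) that resolves a name into its candidate addresses, classifies each connect attempt, and falls over to the next address; `demo_local` stands in for ise01/ise02 with two constructed loopback ports, and `portal.mycompany.com` is only the thread's placeholder name.

```python
import socket
from typing import List, Tuple

Address = Tuple[str, int]

def resolve_candidates(hostname: str, port: int) -> List[Address]:
    """IPv4 (ip, port) pairs the resolver returns for hostname, in resolver order;
    a CNAME pointing at two A records yields two entries, as in the thread."""
    found: List[Address] = []
    for family, _, _, _, sockaddr in socket.getaddrinfo(hostname, port, type=socket.SOCK_STREAM):
        if family == socket.AF_INET and sockaddr[:2] not in found:
            found.append(sockaddr[:2])
    return found

def probe(addr: Address, timeout: float = 2.0) -> str:
    """One TCP connect: 'open' (handshake done), 'refused' (RST came back),
    'timeout' (no SYN/ACK at all), 'unreachable' (no route / other OS error)."""
    with socket.socket() as s:
        s.settimeout(timeout)
        try:
            s.connect(addr)
            return "open"
        except ConnectionRefusedError:
            return "refused"
        except socket.timeout:
            return "timeout"
        except OSError:
            return "unreachable"

def first_reachable(candidates: List[Address], timeout: float = 2.0):
    """Walk the list in order and stop at the first completed handshake, which is
    the client-side fallback described above. Returns (chosen, per-address outcomes)."""
    outcomes: List[Tuple[Address, str]] = []
    for addr in candidates:
        outcomes.append((addr, probe(addr, timeout)))
        if outcomes[-1][1] == "open":
            return addr, outcomes
    return None, outcomes

def demo_local(timeout: float = 1.0) -> Tuple[bool, List[str]]:
    """Constructed stand-in for ise01/ise02 on loopback: a port that was bound then
    released (ise01 down, connect gets RST) before a listening port (ise02)."""
    listener, tmp = socket.socket(), socket.socket()
    listener.bind(("127.0.0.1", 0)); listener.listen(1)
    tmp.bind(("127.0.0.1", 0)); closed_port = tmp.getsockname()[1]; tmp.close()
    down, up = ("127.0.0.1", closed_port), ("127.0.0.1", listener.getsockname()[1])
    chosen, outcomes = first_reachable([down, up], timeout)
    listener.close()
    return chosen == up, [status for _, status in outcomes]
```

Run `first_reachable(resolve_candidates("portal.mycompany.com", 8443))` against a real name to see which node a client would actually land on; note that a handshake that completes and is then reset is still classified as a failure here, which is stricter than the NAD behaviour described later in the thread.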

Both nodes are not serving portals. I only have two ISE nodes, so active/passive. But if they are both in different domains, once I activate the standby in a failed scenario it will be a different DNS name and IP.

From an administration and monitoring persona perspective there exists the concept of active/passive. But what Arne was getting at is that if you have policy services enabled on both nodes, then both are active for authentication. Even if admin and MNT are enabled on the same node as policy service, those roles will have primary/secondary, but PSN has no concept of that.

You can join ISE to up to 50 domains simultaneously? Have you considered joining them to both?

I guess I am lost because if I take my primary node offline and DO NOT force the secondary to become primary, all my TACACS sessions and RADIUS sessions fail. So that tells me it's not accepting these requests.

Hi @Steven Williams

Something doesn't add up here. If these two nodes are in a deployment and both of them have Policy Services and Device Admin enabled, then there is no difference between these two nodes. Maybe the sync is broken? I would get a TAC case to have a look at this.

The NAS is always responsible for AAA failover (TACACS and RADIUS). And that means that both ISE nodes should have identical programming to respond to NAS requests.

(Two screenshots attached, dated 2019-06-11.)

Hey @Steven Williams

Looks kosher to me. When you say "take my primary offline", how exactly do you do that? I wonder whether the NAS still thinks ISE is alive because it's replying to RADIUS/TACACS traffic for some reason (or maybe it uses another type of keepalive). But even then, if you literally power it off and the NAS still doesn't use the Secondary (without you promoting the Secondary), then I think there is a problem with your ISE server. You don't need to promote an ISE node in order for its Policy/TACACS services to run. Promotion is just about the PAN and MnT roles.

Historically this is a real pain in the butt for me. If the node or load balancer performs a TCP handshake then the NAD believes the TACACS server is online. Even if the TCP handshake ends in a RST flag, the NAD never fails over to the configured secondary IP.

RADIUS does things differently though, so I'm on board with Arne here: something is fishy if you can't authenticate against the secondary at any time, both nodes up or not.