07-24-2018 09:15 AM
Hello,
I have a customer who experienced an issue where the PSNs stopped responding, causing VPN users' authentication to fail. The root cause is still to be determined by TAC. In the meantime, I got a question from the customer to find out if there is a way to monitor that the PSNs are authenticating, in order to minimize the downtime.
The customer is working with their F5 to achieve that, but they also want to know if there is a way we can do that.
Regards,
07-24-2018 11:44 AM
Hi
What do you mean by "PSN stopped responding"?
Did the RADIUS server stop working, or was it not authenticating?
Did "show application status ise" show any services which were not started?
Even with F5, how will you achieve this? F5 will monitor the port, not the service which is running in ISE. Even if the service is not working, the RADIUS ports or TACACS port will keep opening.
If you can, please explain which service you are implying.
Did you just restart using the CLI, or do a hard reboot for the same?
07-24-2018 11:50 AM
Since you mentioned that the customer is using F5's to load balance traffic, you can leverage them to avoid this issue in the future.
Have the load balancer team set up a RADIUS health check and use an AD/LDAP account. If you use a local account, it will only check if the PSN is able to authenticate via the local identity store. Using an AD/LDAP account ensures that the endpoint authentication path through to the directory service is operational.
If a PSN fails in an unusual way, such as losing its connection to AD, you can have the F5 pull the PSN out of the VIP group.
I'm not aware of a method of doing this on ISE itself but maybe someone else is. There is an alarm for "authentication inactivity detected" but that's if the whole deployment stops and not just a single node.
07-24-2018 02:50 PM
Like Damien said, if they are using F5, health monitors are the way to go, as they can remove the node from the VIP, and alerting/monitoring can be set up to alert you when a server is removed from the pool.
There are also other tools out there that can monitor and test RADIUS authentications. One tool I have seen used to monitor this without the use of F5 is the SolarWinds User Experience Monitor for RADIUS. It uses the SolarWinds SAM module to send authentication requests to the PSNs and record the responses along with all the response times.
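What both of the replies above describe (the F5 RADIUS health monitor and an external tool such as the SolarWinds RADIUS monitor) is the same check: send a real PAP Access-Request for a probe account to each PSN, and treat anything other than an Access-Accept as the node being unhealthy. The script below is an added example of that probe, not code from this thread, from Cisco or from F5; it builds the Access-Request per RFC 2865, encrypts the User-Password attribute with the shared secret, and validates the Response Authenticator on the reply so that a spoofed or mis-keyed Access-Accept cannot mask an outage. The host, port, probe account and shared secret are assumptions you would replace with your own; per Damien's point, the probe account should be an AD/LDAP user rather than an ISE-local one so the check exercises the directory path. `make_response` is a small constructed stand-in for the server side so the logic can be tested offline.

```python
import hashlib
import hmac
import os
import secrets
import socket
import struct

# RADIUS codes and the attribute types the probe uses (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32


def _attr(attr_type, value):
    # AVP layout: Type(1) Length(1, includes the 2-byte header) Value(1..253)
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value length out of range")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encrypt_password(password, secret, authenticator):
    # RFC 2865 5.2: pad to a 16-byte multiple, then XOR each block with
    # MD5(secret + previous ciphertext block), seeded with the Request Authenticator
    padded = password + b"\x00" * (-len(password) % 16)
    if len(padded) > 128:
        raise ValueError("password longer than 128 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = bytes(a ^ b for a, b in zip(padded[i:i + 16], block))
        out, prev = out + chunk, chunk
    return out


def decrypt_password(ciphertext, secret, authenticator):
    # Inverse of encrypt_password (what the server does before checking AD)
    out, prev = b"", authenticator
    for i in range(0, len(ciphertext), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = ciphertext[i:i + 16]
        out, prev = out + bytes(a ^ b for a, b in zip(chunk, block)), chunk
    return out.rstrip(b"\x00")


def build_access_request(identifier, username, password, secret, nas_id=b"radius-probe"):
    # Returns (packet, request_authenticator); the authenticator is random per request
    authenticator = secrets.token_bytes(16)
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, encrypt_password(password, secret, authenticator))
             + _attr(ATTR_NAS_IDENTIFIER, nas_id))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def check_response(response, identifier, request_authenticator, secret):
    # Classify the reply: 'accept', 'reject', 'other' (e.g. Access-Challenge),
    # 'malformed', or 'invalid' when the Response Authenticator does not verify.
    if len(response) < 20:
        return "malformed"
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != identifier or length != len(response):
        return "malformed"
    # Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return "invalid"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "other")


def probe(host, username, password, secret, port=1812, timeout=3.0):
    # Live check against one PSN; 'timeout' is the "stopped responding" case.
    # Anything except 'accept' should mark the node down in your monitoring.
    ident = os.urandom(1)[0]
    packet, authenticator = build_access_request(ident, username, password, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, port))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    return check_response(data, ident, authenticator, secret)


def make_response(code, request_packet, secret, attrs=b""):
    # Constructed server-side helper: how a PSN signs its reply to the request above
    header = struct.pack("!BBH", code, request_packet[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_packet[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


if __name__ == "__main__":
    # Hypothetical PSN address, probe account and secret: replace with your own
    print(probe("192.0.2.10", b"svc-radius-probe", b"ChangeMe", b"sharedsecret"))
```

Run it on a schedule per PSN (not only through the VIP, or a healthy node will hide a sick one) and alert on anything other than `accept`; a `reject` for a known-good AD account is exactly the "PSN is up but cannot authenticate" condition the F5 port check would miss.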
07-24-2018 03:21 PM