Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1218
Views
0
Helpful
5
Replies

PSNs with 2 interfaces for guest authentication

Go to solution
umahar
Cisco Employee
Cisco Employee

‎07-31-2018 12:47 PM - edited ‎02-21-2020 11:01 AM

We have an ISE Guest cluster with PSNs having 2 interfaces.

One interface receives the radius request and the other interface receives the web redirected traffic.

 

WLC----internal-network-----PSN---------------router

 

During failover testing we shut down the router interface.

WLC was still sending radius request to the internal-network interface of PSN because it was still alive. Endpoints when getting redirected to the other interface of the PSN are getting dropped.

Is there a way for PSN to start dropping radius request on one interface if the second interface goes down ?

 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni
In response to umahar

‎08-01-2018 03:02 PM

Unfortunately there's no tracking feature to do so and that's why I always implement ISE with multiple interfaces but use anycast design. As you can't shutdown the interface because tracking isn't there and you don't have access to linux shell, radius packets still go through the default ISE interface and it will redirect endpoints to a anycast IP which means:

 - if interface 2 is down on ISE node 1, the routing will redirect the user to the same IP located on ISE node 2.

 

Do you follow me here?

 

Otherwise, for customers who have Load-balancers, they can achieve the same thing by returning LB VIP and LB will be in charge to redirect traffic to ISE node 1 or 2.

 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni

‎07-31-2018 07:49 PM

Hi Umahar

I'm sorry but what's your question?
I thing you're missing a part of your post.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

Go to solution
umahar
Cisco Employee
Cisco Employee
In response to Francesco Molino

‎08-01-2018 06:54 AM

oh ya, I thought my post was autosaved. Still getting used to the new interface :)
0 Helpful

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni
In response to umahar

‎08-01-2018 03:02 PM

Unfortunately there's no tracking feature to do so and that's why I always implement ISE with multiple interfaces but use anycast design. As you can't shutdown the interface because tracking isn't there and you don't have access to linux shell, radius packets still go through the default ISE interface and it will redirect endpoints to a anycast IP which means:

 - if interface 2 is down on ISE node 1, the routing will redirect the user to the same IP located on ISE node 2.

 

Do you follow me here?

 

Otherwise, for customers who have Load-balancers, they can achieve the same thing by returning LB VIP and LB will be in charge to redirect traffic to ISE node 1 or 2.

 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee

‎08-05-2018 08:23 PM

See also PSNs with 2 interfaces for guest authen... (by umahar on 08-01-2018 11:41 AM)

0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee

‎08-05-2018 08:23 PM

See also PSNs with 2 interfaces for guest authen... (by umahar on 08-01-2018 11:41 AM)

0 Helpful
Customers Also Viewed These Support Documents