Buy or Renew
Buy or Renew
We are currently experiencing Knowledge Base board outages and are working to resolve. Thank you for your patience.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
121
Views
3
Helpful
2
Replies

Radius server fall back for 802.1X SSID

Mateen Ahmad
Level 1
Level 1

‎10-13-2025 02:52 AM

Hi,

 

I have only 2 ISE nodes configured as PAN and PSN's, and both are running only Wired and wireless Dot1x with PEAP-MSCHAPv2.

I have C9800 controller and AP's in Flex mode, also Meraki MR Access points both are integrated with ISE for user authentications.

My question is how can i ensure services to continue incase my both ISE servers are down.

Both Platforms are enabled with Do1x on SSID's.

 

Thanks

0 Helpful
2 Replies 2

balaji.bandi
Hall of Fame
Hall of Fame

‎10-13-2025 05:18 AM

You need to configure your ISE deployment for high availability.

https://www.cisco.com/c/en/us/td/docs/security/ise/3-2/install_guide/b_ise_installationGuide32/b_ise_InstallationGuide32_chapter_1.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Arne Bier
VIP
VIP
In response to balaji.bandi

‎10-13-2025 02:22 PM

I agree with @balaji.bandi  - you need to ensure that at least one ISE is always alive, and that the wireless NAD devices (Meraki, C9800 etc.) have both ISE IPs configured. If you have total ISE failure, then wireless 802.1X will fail - I am not aware of a "fail open" mechanism for wireless 802.1X. 

On the wired side, you can implement clever critical auth mechanisms on Cisco Catalysts switches using IBNS 1.0 and IBNS 2.0

Customers Also Viewed These Support Documents