Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
942
Views
0
Helpful
6
Replies

Use 2 interfaces on ISE appliance for Radius redundancy?

Leroy Plock
Level 1
Level 1

‎06-09-2015 08:03 AM - edited ‎03-10-2019 10:47 PM

Hey.

We normally provide network redundancy for critical devices by patching 2 of the device's interfaces to either side of a VSS pair (or 7K pair) and forming an etherchannel of the 2 links.

Since our ISE SNS-3415 appliances don't support etherchannel, I wondered if I could do this:

Patch 2 interfaces from the appliance, one to each side of the VSS.
Assign separate IP addresses to the interfaces. Preferably both IPs would be in the same subnet.
Configure NADs with the 2 IPs, as though it was 2 separate ISE nodes.

If one link went down, the other link would still be up and respond on the other IP. The NAD would declare the primary IP dead and start sending Radius requests on the second IP.

Can this be done?

Thanks.

Labels:
0 Helpful
6 Replies 6

jj27
Spotlight
Spotlight

‎06-09-2015 09:16 PM

I believe only gig0 on the appliance can be used for system RADIUS access.  The other NICS can be used for Profiling such as DHCP, NetFlow, etc.

Typically you would have redundant PSNs so that if one goes offline the other will take over authentication/authorization requests. You would point your NADs to the PSNs.

0 Helpful

Leroy Plock
Level 1
Level 1
In response to jj27

‎06-10-2015 10:39 AM

Yep, we have multiple PSNs in different locations. Just always looking for more redundancy.

I wasn't able to verify your answer, but you're probably right. I did read in the manual that each interface must be configured on a separate subnet.

0 Helpful

ajc
Level 7
Level 7
In response to Leroy Plock

‎06-11-2015 02:31 PM

Following this post. I am planning to do the same thing on our 3395 and 3945 ISE's. I have not checked again the documentation but looks like this is not feasible since port-channel is not supported.

0 Helpful

Venkatesh Attuluri
Cisco Employee
Cisco Employee

‎06-12-2015 04:29 AM

Cisco ISE management is restricted to Gigabit Ethernet 0. And all ports can be used for radius.If its distributed deployment then you can have PSN node groups or have all PSN listed as radius server on NAD

0 Helpful

Leroy Plock
Level 1
Level 1
In response to Venkatesh Attuluri

‎06-12-2015 06:17 AM

Thanks, good to hear an authoritative answer from Cisco. The separate subnet for each interface limitation would make this a little more difficult to implement, but not so bad.

 

My understanding that is that even if the PSNs are in a node group, they must be listed individually on the NAD. If you want to reference them by a single IP you would have to use a load balancer. Did I get this wrong?

 

0 Helpful

jason chu
Level 1
Level 1

‎06-15-2015 01:48 AM

Hi Leroy Plock,

Can you configure two IPs on a SNS3415? if yes, can NAD take request to the both IPs?

 

0 Helpful
Customers Also Viewed These Support Documents