ISE MAR cache 2-node deployment

lsigalov
Level 1

I understand the Pros and Cons described in this document:

http://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/116516-problemsolution-technology-00.html

And I'm OK with getting people to reboot their machine while connected wirelessly to trigger host authentications on Windows machines.

My issue is related to the 2-node ISE deployment (I'm running 1.2):

It appears that MAR cache is not synchronized between the ISE nodes (Primary and Secondary).

For example, a user reboots his machine, host authentication is answered by the Primary ISE, and user authentication subsequently succeeds.

Subsequent user authentication requests, if they are answered by the Secondary ISE, will fail, because the Secondary ISE node does not have a corresponding host record in its MAR cache - only the Primary ISE does.

Can someone confirm if this behavior is expected? If I can't get the Secondary ISE node to mirror MAR host entries, I'm going to have a LOT of failures, and a lot of user problems. Is there even a workaround for this?


jan.nielsen
Level 7

Yes, it is called EAP-Chaining, and all the shortcomings of MAR are resolved by this.
