Problems with re-authentication of users and High Availability

I have a network with a centralized ISE server and several distributed WLCs, these controllers assigned IP, but they consult the user and password to the database server ISE 1.4, redirecting the users to the sponsor portal. I have some problems with this:

1. The network requests authentication every day when people connect, and passwords are configured to remain 30 days. Why is this happening, and how can I fix it?

2. I have the ISE Cluster Server as Active/Passive, but the problem is that when the active server fails, the passive goes up but continues redirecting to the IP of the portal on the first server and misleads users.

How can I fix this to get high availability?

nspasov
Cisco Employee
Hi Jean-

For #1:

- What do you have configured in your WLC for:

1. Controller > User Idle Timeout (Seconds)

2. WLANs > Name of the SSID > Advanced > Enable Session Timeout

- What attributes are you returning in the Authorization Profile for those users?

For #2:

- What happens if you: Disable Client's wireless adapter > remove the client session from the WLC, re-enable the client's adapter and reconnect again?

- Do you have the ISE PSNs configured in a Node Group?

- Under the WLC, what do you have configured for Security > RADIUS > Fallback?

- Under the SSID, what do you have configured for Security > AAA Servers (attach screenshot)?

- How is your DNS configured for resolving the PSNs to the Guest portal?

I know there are a lot of questions but we need more details before we can help :)

Thank you for rating helpful posts!

Thank you Neno, for your ASAP answer,

The ISE 1.4 server was migrated from version 1.2, where the SSID did not ask for credentials daily, only weekly or when you stopped connecting to the network for more than three days, and the controllers had the same configuration, so I think that the parameters on the controllers are not.

I therefore believe that the parameter must be configured in the ISE, and I have not found these parameters. In the previous version it was in a Client timeout parameter; in this one I do not see it.

For part two, I think the problem is the DNS resolution, and that this network is not internal but it is not public. I will review it and respond afterwards.

Thanks