06-18-2024 10:42 AM
Hello,
New with C9800-40 WLCS RMI + RP redundancy...I've set up my first pair and everything is fine. I ended up using the "redun-management hostname" command as WLCS A and WLCS B are in different buildings, and if there's a failover, I didn't want someone running to the wrong building. I also have our NMS PINGing both (via RMI IP address) to ensure the backup is available/reachable when needed. Currently, I'm using local auth on both. Everything is working, APs registered, clients using APs...life is grand.
I need to turn up TACACS user auth and authenticate against ISE. I understand that ISE auth is not supported on the backup (or SNMP). I want to be able to keep my NMS PINGing the backup for health awareness, so I want separate hostnames.
I'm thinking just to build two "Network Devices" in ISE with the IP addresses of the WLCs' SPs, and in my WLC config to source TACACS from the SP. When I build my TACACS config on the primary, it will write the same to the backup. When a failure causes the flip to the "backup" WLC B, it will authenticate to the other ISE Network Device (B), which will receive TACACS requests from WLC B's SP interface, which will have the correct IP address. This way I keep my NMS polling both WLCs, I can use TACACS to authenticate the active, and my TACACS config on the backup will default to local on TACACS timeout (in case I want to console into him).
Would that work? Am I overthinking this? (Or under-thinking this)?
Thank you!!
Mike
06-18-2024 11:24 PM
- Note that TACACS is not supported on the standby controller.
M.
06-19-2024 03:00 PM
You can have two different OOB IP addresses assigned to the service ports of the two WLCs. You can use TACACS to source traffic using that interface IP.
https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/technical-reference/c9800-best-practices.html#useoftheserviceport
HTH
Rasika
*** Pls rate all useful responses ***
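As an added example of the design Mike describes and the service-port sourcing Rasika suggests (constructed for this thread, not taken from it or from Cisco's documentation): TACACS+ sourced from the service port, local fallback only when ISE does not respond, and the console pinned to local auth so a bad AAA change is always recoverable. The ISE address, shared secret and group names are placeholders, and the service port is assumed to sit in the Mgmt-intf VRF as it does on the 9800.

```cisco
! Constructed example, not from the thread: TACACS+ sourced from the
! service port, with local fallback only when ISE is unreachable.
aaa new-model
!
! Service port (GigabitEthernet0 on the 9800) stays on DHCP, with a fixed
! reservation on the DHCP server, so this config is identical on both WLCs
! while each box still presents its own SP address to ISE.
interface GigabitEthernet0
 ip address dhcp
!
! One ISE node; placeholder address and key
tacacs server ISE-TACACS
 address ipv4 192.0.2.10
 key 0 REPLACE-WITH-SHARED-SECRET
 timeout 5
!
! Assumption: the service port lives in the Mgmt-intf VRF (9800 default)
aaa group server tacacs+ ISE-GROUP
 server name ISE-TACACS
 ip vrf forwarding Mgmt-intf
 ip tacacs source-interface GigabitEthernet0
!
! "local" is consulted only if every server in ISE-GROUP fails to respond
! (timeout); an explicit reject from ISE does NOT fall back to local.
aaa authentication login default group ISE-GROUP local
aaa authorization exec default group ISE-GROUP local if-authenticated
!
! Console uses a local-only method list regardless of TACACS state
aaa authentication login CONSOLE local
line console 0
 login authentication CONSOLE
```

Because each WLC sources TACACS from its own service-port address, ISE needs one Network Device entry per SP address (A and B), which is what the first post proposes.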
06-20-2024 05:38 AM
> You can have two different OOB ip address assign to service ports of two WLC
How exactly would you do that @Rasika Nayanajith ?
06-20-2024 10:16 AM
Hi Rich,
I would leave the service port on DHCP and reserve a fixed IP address on the DHCP server for the MAC address of the service port. In that way the configuration on the 9800 won't change (simply 'ip address dhcp' under the service port).
HTH
Rasika
06-21-2024 07:30 AM
I did see where "TACACS is not supported on standby controller", but I'm trying to understand to what point:
a) Remote access using TACACS authentication is not supported
b) You can have AAA defined using TACACS as primary auth, but it will allow you to console in using secondary local auth
c) TACACS configured on the primary won't be written to the backup, and therefore, if there's a switchover I'm going to be locked out
...or what? I'm hoping b).
I'm wondering if my best approach is:
A) take off RMI + RP redundancy
B) Put TACACS on my to-be primary (I can reload in 30 minutes) in case I get locked out from my TACACS config and need to reconfig something; or the reload doesn't fail over to my backup, where I might get locked out from a bad config
C) Source TACACS from SP as suggested...
D) Put back on RMI + RP redundancy.
Does that seem like a reasonable approach? One last question, at what point does the config on the primary get written to the backup?
Thanks for the continued help!
Mike
06-21-2024 09:18 AM
>...I did see where "TACACS is not supported on standby controller",
Ref : https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-9/config-guide/b_wl_17_9_cg/m_vewlc_high_availability.html
Look up all instances of TACACS with find in your browser (for extra insights)
M.