cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
576
Views
2
Helpful
6
Replies

C9800-40 WLCS RMI + RP Redundancy - ISE TACACS User Authentication

Michael Mertens
Level 1
Level 1

Hello, 

New with C9800-40 WLCS RMI + RP redundancy...I've set up my first pair and everything is fine. I ended up using the "redun-management hostname" command as WLCS A and WLCS B are in different buildings, and if there's a failover, I didn't want someone running to the wrong building. I also have our NMS PINGing both (via RMI IP address) to ensure the backup is available/reachable when needed. Currently, I'm using local auth on both. Everything is working, APs registered, clients using APs...life is grand.

I need to turn-up TACACS user auth and authenticate against ISE. I understand that ISE auth is not supported on the backup (or SNMP). I want to be able to keep my NMS PINGing the backup for health awareness, so I want separate hostnames. 

I'm thinking just to build two "Network Devices" in ISE with IP addresses of the WLCS SP, and in my WLCS config to source TACACS from the SP. When I build my TACACS config on the primary, it will write the same to the backup, and when a failure causes the flip to the "backup" WLCS B, it will authenticate to the other ISE Network Device (B) which will receive TACACS requests from WLCS B's SP interface, which will have the correct IP address...This way I keep my NMS polling both WLCS, and I can use TACACS to authenticate the active and my TACACS config on the backup will default to local on TACACS timeout (in case I want to console into him).

Would that work? Am I overthinking this? (Or under-thinking this)?

Thank you!!

Mike

 

6 Replies 6

marce1000
VIP
VIP

 

           - Note that TACACS is not supported on the standby controller.

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

You can have two different OOB ip address assign to service ports of two WLC. You an use TACACS to source traffic use that interface IP
https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/technical-reference/c9800-best-practices.html#useoftheserviceport 

HTH
Rasika
*** Pls rate all useful responses ***

You can have two different OOB ip address assign to service ports of two WLC
How exactly would you do that @Rasika Nayanajith ?

Hi RIch,

I would leave service port to DHCP and reserved a fixed IP address on DHCP server for the mac address of the service port. In that way configuration on 9800 won't change (simply 'ip address dhcp' under service port)

HTH
Rasika

Michael Mertens
Level 1
Level 1

I did see where "TACACS is not supported on standby controller", but I'm trying to understand to what point:
a) Remote access using TACACS authentication is not supported b) you can have AAA defined using TACACS as primary auth, but will allow you to console in using secondary local auth c) TACACS configured on the primary won't be written to the backup, and therefore, if there's a switchover I'm going to be locked out...or what...I'm hoping b)

I'm wondering if my best approach is:
A) take off RMI + RP redundancy

B) Put on TACACS on my to-be primary (I can reload in 30 minutes) in case I get locked out from my TACACS config and need to reconfig something; or the reload doesn't failover to my backup where I might get locked out from a bad config

C) Source TACACS from SP as suggested...

D) Put back on RMI + RP redundancy.

Does that seem like a reasonable approach? One last question, at what point does the config on the primary get written to the backup?

Thanks for the continued help!

Mike




        >...I did see where "TACACS is not supported on standby controller",
   Ref : https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-9/config-guide/b_wl_17_9_cg/m_vewlc_high_availability.html
    Look up all instances of TACACS with find in your browser (for extra insights)

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '
Review Cisco Networking for a $25 gift card