ISE 1.3 PSN redundancy

Hello

In my environment I have a lot of remote sites, each with a PSN. Is it possible to create redundancy with a node group of PSNs, with primary and secondary nodes plus the remote PSNs? My problem... the nodes are in different subnets.

There are several options for PSN redundancy.

You can use a load balancer (with or without a node group), or just multiple PSNs with different NADs pointing to one or the other as the first in their list, with the less preferred ones listed as secondary, tertiary, etc.

From ISE 1.3, node group members no longer have to be in the same subnet (or reachable within TTL = 2), but it is still recommended that they are on the same high-speed network for replication.

So for your scenario, this last method is probably the one to use. Take a look at the Cisco Live BRKSEC-3699 presentation, and search for "NAD-based RADIUS Server redundancy" for more details.

Tags: Cisco Security

Similar Questions

  • ISE - unable to register a node

    Hi all

    We are trying to integrate a new ISE node as a PSN into our current deployment. When we try to register it, we get the error messages below. Has someone faced the same issue? We also need clarity on these error messages.

    When we try to register with the IP address we get the error message below:

    Cannot authenticate ISE secondary_ise_name. Please check the server and the configuration of the CA certificate and try again.

    When we try to register with the fully qualified domain name (FQDN) we get the error message below:

    FQDN "XYZ.local.com" is not a resolvable domain name. Please check your DNS configuration.

    We need clarity on whether it is a DNS issue or a certificate issue.

    Kind regards

    Avinash

    Hello

    Please ensure that your FQDN can be resolved by your ISE.

    For this you must add the entry for your server to your DNS.

  • How does ISE choose which IP to put in the URL redirection response?

    Hello

    Does anyone know how ISE chooses which IP to put in the URL redirection response if it has more than one interface with an IP address and all interfaces are enabled in the portal configuration?

    I have a single ISE 1.3 PSN with all four interfaces configured and enabled, each in a unique VLAN and each with a unique IP address.

    In the configuration of the CWA portal, all four interfaces are enabled.

    Wired clients connect to the NAD, the NAD sends a RADIUS request to ISE, and ISE responds with a RADIUS response including the redirect-URL parameter, which specifies the web redirect URL. The ISE configuration uses 'IP' in the URL.

    My question is: how does ISE choose which of its four interfaces to put in this URL? Is it always the same interface the RADIUS packets were received on? Or does it always choose the first portal-enabled interface? Or is there another logic? Configurable or not?

    Thank you!

    ISE uses the first interface enabled for this portal, so if you want to use a specific interface, enable only that interface. If the interface is GE0, the default behavior is to redirect to the FQDN value of the node name. If the interface is other than GE0, then the default behavior is to return the IP address of the associated interface.

    Aliases can be configured for each interface using the "ip host" CLI command to associate an FQDN/host name with the IP address of a given interface. Once configured, ISE will return that value in the redirection instead of the IP address. This is critical if you want to avoid certificate trust warnings on the connecting clients.

    Don't forget that the certificate assigned to the interface must include the correct FQDN, or possibly a wildcard value, in the CN or SAN fields to avoid certificate warnings.

  • Cisco ISE version 1.2.1.198 distributed deployment problem

    Dear all, I have 3 ISE nodes (Admin, PSN & MNT) running version 1.2.1.198 with no patch. My MNT node is not in sync with the admin node. I need to apply a certificate, but I get an error. I can't deregister it either. I tried to push patch 3, installing it on the Admin node, but it does not push to the MNT or PSN node. I enclose the screenshots for your reference. Please let me know if you need any input from my side.

    First, you must configure another ISE node to run the 'Monitoring' persona before you can deregister this node. An ISE deployment requires at least 1 Administration and 1 Monitoring persona. For example, you can go to your admin node, turn on the monitoring persona and then try to deregister this node again.

    I hope this helps!

    Thank you for rating helpful posts!

  • ISE v1.2 patch 5 PSN down, endpoint identity deleted

    Please refer to the diagram. I'll make it simple and clear.

    ISE version 1.2 patch 5

    3x POL (2x virtual appliances)

    1 LUN

    1 Admin

    Since January the 8th we have had problems with ISE. The problem encountered was endpoint profiling: devices were profiled as e.g. a Cisco 1140 AP, but the device is actually a Motorola handheld running Windows CE. Also the MAC address of the Motorola gets deleted from the endpoint identities every 4 to 6 hours, and we need to enter the MAC address manually for the authentication to start working.

    We opened a case with Cisco TAC, and TAC advised that there is a bug in the software and we must upgrade to patch 17 or upgrade to 1.4, as ISE 1.4 is more stable than version 2.

    A few days later one of the nodes, POL3 (PSN in Cisco's language), went down, and one of our clients' WiFi SSIDs lost connection; they were unable to authenticate (the WLC security for that SSID points to POL3, with an ISE group created for ad hoc network devices with MAC filtering). To solve the problem we changed the WLC AAA security to POL1 (PSN) to make it work, given that it works.

    Later the next day another node, POL2, flapped (up/down) and other clients of the DATA SSID started reporting connection drops. We again changed the WLC AAA authentication IP to point to POL1, since it works very well.

    Now only 1 of the 3 POLs works and the end clients of all three SSIDs are authenticated by the IP address of this POL.

    We reached out to Cisco; they looked into this and said the POL nodes are not in sync, so ISE needs a reboot to fix this. Our management decided that if this requires a reboot to fix, why don't we upgrade to ISE version 1.4. Cisco TAC mentioned the upgrade can take up to 3 to 4 hours, or maybe more depending on the server. Now we want to upgrade, but our network structure is complex and we do not want to lose ISE for 3 to 4 hours. We are a hospital and all the devices, doctors' and patient computers, handheld devices and records are authenticated through ISE. We use ISE mainly for the wireless.

    That's the background story. Now I have a question: can we reload the POL nodes one by one to resolve this problem? I also noticed there is another workaround: we have another ISE node from another hospital of the trust in our data center. It is a virtual appliance (ise-psn.web.com). In our controller (WLC), the SSID of one of our main hospitals has two AAA authentication servers configured: POL1 first and next the IP address of ise-psn.web.com. If we reload our ISE and WLC, with the IP address of ise-psn.web.com configured, will this keep the SSID clients connected?

    Please let us know; we are in a desperate situation where we need advice to minimise the downtime of our patient-critical applications that are connected wirelessly.

    Hi there and sorry you are in such a crappy situation. It's no fun!

    To answer your questions:

    #1. I would certainly recommend upgrading to a later version of ISE, or at least getting your current version onto the latest patch!

    #2. Yes, you can reload the PSNs one at a time with zero interruption of service. Your WLC detects that your first PSN is down and then moves to the second one that is configured under the SSID > AAA servers. It is very important that your PSNs are in a node group. This way, if PSN-1 goes down, the sessions that were in the middle of the AAA process will get absorbed by another node in the node group. If the PSNs are not in a node group, clients trying to authenticate to the network at the time of the reload will have to start again.

    #3. Once clients are authenticated and authorized, their traffic no longer goes through the PSN. So reloading the PSN will not affect clients that are already on the network. However, if a client needs to re-auth (due to inactivity, roaming or a re-auth timer) then a working PSN is necessary, otherwise the AAA session will fail.

    #4. Certainly, you can set up a third PSN under your SSID and use your PSN which is in the other hospital. As long as this node is in the same ISE deployment and is synchronized with the PAN, you should be good to go. You can quickly test it by creating a temporary SSID > setting that PSN as its main RADIUS server > testing it with a test computer.

    I hope this helps!

    Thank you for rating helpful posts!

  • ISE redundant NIC (SNS-3415-K9)

    Hi all.

    Can we connect an SNS-3415-K9 (ISE) to VSS switches? We have an ISE server (SNS-3415-K9); can one interface (g1) be connected to switch1 and another interface (g2) to switch2 for redundancy and load balancing...

    Not in a link aggregation group (LAG) or multichassis EtherChannel as your question implies.

    You can use the other Gigabit Ethernet ports beyond Gi0, but they each have a separate IP address. There are different ways you can use these, and restrictions as well (e.g. the Admin PAN is restricted to Gi0).

    The details are laid out in a table here:

    http://www.Cisco.com/c/en/us/TD/docs/security/ISE/2-0/installation_guide...

    There are a few Cisco Live presentations you can look at for some design scenarios. I highly recommend Craig Hyps' BRKSEC-3699, ISE for scale and high availability design:

    https://www.ciscolive.com/online/connect/sessionDetail.WW?SESSION_ID=837...

  • ISE PSN failback

    Hello

    I have 2 ISE 1.2.1.189 nodes.

    I configured ISE1 (192.168.1.1) as primary PAN, MNT and PSN and it works very well,

    and ISE2 (192.168.2.1) as secondary PAN, MNT and PSN.

    Under normal circumstances, users are authenticated on ISE1.

    My goal:

    If ISE1 is not available, the user must authenticate on ISE2.

    Then, as soon as ISE1 is available again, the user needs to be authenticated on ISE1 again.

    I have it configured, but it does not work (see my configuration below):

    radius-server dead-criteria time 5 tries 3

    radius-server host 192.168.1.1 auth-port 1812 acct-port 1813 key Password123

    radius-server host 192.168.2.1 auth-port 1812 acct-port 1813 key Password123

    When ISE1 is available again, the user stays authenticated on ISE2.

    How do I configure the switch to achieve my goal?

    Help, please

    Thanks in advance

    Authenticated sessions will not be affected by live/dead RADIUS servers. If ISE1 was dead and the user was authenticated through ISE2, when ISE1 is alive again it still won't take ownership of the authenticated sessions, but the next time a device/user authenticates, it will use ISE1 as long as it is the first RADIUS server in the list.
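A switch-side configuration that implements the preferred-server behaviour the reply above describes (and the NAD-ordered PSN redundancy from the main answer), added here as an example and not taken from any post on this page; it assumes Cisco IOS 15.x named RADIUS-server syntax, reuses the poster's two addresses, and uses a placeholder shared key and probe username.

```ios
! Added example, not from the thread. Assumes IOS 15.x; key and probe user are placeholders.
!
! The switch tries servers in the order listed in the server group: ISE1 first, ISE2 second.
! A server that fails dead-criteria is skipped for "deadtime" minutes, then new
! authentications return to ISE1. Existing sessions are never moved (as the reply says).
aaa new-model
!
radius server ISE1
 address ipv4 192.168.1.1 auth-port 1812 acct-port 1813
 key Password123
 ! proactive probe: the switch notices a dead (or revived) server without waiting for user traffic;
 ! the probe user does not need valid credentials, any RADIUS reply (even Access-Reject) counts as alive
 automate-tester username radius-probe probe-on
!
radius server ISE2
 address ipv4 192.168.2.1 auth-port 1812 acct-port 1813
 key Password123
 automate-tester username radius-probe probe-on
!
! declare a server dead after 3 consecutive unanswered tries within 5 seconds
radius-server dead-criteria time 5 tries 3
! keep a dead server out of rotation for 10 minutes, then retry it
radius-server deadtime 10
!
! ordered server group: first entry is preferred, second is the fallback
aaa group server radius ISE-GROUP
 server name ISE1
 server name ISE2
!
aaa authentication dot1x default group ISE-GROUP
aaa authorization network default group ISE-GROUP
aaa accounting dot1x default start-stop group ISE-GROUP
!
! A remote site that should prefer its local PSN lists that node first in its own
! group and the central PSNs after it; that is the NAD-based redundancy option.
```

Without dead-criteria and deadtime the switch only discovers a dead server by timing out on real user authentications, so each new session pays the full timeout before falling over to ISE2.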

  • Right way to restart an ISE PSN node in a distributed deployment

    Hi all

    Two of my ISE nodes (in a 1.2, 8-node deployment) have expired admin CLI passwords (I know, I'm stupid!).

    One is the secondary MnT node and one is a PSN node (1 of 4).

    I have some information on what I need to do to get a new password, but do I have to unregister the nodes first, or can I just restart them?

    Will my other three PSN nodes automatically re-authenticate users on the PSN node restart, or should I request downtime?

    Thanks for any help in advance

    Mark

    Right, it shouldn't be a problem. You certainly wouldn't want to remove it - you'd only do that if you need to reimage or something like that.

    Just as a tip, if you only have wireless use cases, you could always disable that particular PSN globally as a RADIUS authentication and RADIUS accounting server (not under the WLAN). If you make a change under the WLAN, it will "bounce" the WLAN. But if you "admin" disable that particular PSN globally, the WLC will just keep using the other PSNs until you turn it on again.

    Tim

  • Which server is the WLC RADIUS accounting server in a distributed ISE deployment, the PSN or the MnT node?

    Hello

    In the WLC configuration for RADIUS accounting servers in a distributed ISE deployment, which server is the RADIUS server: the Policy Service node(s) or the Monitoring nodes?

    As always, appreciate your reply.

    Mike

    Hi Mike,

    The WLC must be configured to send authentication and accounting to the PSN. Monitoring nodes are (among other functions) where the PSN logs are forwarded to.

    Cheers,

    SEB.

  • ISE CWA redirect redundancy

    Hello

    If in a CWA authorization profile the IP address option is used for redirection, how will this affect redundancy? For example, in my implementation with 2 ISE appliances, the CWA profile on the primary Admin node is configured with an IP address of x.x.x.110, which is the address of the primary ISE unit. When the primary hardware fails, how will the secondary unit handle the above, since the IP address x.x.x.110 will be unavailable and the new IP address must be x.x.x.109...?

    If you check this box and set an IP address manually, then all CWA requests will go to this host name/IP. If you want to have redundancy then you should leave this box unchecked. This will allow ISE to use the FQDN of the RADIUS server that is currently serving this SSID.

    I hope this helps!

    Thank you for rating helpful posts!

  • ISE 1.2 and maximum PSNs supported in my persona config

    Hello people, I am setting up a fairly large-scale distributed ISE deployment and I was wondering if anyone could tell me what the maximum number of PSNs allowed in this configuration is. I was reading through an older training document for version 1.1 and it suggested 5, which is why I wonder if the specs changed in 1.2, but I can't find them anywhere.

    I have a large virtual machine running the primary admin persona, which is also secondary for monitoring & reporting, in my main data centre.

    In another state (connected by 10G) is another large VM acting as my secondary admin persona with primary monitoring & reporting.

    Across several states I want to have multiple PSNs following the geographic pattern of each state, but I don't know if I can deploy enough PSNs with my current version 1.2 and my persona config listed above. I need about 12 to 15 PSNs.

    I was wondering if I need two more VMs, separate from my admin node in DC1 and the secondary monitoring in DC2, for more PSN scalability.

    Any help would be greatly appreciated.

    -Thank you

    As Marvin suggested, I would look at using 1.3 at this point, unless you have specific concerns with that version and really want to stay with 1.2. That being said, here are my recommendations/comments:

    - Both v1.2 and v1.3 actually support up to 40 PSN nodes

    - If any of your PSN nodes will be in the same location and are layer 2 adjacent, I recommend putting them in a node group and behind a load balancer. If you do not have a load balancer, I would still put them in a node group. At this time a node group can have up to 10 PSNs

    - If you have 10-15 PSN nodes then you should dedicate 2 nodes specifically to the monitoring persona

    - The maximum round-trip time between all nodes must not exceed 200 ms

    For more information, you can always refer to the "Network deployment" section in the ISE hardware installation guide:

    v1.3

    http://www.Cisco.com/c/en/us/TD/docs/security/ISE/1-3/installation_guide/b_ise_InstallationGuide13/b_ise_InstallationGuide12_chapter_00.html

    v1.2

    http://www.Cisco.com/c/en/us/TD/docs/security/ISE/1-2/installation_guide/ise_ig/ise_deploy.html

    Thank you for rating helpful posts!

  • Cisco ISE 3395 NIC teaming/redundancy

    Is it possible to implement NIC teaming on a 3395? I see that it is available on the SNS 3400 series. However, I was unable to locate any information about NIC teaming for redundancy purposes on the 3395. Is this feature supported, and if so, how would I go about configuring it correctly? Thank you very much for the help in advance.

    Hello. For now, ISE does not support NIC teaming/bonding of any kind. It has been asked for several times, so I hope that Cisco will implement it in a future version.

    Thank you for rating helpful posts!

  • ISE PSN node will not join the cluster

    Hi all

    Has anyone seen a problem where a PSN cannot join the cluster?

    We join the PSN node:

    - Node is registered successfully (sync in progress)

    - 1 hour later - node replication failure.

    - Replication synchronization failed because the secondary database is down

    I have a client where the admin node and PSN are separated by a firewall.

    We allowed the following in both directions:

    Admin <--> PSN

    ICMP

    HTTPS

    1521

    Firewall not showing drops.

    DNS and NTP are ok.

    Current topology is 1 PSN, 1 Admin node.

    Works very well in our test lab, but not in the client's environment.

    Cheers

    Peter.

    Thank you for the update and good work on finding the solution! You should probably mark it as resolved now.

    In addition, it is quite rare (at least for me) for ISE nodes to be separated by firewalls. There are a lot of ports/protocols that must be opened between them, so it is usually more of a pain to manage. In addition, sometimes ports will change too. For example, the agent provisioning port was changed not too long ago...

    Thanks for the note!

  • ISE - maximum number of endpoints supported per PSN

    In a distributed deployment, what is the maximum number of endpoints that can be supported by a single PSN?

    If possible, please provide a link to the documentation that supports your answer.

    An SNS 3415 can support up to 5000 concurrent endpoints and a 3495 can support up to 20000 concurrent endpoints.

  • ISE captive portal & redundancy

    I have a guest SSID configured in my WLC. I also have 2 ISE appliances (primary/secondary) that I use for web authentication on my guest SSID.

    In the config of my SSID (Security / Layer 3 / Web Policy), I chose "Web Auth Type: External" and I had to enter the URL of my ISE server. I used the primary ISE, but if the primary fails I have to manually change this URL to the secondary for web auth to continue working. How can I automate this? Is there a way to set up a virtual IP address (like the NAC CAS) for my 2 ISEs?

    Thank you

    The best way around this is to use the central web authentication feature, so that redirect requests are sent from whichever ISE node is available, which sends the AV pair to redirect the user.

    Have you considered this option?

    Thank you

    Tarik Admani
    * Please rate helpful posts *
