ISE AD failover

Hi,
I have a ISE 1.1.3.124 VM operating in standalone mode that is authenticating devices against AD. The AD environment consists of multiple member servers, and while this is working fine, when the Domain controller that the ISE Displays it is connected to fails,
In normal operating mode under External Identity Sources -> Active Directory the management web page displays the following status:
"Connected to: mydc01.mydomain.com"
However when I shutdown the this domain controller, it displays the following status even there are more Domain Controllers in the network.
"Joined to Domain but Disconnected"
In the CLI config, I have added all of the Domain Controllers IP addresses using the "ip name-server" command
Now any authentications fail with the following message "24444 Active Directory operation has failed because of an unspecified error in the ISE"
Can the ISE be configured to look at more than 1 AD server?
Appreciate any help on this.

Hi David,
I am running VM.
"show version" output below.
Thanks,
Steve.
Cisco Application Deployment Engine OS Release: 2.0
ADE-OS Build Version: 2.0.4.018
ADE-OS System Architecture: i386
Copyright (c) 2005-2011 by Cisco Systems, Inc.
All rights reserved.
Hostname: alxise01
Version information of installed applications
Cisco Identity Services Engine
Version      : 1.1.3.124
Build Date   : Thu Feb  7 17:55:38 2013
Install Date : Thu Mar 14 10:27:53 2013

Similar Messages

  • Ise failover test

    As part of an ISE implementation, I want to test ISE failover for Admin, MnT, and PSN personas.  Does anyone have an ISE failover test plan or ISE failover test best practices documentation to share?
    Thanks much,
    David Daverso

    Steps for Administration persona failover testing
    1. Stop ISE services on Primary Admin
    Primary Admin# application stop ise
    2. Log in to the Secondary Admin GUI and manually promote to Primary
    3. Wait 10-15 minutes before process is complete
    4. Verify ISE services are up on promoted Secondary Admin
    Secondary Admin# sh application status ise
    5. Promoted Primary Admin checks
    Deployment pages shows all nodes are green and in synch
    6. User testing to verify successful authentications and logging
    Note:
    After you promote your secondary Administration node to become the primary Administration
    node, you must reconfigure your scheduled Cisco ISE backups in the newly promoted primary
    Administration node
    because scheduled backups are not replicated from the primary to secondary Administration
    node.
    7. After step 6 testing is complete restore original Primary Admin
    8. Start ISE services on original Primary Admin
    Primary Admin# application start ise
    9. Verify ISE services are up on original Primary Admin
    Primary Admin# sh application status ise
    10. Promoted Primary Admin checks
    Deployment pages shows original Primary Admin green and in synch
    11. Stop ISE services on Promoted Primary Admin
    Secondary Admin# application stop ise
    12. Log in to the original Primary Admin GUI and manually promote to Primary
    13. Wait 10-15 minutes before process is complete
    14. Verify ISE services are up on original Primary Admin
    Primary Admin# sh application status ise
    15. Promoted Primary Admin checks
    Deployment pages shows all nodes are green and in synch
    16. User testing to verify successful authentications and logging
    Note:
    After you promote your secondary Administration node to become the primary Administration
    node, you
    must reconfigure your scheduled Cisco ISE backups in the newly promoted primary
    Administration node
    because scheduled backups are not replicated from the primary to secondary Administration
    node.
    17. Start ISE services on original Secondary Admin
    Secondary Admin# application start ise
    18. Verify ISE services are up on original Secondary Admin
    Secondary Admin# sh application status ise
    19. Primary Admin checks
    Deployment pages shows original Secondary Admin green and in synch
    20. User testing to verify successful authentications and logging

  • ISE Failover Device Licensing

    I am working on getting ISE licensing requirements put together for the upcoming budget. 
    I am confused on licensing for a failover appliance. Do we need to get another set of licenses for the failover appliance, or will the licenses for the primary device cover the failover?

    Hi,
    Prior to ISE Release 1.2, customers could only specify ISE licenses to be registered to a single ISE Administration Node (i.e., the Primary Administration Node). Now, ISE Release 1.2 delivers the capability to register ISE licenses to two Administration Nodes (i.e., Primary and Secondary Administration Nodes). The registration of an ISE license to the Primary Administration Node remains mandatory, but the option to register a Secondary Administrative Node is available.
    Reference link,
    http://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/sales_tool_c96-729045.html

  • ISE 1.1.2 failover - Syncronization issue

    Hi everone,
    Scenário:
    I've deployed two Cisco ISE 1.1.2 nodes as follows:
    Node 1 as Primrary Admin, Policy Server and Monitoring
    Node 2 as Secondary Admin, Policy Server and Monitoring
    All configured roles works as expected.
    Problem:
    Once I promote the Node 2 (Secondary node) to become the Primary the problem takes place as described bellow:
    1- The Node 2 restarts the ISE Application and assumes the Primary Admin, Policy Server roles (but Monitoring role remains as Primary)
    2- The Node 1 restarts the ISE Application too and Secondary Admin, Policy Server roles (but Monitoring role remains as Secondaary)
    After the ISE Application becomes up in both nodes the syncronization status appear as NODE NOT REACHABLE.
    Does anyone faced this issue before, or have any idea about it?
    Thanks in advance.

    I may have misunderstood your problem, but.... for your first problem, are you expecting the Monitor node status to change when you promote node 2? You're only promoting the admin role, the monitor role will remain unchanged unless you choose to change which is primary monitor node too (totally separate).
    2nd problem. Sounds like certificate maybe? What are you using in the way of certs for the nodes to auth each other? Did you swap the self signed certs for instance between nodes? Changed certs recently and not delete old ones? I've seen old certs which seem to have been deleted hang around until a full reload.

  • ISE Guest Portal Failover For New Requests

    I have one controller and two ISE 1.2 nodes (primary and secondary)  for resiliency, not capacity.  Each ISE node has one interface for Management and one interface for Guest Portal.  PSN is active on both nodes.  The WLC chooses the ISE node (with fallback) for authentication.  For guest authentication, the user should be redirected to one of the two Guest Portals. What is the best method for choosing and correctly redirecting the user to the Guest Portal (including when one is down).  Is there another/simpler solution than a load-balancer for this scenario. Node Groups are for pending sessions and I need a solution for new sessions.
    Thanks.             

    You dont need to do that, once the WLC has deemed a PSN down, new mab requests are sent to the next psn in your radius list on the wlc, and the other psn will reply with its own hostname in the redirect url.

  • ISE failover between PSNs not working

    This has never worked for us. We have two Policy Service Nodes. But when the first goes down, clients are not getting authenticated through second.
    Even when first comes up, clients still don't get authenticated. Reason for this looks to be the absence of network devices. After reboot of the first PSN, its network devices list is empty, so we have to import the devices' list again. Why is the network device list empty after reboot of the primary PSN? Is this a known issue?

    Are your two psns also admin and mnt personas as well? I am just curious on how you can view the network device entries.
    I would recheck the database admin and user passwords, seems as if replication between these two nodes are not acting properly. Also did you install any patches?
    Thanks,
    Sent from Cisco Technical Support iPad App

  • ISE 1.2 CWA with Multiple PSNs - SessionID Replication / Session Expired

    Hi all.
    I have a (2) Policy Services Nodes (PSNs) in an ISE 1.2 deployment running patch 1. We are using Wireless MAB and CWA on 5760 Wireless LAN Controllers running v3.3.3.
    We are hitting an issue wherein a client first passes MAB and then gets redirected to a CWA custom portal. The client then receives a Session Expired message. This seems to be related to the fact that CWA is technically a 2-stage authentication (MAB by the WLC and then CWA by the client). Specifically, it seems to happen when the WLC makes its MAB RADIUS access-request to PSN-1 and then the client comes in to PSN-2 to complete the CWA. This issue does not happen when only one PSN is in use and all authentication traffic (both MAB RADIUS and CWA) is directed at a single PSN.
    Clients resolve the FQDN in the redirect URL using public DNS and a public DNS zone file (call it cwa-portal.example.com). cwa-portal.example.com has two A records for the two PSN nodes. DNS is responding to queries using DNS round-robin.
    I have the PSNs configured in a Node Group for session information replication between PSNs, but this doesn't seem to make a difference in behavior.
    So I ask:
    What is the recommended architecture for CWA when using more than one PSN? It seems that you would need to keep the two authentication flows pinned together so that they both hit the same PSN when using more than one PSN in a deployment. A load balancer balancing on the SessionID string comes to mind (both the RADIUS MAB request and the CWA URL contain this unique per-client SessionID), but that seems terribly overbuilt for a seemingly simple problem. On the other hand, it also seems like using a Node Group setup should easily be able to replicate client SessionIDs to all nodes in the deployment so that this isn't an issue. I.e., if the WLC authenticates MAB on PSN-1, then PSN-1 should tell the Node Group about it such that when the client CWA's on PSN-2, PSN-2 doesn't respond with a Session Expired message.
    Is there any Cisco documentation that talks about this?
    Possibly related:
    https://supportforums.cisco.com/discussion/12131531/ise-12-guest-access-session-expired
    Justin

    Tim,
    Thanks for your reply and confirming my suspicion. Hopefully a future version of ISE will provide automated SessionID synchronization among PSNs so that front-end finagling in a multi-PSN environment won't be necessary.
    For anyone else with this issue who for whatever reason can't implement a load balancer(s), I built an automated EEM applet running on a "watchdog" switch (3750 running 12.2(55)SEE9) using IPSLA tracking that senses when PSN1 is down and then
    modifies an ASA to change its client-facing NAT statement for PSN1 to PSN2
    modifies the primary and HA wireless LAN controllers to change its MAB RADIUS aaa server group to use PSN2
    reverts the ASA and WLCs to using PSN1 when PSN1 is detected up and running again
    The applet ensures the SessionID authentications stay "glued" together so that both WLCs and the client hit the same PSN for both stages of authentication. It's failover only, not a load balancing solution, but it meets our current project's need for an automated HA environment.
    PM me if you want the code. I'm have a little too much going on ATM to sanitize and post it. :)
    Justin

  • DSC, SQL Server 2012 Enterprise sp2 x64, SQL Server Failover Cluster Install not succeeding

    Summary: DSC fails to fully install the SQL Server 2012 Failover Cluster, but the identical code snippet below run in powershell ise with administrator credentials works perfectly as does running the SQL server install interface.
    In order to develop DSC configurations, I have set up a Windows Server 2012 R2 failover cluster in VMware Workstation v10 consisting of 3 nodes.  All have the same Windows Server 2012 version and have been fully patched via Microsoft Updates. 
    The cluster properly fails over on command and the cluster validates.  Powershell 4.0 is being used as installed in windows.
    PDC
    Node1
    Node2
    The DSC script builds up the parameters to setup.exe for SQL Server.  Here is the cmd that gets built...
    $cmd2 = "C:\SOFTWARE\SQL\Setup.exe /Q /ACTION=InstallFailoverCluster /INSTANCENAME=MSSQLSERVER /INSTANCEID=MSSQLSERVER /IACCEPTSQLSERVERLICENSETERMS /UpdateEnabled=false /IndicateProgress=false /FEATURES=SQLEngine,FullText,SSMS,ADV_SSMS,BIDS,IS,BC,CONN,BOL /SECURITYMODE=SQL /SAPWD=password#1 /SQLSVCACCOUNT=SAASLAB1\sql_services /SQLSVCPASSWORD=password#1 /SQLSYSADMINACCOUNTS=`"SAASLAB1\sql_admin`" `"SAASLAB1\sql_services`" `"SAASLAB1\cubara01`" /AGTSVCACCOUNT=SAASLAB1\sql_services /AGTSVCPASSWORD=password#1 /ISSVCACCOUNT=SAASLAB1\sql_services /ISSVCPASSWORD=password#1 /ISSVCSTARTUPTYPE=Automatic /FAILOVERCLUSTERDISKS=MountRoot /FAILOVERCLUSTERGROUP='SQL Server (MSSQLSERVER)' /FAILOVERCLUSTERNETWORKNAME=SQLClusterLab1 /FAILOVERCLUSTERIPADDRESSES=`"IPv4;192.168.100.15;LAN;255.255.255.0`" /INSTALLSQLDATADIR=M:\SAN\SQLData\MSSQLSERVER /SQLUSERDBDIR=M:\SAN\SQLData\MSSQLSERVER /SQLUSERDBLOGDIR=M:\SAN\SQLLogs\MSSQLSERVER /SQLTEMPDBDIR=M:\SAN\SQLTempDB\MSSQLSERVER /SQLTEMPDBLOGDIR=M:\SAN\SQLTempDB\MSSQLSERVER /SQLBACKUPDIR=M:\SAN\Backups\MSSQLSERVER > C:\Logs\sqlInstall-log.txt "
    Invoke-Expression $cmd2
    When I run this specific command in Powershell ISE running as administrator, logged in as domain account that is in the Node1's administrators group and has domain administrative authority, it works perfectly fine and sets up the initial node properly.
    When I use the EXACT SAME code above pasted into my custom DSC resource, as a test with a known successful install, run with the same user as above, it does NOT completely install the cluster properly.  It still installs 17 applications
    related to SQL Server and seems to properly configure everything except the cluster.  The Failover Cluster Manager shows that the SQL Server Role will not come on line and the SQL Server Agent Role is not created. 
    The code is run on Node1 so the setup folder is local to Node1.
    The ConfigurationFile.ini files for the two types of installs are identical.
    Summary.txt does have issues..
    Feature:                       Database Engine Services
      Status:                        Failed: see logs for details
      Reason for failure:            An error occurred during the setup process of the feature.
      Next Step:                     Use the following information to resolve the error, uninstall this feature, and then run the setup process again.
      Component name:                SQL Server Database Engine Services Instance Features
      Component error code:          0x86D8003A
      Error description:             The cluster resource 'SQL Server' could not be brought online.  Error: There was a failure to call cluster code from a provider. Exception message: Generic
    failure . Status code: 5023. Description: The group or resource is not in the correct state to perform the requested operation.  .
    It feels like this is a security issue with DSC or an issue with the setup in SQL Server, but please note I have granted administrators group and domain administrators authority.  The nodes were built with the same login.  Windows firewall
    is completely disabled.
    Please let me know if any more detail is required.

    Hi Lydia,
    Thanks for your interest and help.
    I tried "Option 3 (recommended)" and that did not help.
    The issue I encounter with the fail-over cluster only occurs when trying to install with DSC!
    Using the SQL Server Install wizard, Command Prompt and even in Powershell by invoking the setup.exe all work perfectly.
    So, to reiterate, this issue only occurs while running in the context of DSC.
    I am using the same domain login with Domain Admin Security and locally the account has Administrators group credentials.  The SQL Server Service account also has Administrators Group Credentials.

  • ISE 1.2 Authentication Failures at First time Connection

    Hi,
     I have a trouble with ISE 1.2 when trying to authenticate for first time an end-device, this device might be either a Workstation or IP Phone or Printer,etc. it fails or staying in running mode. The result is the same it can not access the network.  hopefully I'm still in open mode :)
    As i described in the beginning everything has status Running or Authz Failed. and after a time of period usually one day finally succeeds.
    This happens mostly for workstations and printers, but in case of phones does not have the same behavior. I unplug plug the phones or I shut/ no shut the ports in order to trigger it to succeed. For some phones worked but other obstinately declined.
    The phones which are not Cisco phones authenticated with MD5 (a simple username and pass  ) i think the problem should not related with the auth protocol.
    Below are some logs from one phone. For me coming to a short conclusion this must be related with the switches which are 3750e (15.02 SE 4 IOS)
    or with the same the ISE, why because i have almost the same behavior for all end-devices.
    I kindly remain your comments...
    2169669: Apr 16 18:02:20.573 EEST: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/35, changed state to up
    2169670: Apr 16 18:02:20.783 EEST: %DOT1X-5-FAIL: Authentication failed for client (0080.9f7d.3ddf) on Interface Gi1/0/34 AuditSessionID 0A114D0D0000D5E8855C01DE
    2169671: Apr 16 18:02:20.791 EEST: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (0080.9f7d.3ddf) on Interface Gi1/0/34 AuditSessionID 0A114D0D0000D5E8855C01DE
    S301#
    2169672: Apr 16 18:02:20.992 EEST: %AUTHMGR-5-START: Starting 'dot1x' for client (0080.9f7d.3ddf) on Interface Gi1/0/34 AuditSessionID 0A114D0D0000D5F0855DE0EF
    2169673: Apr 16 18:02:21.580 EEST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/35, changed state to up
    S301#
    2169674: Apr 16 18:02:24.289 EEST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/35, changed state to down
    S301#
    2169675: Apr 16 18:02:25.288 EEST: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/35, changed state to down
    2169676: Apr 16 18:02:26.269 EEST: %AUTHMGR-5-START: Starting 'dot1x' for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
    2169677: Apr 16 18:02:26.294 EEST: %DOT1X-5-FAIL: Authentication failed for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
    2169678: Apr 16 18:02:26.294 EEST: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
    2169679: Apr 16 18:02:26.303 EEST: %DOT1X-5-FAIL: Authentication failed for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
    2169680: Apr 16 18:02:26.303 EEST: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
    2169681: Apr 16 18:02:26.319 EEST: %DOT1X-5-FAIL: Authentication failed for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
    2169682: Apr 16 18:02:26.319 EEST: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
    2169683: Apr 16 18:02:26.319 EEST: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
    2169684: Apr 16 18:02:26.319 EEST: %AUTHMGR-5-START: Starting 'mab' for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
    2169685: Apr 16 18:02:26.328 EEST: %MAB-5-FAIL: Authentication failed for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
    2169686: Apr 16 18:02:26.328 EEST: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
    2169687: Apr 16 18:02:26.328 EEST: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
    2169688: Apr 16 18:02:26.328 EEST: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
    S301#
    2169689: Apr 16 18:02:26.336 EEST: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
    S301#
    2169690: Apr 16 18:02:27.737 EEST: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/35, changed state to up
    2169691: Apr 16 18:02:28.744 EEST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/35, changed state to up
    Regards
    T.C

    I'm not using authentication method with certificates for none end-devices
    Workstations with the windows default authentication protocol EAP/MSCHAPv2
    In front of them there are non Cisco IP-phones with auth. method EAP/MD5
    Finally I also have some printers again with option EAP/MD5
    For all of these devices I received the same behavior, after many hours finally the authenticated with ISE. But is this the expected behavior?
    What I understand is that if the devices finally authenticated then it means that there isn’t anything wrong with the method.
    The misunderstanding points are 3
    Why there is so much delay for all devices to authenticate?
    Why some devices, mostly IP phones (not all) continuing to fail to the authentication method. All my devices are identical with the same software / patch, same model etc.
    I have noticed randomly some devices one moment to succeed and the next moment to failed
    So for my understanding there is an abnormal behavior and i cannot find the way /pattern to correct it or to understand the reason :)
    Port config
    switchport access vlan xxx
     switchport mode access
     switchport voice vlan yyy
     ip access-group ACL-ALLOW in
     authentication event fail action next-method
     authentication event server dead action reinitialize vlan xxx
     authentication event server dead action authorize voice
     authentication event server alive action reinitialize
     authentication host-mode multi-domain
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     authentication violation restrict
     mab
     dot1x pae authenticator
     no cdp enable
     spanning-tree portfast
    result template
    Switch#sh auth sess int g1/0/46
                Interface:  GigabitEthernet1/0/46
              MAC Address:  xxxx.xxxx.xxxx
               IP Address:  xx.xxx.xx.xxx
                User-Name:  xxxxxxxxxxxx
                   Status:  Authz Failed
                   Domain:  DATA
          Security Policy:  Should Secure
          Security Status:  Unsecure
           Oper host mode:  multi-domain
         Oper control dir:  both
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  0A114D0A00001972016208E1
          Acct Session ID:  0x00001BB7
                   Handle:  0x6D0009B6
    Runnable methods list:
           Method   State
           dot1x    Failed over
           mab      Failed over

  • ISE 1.2 step-by-step patch or direct to latest....and IPEP does it get any patches?

    I am currently running ISE 1.1.3u1
    Since I will basically have to redo my IPEPs to renew our SSL Certs, I am planning to just move up to 1.2.
    Questions I have are:
    Is there not a FULL install for 1.2u"latest"?
    From my understanding I should be able to upgrade direct from 1.1.3 to 1.2 on my admin/policy/MnT node (VM) but my IPEPs will have to be totally recreated to move to 1.2. Is this correct?
    Then once I am on 1.2, can I just jump to the latest update, or do I have to install each update one by one?
    Something I just read made me think that the IPEPs won't be able to take the 1.2 patches, as in they will be stuck at 1.2.0.899 with no updates, is this correct?

    This will definitely be my endgame.
    But since this code just came out, I am not willing to jump direct to it, yet.
    Also, I haven't found much documentation on how to make this transition, i.e., exactly what settings on the ASA will make it replace the IPN, and if any changes need to be made on the Admin/Policy/MnT server.
    Then as soon as I make that transition, I will be able to rebuild the 3315 (have 2) to be failover between the two locations.

  • CIsco ISE 1.2 to 1.3 upgrade

    I am planning for an ISE upgrade from version 1.2 to 1.3. I have two nodes (primary admin, secondary monitoring (ISE 3355) in one box and secondary admin, primary monitoring in the other (3315).) and 8 PSNs (all 3315).
    My question is after upgrading when we are testing for failover of the HA pairs in both the nodes…are we going to face any technical complications because of the different model numbers. All nodes (2 +8= 10) are in different locations.

    You must first upgrade the secondary Administration node to Release 1.3. For example, if you have a deployment set up as shown in the following figure, with one primary Administration node (node A), one secondary Administration node (node B), one Inline Posture node (IPN) (node C), and four Policy Service nodes (PSNs) (node D, node E, node F, and node G), one primary Monitoring node ( node H), and one secondary Monitoring node (node I), you can proceed with the following upgrade procedure.
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/upgrade_guide/b_ise_upgrade_guide_13/b_ise_upgrade_guide_chapter_01.html#ID20
    Before You Begin : http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/upgrade_guide/b_ise_upgrade_guide_13/b_ise_upgrade_guide_13_chapter_011.html

  • Cisco ISE Deployment

    Dears,
    We have 2  ISE server. I configured wired, wireless,vpn, guest user authentication from ISE server. All of them are normal working. Both of ISE server have same Image.(ver 1.2) I deployed ISE servers as HA.  I register second ISE server at primary ISE server.  I attached the configuration files. 
    I want one ISE device is primary( Administration, Monitoring and Policy are active in primary ISE) and the other ISE server  is backup or standby. (Administration, Monitoring and Policy are standby). When the Primary ISE server is  going to down then all AAA process is going  through the secondary ISE server( it is like redundancy on  ASA) 
    Is it possible to configure? If yes how I do this configuration? 
    Thank for your helping.

    ISE 1.2 does not have an Automatic Failover for the Admin Nodes.  If the primary node goes down, you have to manually promote the secondary node.
    Until you promote the secondary, the deployment has very serious limitations:
    So, you see, there is no true HA with Automatic Failover for ISE 1.2.You have to have both ISE servers on anyway and the Monitoring Persona is the only one that does support Automatic Failover, so it really does make sense to deploy your nodes as noted here:
    Node1:  Admin (Primary), Monitoring (Secondary), Policy Service
    Node2:  Admin (Secondary), Monitoring (Primary), Policy Service
    The notes I referenced can be found in the ISE 1.2 User Guide.
    Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
    Charles Moreton

  • OpenLdap Cisco ISE 1.2

    Is OpenLdap supported by Cisco ISE 1.2?
    When I try "Test bind to server" I get results so the connection seems fine. However when I set up the policies for a basic wlan with wpa2 authentication it says "Invalid password". When I put my username in the attributes folder it finds my id so I'm sure the link is working fine.

    Cisco ISE always uses the primary LDAP  server to obtain groups and attributes for use in authorization policies  from the Admin portal, so the  primary LDAP server must be accessible when you configure these items.  Cisco ISE uses the secondary LDAP server only for authentications and  authorizations at run time, according to the failover configuration. 
    Cisco ISE retains a list of  open LDAP connections (including the binding information) for each LDAP  server that is configured in Cisco  ISE. During the authentication process, the connection manager attempts  to find an open connection from the pool. If an open connection does not  exist, a new one is opened.
    If the LDAP server closed the  connection, the connection manager reports an error during the first  call to search the directory, and tries to renew the connection. After  the authentication process is complete, the connection manager releases  the connection.
    Please check the  below link which can helpful for you:
    http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_ui_reference_administration.html#wpxref71565

  • ISE does not register nodes - (blank pop-up window)

    Hello everyone !
    There CiscoISE 1.1.4.218 (all 8 patches) consisting of 6 nodes (2 admin, 2 monitors, 2 policy) on virtual machines.
    When testing failover between policy node, one of policy nodes has been removed from scheme of deployment. The  result of attempting to register this node is the blank warning pop-up  window, progress of registration stops without registration of policy  node (screenshot in attachment). The same
    thing  happens when I try to register a secondary monitoring nodes (that was  removed earlier, like in the case with police node). I  also attach a portion of log file taken from admin node (CLI) in the  moment of attempts registration of police / monitoring nodes.
    In the DNS is ok (defined in both side), all certificates are valid.
    Maybe somebody has already found a similar mistake ?
    Sincerely,
    Andrey

    Please check the following Prerequisites
    The fully qualified domain name (FQDN) of the standalone node that you are going to register, for example, ise1.cisco.com must be DNS-resolvable from the primary Administration ISE node.  Otherwise, node registration will fail. You must enter the IP addresses  and FQDNs of the ISE nodes that are part of your distributed deployment  in the DNS server.
    •The  primary Administration ISE node and the standalone node that you are  about to register as a secondary node should be running the same version  of Cisco ISE.
    •Node  registration fails if you provide the default credentials (username:  admin, password: cisco) while registering a secondary node. Before you  register a standalone node, you must log into its administrative user  interface and change the default password (cisco).
    •You  can alternatively create an administrator account on the node that is  to be registered and use those credentials for registering that node.  Every ISE administrator account is assigned one or more administrative  roles. To register and configure a secondary node, you must have one of  the following roles assigned: Super Admin, System Admin, or RBAC Admin.  See Cisco ISE Admin Group Roles and Responsibilities for more information on the various administrative roles and the privileges associated with each of them.
    •If  you plan to register a secondary Administration ISE node for high  availability, we recommend that you register the secondary  Administration ISE node with the primary first before you register other  Cisco ISE nodes. If Cisco ISE nodes are registered in this sequence,  you do not have to restart the secondary ISE nodes after you promote the  secondary Administration ISE node as your primary.
    •If  you plan to register multiple Policy Service ISE nodes running Session  services and you require mutual failover among those nodes, you must  place the Policy Service ISE nodes in a node group. You must create the  node group first before you register the nodes because you need to  select the node group to be used on the registration page. See "Creating, Editing, and Deleting Node Groups" section for more information.
    •Ensure  that the Certificate Trust List (CTL) of the primary node is populated  with the appropriate Certificate Authority (CA) certificates that can be  used to validate the HTTPS certificate of the standalone node (that you  are going to register as the secondary node). See the "Creating Certificate Trust Lists in the Primary Cisco ISE Node" section on page 12-24 for more information.
    •After  registering your secondary node to the primary node, if you change the  HTTPS certificate on the registered secondary node, you must obtain  appropriate CA certificates that can be used to validate the secondary  node's HTTPS certificate and import it to the CTL of the primary node.  See "Creating Certificate Trust Lists in the Primary Cisco ISE Node" section on page 12-24 for more information.

  • About ISE 802.1X question!

    Today my colleagues and I deploy ISE found the following question.
    Sometimes, can have the user authentication and authorization success under the same interface, user authentication and authorization is not successful.If restart ISE will be normal.
    Why is that?
    Two ise ,Distributed Deployment,
    I test redundancy。I closed the main equipment,The following error:
    LOG:==============================================
    The normal time:
    6509-vss#show authentication sessions interface g1/9/36
                Interface:  GigabitEthernet1/9/36
              MAC Address:  0021.cc68.a63e
               IP Address:  172.30.60.11
                User-Name:  daiyue
                   Status:  Authz Success
                   Domain:  DATA
           Oper host mode:  multi-auth
         Oper control dir:  both
            Authorized By:  Authentication Server
              Vlan Policy:  N/A
                  ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-51ef7db1
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  AC1E3C02000000410155DA40
          Acct Session ID:  0x0000006C
                   Handle:  0x73000041
    Runnable methods list:
           Method   State
           mab      Failed over
           dot1x    Authc Success
                Interface:  GigabitEthernet1/9/36
              MAC Address:  0026.2df8.a25f
               IP Address:  172.30.60.10
                User-Name:  daiyue
                   Status:  Authz Success
                   Domain:  DATA
           Oper host mode:  multi-auth
         Oper control dir:  both
            Authorized By:  Authentication Server
              Vlan Policy:  N/A
                  ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-51ef7db1
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  AC1E3C02000000400154E52C
          Acct Session ID:  0x0000006D
                   Handle:  0x91000040
    Runnable methods list:
           Method   State
           mab      Failed over
           dot1x    Authc Success
    When there is a problem:
    6509-vss#
    Feb 27 2014 17:43:11: %DOT1X-5-FAIL: Authentication failed for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:43:11: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:43:11: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:43:11: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:43:11: %AUTHMGR-5-FAIL: Authorization failed for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:47:52: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (0026.2df8.a25f) on Interface Gi1/9/36
    Feb 27 2014 17:47:52: %AUTHMGR-5-START: Starting 'dot1x' for client (0026.2df8.a25f) on Interface Gi1/9/36
    Feb 27 2014 17:48:02: %DOT1X-5-FAIL: Authentication failed for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:48:02: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:48:02: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:48:02: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:48:02: %AUTHMGR-5-FAIL: Authorization failed for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:48:20: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
    Feb 27 2014 17:48:20: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.
    Feb 27 2014 17:48:25: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
    Feb 27 2014 17:48:25: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.
    Feb 27 2014 17:48:29: %DOT1X-5-SUCCESS: Authentication successful for client (0026.2df8.a25f) on Interface Gi1/9/36
    Feb 27 2014 17:48:29: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (0026.2df8.a25f) on Interface Gi1/9/36
    Feb 27 2014 17:48:29: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 0026.2df8.a25f| AuditSessionID AC1E3C020000004D01CCB640| AUTHTYPE DOT1X| EVENT APPLY
    Feb 27 2014 17:48:29: %EPM-6-IPEVENT: IP 0.0.0.0| MAC 0026.2df8.a25f| AuditSessionID AC1E3C020000004D01CCB640| AUTHTYPE DOT1X| EVENT IP-WAIT
    Feb 27 2014 17:48:30: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0026.2df8.a25f) on Interface Gi1/9/36
    Feb 27 2014 17:48:34: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
    Feb 27 2014 17:48:34: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.
    6509-vss(config-if)#
    6509-vss(config-if)#
    Feb 27 2014 17:48:49: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
    Feb 27 2014 17:48:49: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.
    Feb 27 2014 17:49:02: %AUTHMGR-5-START: Starting 'mab' for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:49:13: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
    Feb 27 2014 17:49:13: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.
    Feb 27 2014 17:49:18: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
    Feb 27 2014 17:49:18: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.
    Feb 27 2014 17:49:21: %MAB-5-FAIL: Authentication failed for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:49:21: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:49:21: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:49:21: %AUTHMGR-5-START: Starting 'dot1x' for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:49:23: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
    Feb 27 2014 17:49:23: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.
    6509-vss(config-if)#end
    6509-vss#show
    Feb 27 2014 17:49:27: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
    Feb 27 2014 17:49:27: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.authen
    6509-vss#show authentication
    Feb 27 2014 17:49:28: %SYS-5-CONFIG_I: Configured from console by consolese
    6509-vss#show authentication sessions int
    6509-vss#show authentication sessions interface g1/9/36
                Interface:  GigabitEthernet1/9/36
              MAC Address:  0021.cc68.a63e
               IP Address:  Unknown
                User-Name:  0021cc68a63e
                   Status:  Running
                   Domain:  DATA
           Oper host mode:  multi-auth
         Oper control dir:  both
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  AC1E3C020000004E01CCCA18
          Acct Session ID:  0x00000086
                   Handle:  0x7300004E
    Runnable methods list:
           Method   State
           mab      Failed over
           dot1x    Running
                Interface:  GigabitEthernet1/9/36
              MAC Address:  0026.2df8.a25f
               IP Address:  Unknown
                User-Name:  shenshu
                   Status:  Authz Success
                   Domain:  DATA
           Oper host mode:  multi-auth
         Oper control dir:  both
            Authorized By:  Authentication Server
              Vlan Policy:  N/A
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  AC1E3C020000004D01CCB640
          Acct Session ID:  0x00000089
                   Handle:  0xB400004D
    Runnable methods list:
           Method   State
           mab      Not run
           dot1x    Authc Success
    LOG:============================================

    Please consider the order of authnetication method fail from here
    http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-service/application_note_c27-573287.html#wp9000028

Maybe you are looking for

  • [SOLVED] Bumblebee problems (Failed to assign any connected ...)

    Hello everybody. I'm having this exact issue: https://wiki.archlinux.org/index.php/Bu … X_screen_0. Unfortunately, the provided solution does not help in my case. I'm pretty much out of ideas now, so I'll post the configs and output of what I've got

  • REUSE_ALV_GRID_DISPLAY for Excel display

    Hi Experts,                       I am using FM  'REUSE_ALV_GRID_DISPLAY'  for ALV reports. In my system I am using Excel 97 version and I could see the output in excel format when I press Microsoft Excel (ctrlShiftF7). But my user is using version 2

  • Skipping, stuttering Flash Video

    VIdeos on CBS and FOX, etc skip or Stutter. I researched this and Microsoft found that if the media buffers video but never loads the clip or loads the clip but the video stutters then your DSL/cable providers using Network Address Translation (NAT)

  • Why would firefox be using so much memory that the application itself freezes to the point where I have to force the program to end?

    For the past few days, I've been doing research for a presentation that I am doing for college. As I've been using Firefox, the program freezes to the point where I have to force the program to terminate. I have a computer with 8 gigs of ram and an i

  • One album divided into many parts

    Some of my songs in iTunes that should be listed under a single album title are divided into several albums(all with the same album title). I've gone into "get info" and made sure that every listing is spelled, punctuated and phrased the same way, bu