ISE AD failover
Hi,
I have an ISE 1.1.3.124 VM operating in standalone mode that is authenticating devices against AD. The AD environment consists of multiple member servers, and while this is working fine, a problem occurs when the domain controller that the ISE displays it is connected to fails.
In normal operating mode under External Identity Sources -> Active Directory the management web page displays the following status:
"Connected to: mydc01.mydomain.com"
However, when I shut down this domain controller, it displays the following status even though there are more domain controllers in the network.
"Joined to Domain but Disconnected"
In the CLI config, I have added all of the domain controllers' IP addresses using the "ip name-server" command.
Now any authentications fail with the following message: "24444 Active Directory operation has failed because of an unspecified error in the ISE".
Can the ISE be configured to look at more than 1 AD server?
Appreciate any help on this.
Hi David,
I am running a VM.
"show version" output below.
Thanks,
Steve.
Cisco Application Deployment Engine OS Release: 2.0
ADE-OS Build Version: 2.0.4.018
ADE-OS System Architecture: i386
Copyright (c) 2005-2011 by Cisco Systems, Inc.
All rights reserved.
Hostname: alxise01
Version information of installed applications
Cisco Identity Services Engine
Version : 1.1.3.124
Build Date : Thu Feb 7 17:55:38 2013
Install Date : Thu Mar 14 10:27:53 2013
Similar Messages
-
As part of an ISE implementation, I want to test ISE failover for Admin, MnT, and PSN personas. Does anyone have an ISE failover test plan or ISE failover test best practices documentation to share?
Thanks much,
David Daverso
Steps for Administration persona failover testing
1. Stop ISE services on Primary Admin
Primary Admin# application stop ise
2. Log in to the Secondary Admin GUI and manually promote to Primary
3. Wait 10-15 minutes until the process is complete
4. Verify ISE services are up on promoted Secondary Admin
Secondary Admin# sh application status ise
5. Promoted Primary Admin checks
Deployment page shows all nodes are green and in sync
6. User testing to verify successful authentications and logging
Note: After you promote your secondary Administration node to become the primary Administration node, you must reconfigure your scheduled Cisco ISE backups in the newly promoted primary Administration node, because scheduled backups are not replicated from the primary to the secondary Administration node.
7. After step 6 testing is complete, restore the original Primary Admin
8. Start ISE services on original Primary Admin
Primary Admin# application start ise
9. Verify ISE services are up on original Primary Admin
Primary Admin# sh application status ise
10. Promoted Primary Admin checks
Deployment page shows original Primary Admin green and in sync
11. Stop ISE services on Promoted Primary Admin
Secondary Admin# application stop ise
12. Log in to the original Primary Admin GUI and manually promote to Primary
13. Wait 10-15 minutes until the process is complete
14. Verify ISE services are up on original Primary Admin
Primary Admin# sh application status ise
15. Promoted Primary Admin checks
Deployment page shows all nodes are green and in sync
16. User testing to verify successful authentications and logging
Note: After you promote your secondary Administration node to become the primary Administration node, you must reconfigure your scheduled Cisco ISE backups in the newly promoted primary Administration node, because scheduled backups are not replicated from the primary to the secondary Administration node.
17. Start ISE services on original Secondary Admin
Secondary Admin# application start ise
18. Verify ISE services are up on original Secondary Admin
Secondary Admin# sh application status ise
19. Primary Admin checks
Deployment page shows original Secondary Admin green and in sync
20. User testing to verify successful authentications and logging -
I am working on getting ISE licensing requirements put together for the upcoming budget.
I am confused on licensing for a failover appliance. Do we need to get another set of licenses for the failover appliance, or will the licenses for the primary device cover the failover?
Hi,
Prior to ISE Release 1.2, customers could only specify ISE licenses to be registered to a single ISE Administration Node (i.e., the Primary Administration Node). Now, ISE Release 1.2 delivers the capability to register ISE licenses to two Administration Nodes (i.e., Primary and Secondary Administration Nodes). The registration of an ISE license to the Primary Administration Node remains mandatory, but the option to register a Secondary Administrative Node is available.
Reference link,
http://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/sales_tool_c96-729045.html -
ISE 1.1.2 failover - Synchronization issue
Hi everyone,
Scenario:
I've deployed two Cisco ISE 1.1.2 nodes as follows:
Node 1 as Primary Admin, Policy Server and Monitoring
Node 2 as Secondary Admin, Policy Server and Monitoring
All configured roles work as expected.
Problem:
Once I promote Node 2 (the Secondary node) to become the Primary, the problem takes place as described below:
1- Node 2 restarts the ISE application and assumes the Primary Admin and Policy Server roles (but the Monitoring role remains as Primary)
2- Node 1 restarts the ISE application too and assumes the Secondary Admin and Policy Server roles (but the Monitoring role remains as Secondary)
After the ISE application comes up in both nodes, the synchronization status appears as NODE NOT REACHABLE.
Has anyone faced this issue before, or have any idea about it?
Thanks in advance.
I may have misunderstood your problem, but.... for your first problem, are you expecting the Monitor node status to change when you promote node 2? You're only promoting the admin role; the monitor role will remain unchanged unless you choose to change which is the primary monitor node too (totally separate).
2nd problem. Sounds like certificate maybe? What are you using in the way of certs for the nodes to auth each other? Did you swap the self signed certs for instance between nodes? Changed certs recently and not delete old ones? I've seen old certs which seem to have been deleted hang around until a full reload. -
ISE Guest Portal Failover For New Requests
I have one controller and two ISE 1.2 nodes (primary and secondary) for resiliency, not capacity. Each ISE node has one interface for Management and one interface for Guest Portal. PSN is active on both nodes. The WLC chooses the ISE node (with fallback) for authentication. For guest authentication, the user should be redirected to one of the two Guest Portals. What is the best method for choosing and correctly redirecting the user to the Guest Portal (including when one is down). Is there another/simpler solution than a load-balancer for this scenario. Node Groups are for pending sessions and I need a solution for new sessions.
Thanks.
You don't need to do that. Once the WLC has deemed a PSN down, new MAB requests are sent to the next PSN in your RADIUS list on the WLC, and the other PSN will reply with its own hostname in the redirect URL.
-
ISE failover between PSNs not working
This has never worked for us. We have two Policy Service Nodes. But when the first goes down, clients are not getting authenticated through second.
Even when the first comes up, clients still don't get authenticated. The reason for this looks to be the absence of network devices. After a reboot of the first PSN, its network devices list is empty, so we have to import the devices' list again. Why is the network device list empty after a reboot of the primary PSN? Is this a known issue?
Are your two PSNs also admin and MnT personas as well? I am just curious how you can view the network device entries.
I would recheck the database admin and user passwords, seems as if replication between these two nodes are not acting properly. Also did you install any patches?
Thanks,
Sent from Cisco Technical Support iPad App -
ISE 1.2 CWA with Multiple PSNs - SessionID Replication / Session Expired
Hi all.
I have a (2) Policy Services Nodes (PSNs) in an ISE 1.2 deployment running patch 1. We are using Wireless MAB and CWA on 5760 Wireless LAN Controllers running v3.3.3.
We are hitting an issue wherein a client first passes MAB and then gets redirected to a CWA custom portal. The client then receives a Session Expired message. This seems to be related to the fact that CWA is technically a 2-stage authentication (MAB by the WLC and then CWA by the client). Specifically, it seems to happen when the WLC makes its MAB RADIUS access-request to PSN-1 and then the client comes in to PSN-2 to complete the CWA. This issue does not happen when only one PSN is in use and all authentication traffic (both MAB RADIUS and CWA) is directed at a single PSN.
Clients resolve the FQDN in the redirect URL using public DNS and a public DNS zone file (call it cwa-portal.example.com). cwa-portal.example.com has two A records for the two PSN nodes. DNS is responding to queries using DNS round-robin.
I have the PSNs configured in a Node Group for session information replication between PSNs, but this doesn't seem to make a difference in behavior.
So I ask:
What is the recommended architecture for CWA when using more than one PSN? It seems that you would need to keep the two authentication flows pinned together so that they both hit the same PSN when using more than one PSN in a deployment. A load balancer balancing on the SessionID string comes to mind (both the RADIUS MAB request and the CWA URL contain this unique per-client SessionID), but that seems terribly overbuilt for a seemingly simple problem. On the other hand, it also seems like using a Node Group setup should easily be able to replicate client SessionIDs to all nodes in the deployment so that this isn't an issue. I.e., if the WLC authenticates MAB on PSN-1, then PSN-1 should tell the Node Group about it such that when the client CWA's on PSN-2, PSN-2 doesn't respond with a Session Expired message.
Is there any Cisco documentation that talks about this?
Possibly related:
https://supportforums.cisco.com/discussion/12131531/ise-12-guest-access-session-expired
Justin
Tim,
Thanks for your reply and confirming my suspicion. Hopefully a future version of ISE will provide automated SessionID synchronization among PSNs so that front-end finagling in a multi-PSN environment won't be necessary.
For anyone else with this issue who for whatever reason can't implement a load balancer(s), I built an automated EEM applet running on a "watchdog" switch (3750 running 12.2(55)SEE9) using IPSLA tracking that senses when PSN1 is down and then
modifies an ASA to change its client-facing NAT statement for PSN1 to PSN2
modifies the primary and HA wireless LAN controllers to change its MAB RADIUS aaa server group to use PSN2
reverts the ASA and WLCs to using PSN1 when PSN1 is detected up and running again
The applet ensures the SessionID authentications stay "glued" together so that both WLCs and the client hit the same PSN for both stages of authentication. It's failover only, not a load balancing solution, but it meets our current project's need for an automated HA environment.
PM me if you want the code. I have a little too much going on ATM to sanitize and post it. :)
Justin -
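The thread above makes the architectural point explicit: MAB (RADIUS from the WLC) and CWA (HTTPS from the client) are two legs of one authentication, and with more than one PSN they have to land on the same node unless session state is replicated. Justin mentions balancing on the SessionID string; the following is an added illustration of that idea (not code from the thread, from Cisco or from any load-balancer product). It extracts the session id from each leg and maps it to a PSN with rendezvous hashing, so that both legs agree on a PSN and, when a PSN is marked down, only that PSN's sessions move. The PSN hostnames, the `audit-session-id` av-pair name and the `sessionId` URL parameter name are assumptions. It generalises beyond the two-PSN case in the thread to any number of PSNs.

```python
"""Session-affinity PSN selection for two-stage (MAB + CWA) authentication.

Added illustration, not Cisco code: the hostnames, the 'audit-session-id'
av-pair name and the 'sessionId' URL parameter are assumptions."""
import hashlib
from urllib.parse import parse_qs, urlparse

# Constructed PSN pool; replace with the real PSN portal hostnames.
PSNS = ["psn-1.example.com", "psn-2.example.com", "psn-3.example.com"]


def session_id_from_radius(avpairs):
    """Pull the audit session id out of a list of cisco-av-pair strings
    (assumed form: 'audit-session-id=<hex>')."""
    for pair in avpairs:
        name, sep, value = pair.partition("=")
        if sep and name.strip().lower() == "audit-session-id":
            return value.strip()
    return None


def session_id_from_redirect_url(url):
    """Pull the session id out of a CWA redirect URL (assumed query
    parameter name 'sessionId')."""
    values = parse_qs(urlparse(url).query).get("sessionId")
    return values[0] if values else None


def choose_psn(session_id, psns, healthy):
    """Deterministically map a session id to one healthy PSN.

    Rendezvous (highest-random-weight) hashing: each (session, PSN) pair gets
    a score and the highest-scoring healthy PSN wins. Scores of the other PSNs
    do not change when one PSN is marked down, so only the sessions that were
    on the failed PSN move; every other session keeps its affinity."""
    candidates = [p for p in psns if healthy.get(p, False)]
    if not candidates:
        raise RuntimeError("no healthy PSN available")
    if not session_id:
        raise ValueError("session id missing; cannot pin request to a PSN")

    def score(psn):
        return hashlib.sha256(f"{session_id}|{psn}".encode()).hexdigest()

    return max(candidates, key=score)


def affinity_table(session_ids, psns, healthy):
    """Map every session id to its PSN (used to show stability on failover)."""
    return {sid: choose_psn(sid, psns, healthy) for sid in session_ids}


if __name__ == "__main__":
    sid = "0A0A0A0A0000001122334455"  # constructed sample session id
    radius = ["audit-session-id=" + sid, "service-type=Framed"]
    url = f"https://cwa-portal.example.com:8443/guestportal/gateway?sessionId={sid}&action=cwa"
    up = {p: True for p in PSNS}
    print("MAB leg ->", choose_psn(session_id_from_radius(radius), PSNS, up))
    print("CWA leg ->", choose_psn(session_id_from_redirect_url(url), PSNS, up))
```

The health map is the piece a real deployment has to feed from a probe (the thread's IPSLA tracking plays that role); the selection itself needs no shared state between the RADIUS-facing and HTTPS-facing front ends, which is what keeps the two legs glued together.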
Summary: DSC fails to fully install the SQL Server 2012 Failover Cluster, but the identical code snippet below run in powershell ise with administrator credentials works perfectly as does running the SQL server install interface.
In order to develop DSC configurations, I have set up a Windows Server 2012 R2 failover cluster in VMware Workstation v10 consisting of 3 nodes. All have the same Windows Server 2012 version and have been fully patched via Microsoft Updates.
The cluster properly fails over on command and the cluster validates. Powershell 4.0 is being used as installed in windows.
PDC
Node1
Node2
The DSC script builds up the parameters to setup.exe for SQL Server. Here is the cmd that gets built...
$cmd2 = "C:\SOFTWARE\SQL\Setup.exe /Q /ACTION=InstallFailoverCluster /INSTANCENAME=MSSQLSERVER /INSTANCEID=MSSQLSERVER /IACCEPTSQLSERVERLICENSETERMS /UpdateEnabled=false /IndicateProgress=false /FEATURES=SQLEngine,FullText,SSMS,ADV_SSMS,BIDS,IS,BC,CONN,BOL /SECURITYMODE=SQL /SAPWD=password#1 /SQLSVCACCOUNT=SAASLAB1\sql_services /SQLSVCPASSWORD=password#1 /SQLSYSADMINACCOUNTS=`"SAASLAB1\sql_admin`" `"SAASLAB1\sql_services`" `"SAASLAB1\cubara01`" /AGTSVCACCOUNT=SAASLAB1\sql_services /AGTSVCPASSWORD=password#1 /ISSVCACCOUNT=SAASLAB1\sql_services /ISSVCPASSWORD=password#1 /ISSVCSTARTUPTYPE=Automatic /FAILOVERCLUSTERDISKS=MountRoot /FAILOVERCLUSTERGROUP='SQL Server (MSSQLSERVER)' /FAILOVERCLUSTERNETWORKNAME=SQLClusterLab1 /FAILOVERCLUSTERIPADDRESSES=`"IPv4;192.168.100.15;LAN;255.255.255.0`" /INSTALLSQLDATADIR=M:\SAN\SQLData\MSSQLSERVER /SQLUSERDBDIR=M:\SAN\SQLData\MSSQLSERVER /SQLUSERDBLOGDIR=M:\SAN\SQLLogs\MSSQLSERVER /SQLTEMPDBDIR=M:\SAN\SQLTempDB\MSSQLSERVER /SQLTEMPDBLOGDIR=M:\SAN\SQLTempDB\MSSQLSERVER /SQLBACKUPDIR=M:\SAN\Backups\MSSQLSERVER > C:\Logs\sqlInstall-log.txt "
Invoke-Expression $cmd2
When I run this specific command in Powershell ISE running as administrator, logged in as domain account that is in the Node1's administrators group and has domain administrative authority, it works perfectly fine and sets up the initial node properly.
When I use the EXACT SAME code above pasted into my custom DSC resource, as a test with a known successful install, run with the same user as above, it does NOT completely install the cluster properly. It still installs 17 applications related to SQL Server and seems to properly configure everything except the cluster. The Failover Cluster Manager shows that the SQL Server Role will not come online and the SQL Server Agent Role is not created.
The code is run on Node1 so the setup folder is local to Node1.
The ConfigurationFile.ini files for the two types of installs are identical.
Summary.txt does have issues:
Feature: Database Engine Services
Status: Failed: see logs for details
Reason for failure: An error occurred during the setup process of the feature.
Next Step: Use the following information to resolve the error, uninstall this feature, and then run the setup process again.
Component name: SQL Server Database Engine Services Instance Features
Component error code: 0x86D8003A
Error description: The cluster resource 'SQL Server' could not be brought online. Error: There was a failure to call cluster code from a provider. Exception message: Generic failure. Status code: 5023. Description: The group or resource is not in the correct state to perform the requested operation.
It feels like this is a security issue with DSC or an issue with the setup in SQL Server, but please note I have granted administrators group and domain administrators authority. The nodes were built with the same login. Windows firewall is completely disabled.
Please let me know if any more detail is required.
Hi Lydia,
Thanks for your interest and help.
I tried "Option 3 (recommended)" and that did not help.
The issue I encounter with the fail-over cluster only occurs when trying to install with DSC!
Using the SQL Server Install wizard, Command Prompt and even in Powershell by invoking the setup.exe all work perfectly.
So, to reiterate, this issue only occurs while running in the context of DSC.
I am using the same domain login with Domain Admin Security and locally the account has Administrators group credentials. The SQL Server Service account also has Administrators Group Credentials. -
ISE 1.2 Authentication Failures at First time Connection
Hi,
I have trouble with ISE 1.2 when trying to authenticate an end-device for the first time; this device might be a workstation, IP phone, printer, etc. It fails or stays in running mode. The result is the same: it cannot access the network. Hopefully I'm still in open mode :)
As I described in the beginning, everything has the status Running or Authz Failed, and after a period of time, usually one day, it finally succeeds.
This happens mostly for workstations and printers, but phones do not have the same behavior. I unplug/plug the phones or shut/no shut the ports in order to trigger them to succeed. For some phones this worked but others obstinately declined.
The phones, which are non-Cisco phones, authenticate with MD5 (a simple username and password); I think the problem should not be related to the auth protocol.
Below are some logs from one phone. Coming to a short conclusion, for me this must be related to the switches, which are 3750E (15.02 SE 4 IOS), or to the ISE itself, because I have almost the same behavior for all end-devices.
I kindly await your comments...
2169669: Apr 16 18:02:20.573 EEST: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/35, changed state to up
2169670: Apr 16 18:02:20.783 EEST: %DOT1X-5-FAIL: Authentication failed for client (0080.9f7d.3ddf) on Interface Gi1/0/34 AuditSessionID 0A114D0D0000D5E8855C01DE
2169671: Apr 16 18:02:20.791 EEST: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (0080.9f7d.3ddf) on Interface Gi1/0/34 AuditSessionID 0A114D0D0000D5E8855C01DE
S301#
2169672: Apr 16 18:02:20.992 EEST: %AUTHMGR-5-START: Starting 'dot1x' for client (0080.9f7d.3ddf) on Interface Gi1/0/34 AuditSessionID 0A114D0D0000D5F0855DE0EF
2169673: Apr 16 18:02:21.580 EEST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/35, changed state to up
S301#
2169674: Apr 16 18:02:24.289 EEST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/35, changed state to down
S301#
2169675: Apr 16 18:02:25.288 EEST: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/35, changed state to down
2169676: Apr 16 18:02:26.269 EEST: %AUTHMGR-5-START: Starting 'dot1x' for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
2169677: Apr 16 18:02:26.294 EEST: %DOT1X-5-FAIL: Authentication failed for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
2169678: Apr 16 18:02:26.294 EEST: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
2169679: Apr 16 18:02:26.303 EEST: %DOT1X-5-FAIL: Authentication failed for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
2169680: Apr 16 18:02:26.303 EEST: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
2169681: Apr 16 18:02:26.319 EEST: %DOT1X-5-FAIL: Authentication failed for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
2169682: Apr 16 18:02:26.319 EEST: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
2169683: Apr 16 18:02:26.319 EEST: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
2169684: Apr 16 18:02:26.319 EEST: %AUTHMGR-5-START: Starting 'mab' for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
2169685: Apr 16 18:02:26.328 EEST: %MAB-5-FAIL: Authentication failed for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
2169686: Apr 16 18:02:26.328 EEST: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
2169687: Apr 16 18:02:26.328 EEST: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
2169688: Apr 16 18:02:26.328 EEST: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
S301#
2169689: Apr 16 18:02:26.336 EEST: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
S301#
2169690: Apr 16 18:02:27.737 EEST: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/35, changed state to up
2169691: Apr 16 18:02:28.744 EEST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/35, changed state to up
Regards
T.C
I'm not using a certificate-based authentication method for any end-devices.
Workstations with the windows default authentication protocol EAP/MSCHAPv2
In front of them there are non Cisco IP-phones with auth. method EAP/MD5
Finally I also have some printers again with option EAP/MD5
For all of these devices I received the same behavior: after many hours they finally authenticated with ISE. But is this the expected behavior?
What I understand is that if the devices finally authenticated, then there isn't anything wrong with the method.
The points I don't understand are 3:
Why is there so much delay for all devices to authenticate?
Why do some devices, mostly IP phones (not all), continue to fail the authentication method? All my devices are identical, with the same software/patch, same model etc.
I have noticed randomly that some devices succeed one moment and fail the next.
So to my understanding there is abnormal behavior and I cannot find the way/pattern to correct it or to understand the reason :)
Port config
switchport access vlan xxx
switchport mode access
switchport voice vlan yyy
ip access-group ACL-ALLOW in
authentication event fail action next-method
authentication event server dead action reinitialize vlan xxx
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
no cdp enable
spanning-tree portfast
result template
Switch#sh auth sess int g1/0/46
Interface: GigabitEthernet1/0/46
MAC Address: xxxx.xxxx.xxxx
IP Address: xx.xxx.xx.xxx
User-Name: xxxxxxxxxxxx
Status: Authz Failed
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-domain
Oper control dir: both
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A114D0A00001972016208E1
Acct Session ID: 0x00001BB7
Handle: 0x6D0009B6
Runnable methods list:
Method State
dot1x Failed over
mab Failed over -
I am currently running ISE 1.1.3u1
Since I will basically have to redo my IPEPs to renew our SSL Certs, I am planning to just move up to 1.2.
Questions I have are:
Is there not a FULL install for 1.2u"latest"?
From my understanding I should be able to upgrade direct from 1.1.3 to 1.2 on my admin/policy/MnT node (VM) but my IPEPs will have to be totally recreated to move to 1.2. Is this correct?
Then once I am on 1.2, can I just jump to the latest update, or do I have to install each update one by one?
Something I just read made me think that the IPEPs won't be able to take the 1.2 patches, as in they will be stuck at 1.2.0.899 with no updates, is this correct?
This will definitely be my endgame.
But since this code just came out, I am not willing to jump direct to it, yet.
Also, I haven't found much documentation on how to make this transition, i.e., exactly what settings on the ASA will make it replace the IPN, and if any changes need to be made on the Admin/Policy/MnT server.
Then as soon as I make that transition, I will be able to rebuild the 3315 (have 2) to be failover between the two locations. -
Cisco ISE 1.2 to 1.3 upgrade
I am planning for an ISE upgrade from version 1.2 to 1.3. I have two nodes (primary admin and secondary monitoring in one box (ISE 3355), secondary admin and primary monitoring in the other (3315)) and 8 PSNs (all 3315).
My question is: after upgrading, when we are testing for failover of the HA pairs in both the nodes, are we going to face any technical complications because of the different model numbers? All nodes (2 + 8 = 10) are in different locations.
You must first upgrade the secondary Administration node to Release 1.3. For example, if you have a deployment set up as shown in the following figure, with one primary Administration node (node A), one secondary Administration node (node B), one Inline Posture node (IPN) (node C), and four Policy Service nodes (PSNs) (node D, node E, node F, and node G), one primary Monitoring node (node H), and one secondary Monitoring node (node I), you can proceed with the following upgrade procedure.
http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/upgrade_guide/b_ise_upgrade_guide_13/b_ise_upgrade_guide_chapter_01.html#ID20
Before You Begin : http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/upgrade_guide/b_ise_upgrade_guide_13/b_ise_upgrade_guide_13_chapter_011.html -
Dears,
We have 2 ISE servers. I configured wired, wireless, VPN and guest user authentication from the ISE server. All of them are working normally. Both ISE servers have the same image (ver 1.2). I deployed the ISE servers as HA. I registered the second ISE server at the primary ISE server. I attached the configuration files.
I want one ISE device to be primary (Administration, Monitoring and Policy are active in the primary ISE) and the other ISE server to be backup or standby (Administration, Monitoring and Policy are standby). When the primary ISE server goes down, then all AAA processing goes through the secondary ISE server (like redundancy on ASA).
Is it possible to configure? If yes, how do I do this configuration?
Thanks for your help.
ISE 1.2 does not have Automatic Failover for the Admin Nodes. If the primary node goes down, you have to manually promote the secondary node.
Until you promote the secondary, the deployment has very serious limitations:
So, you see, there is no true HA with Automatic Failover for ISE 1.2.
You have to have both ISE servers on anyway, and the Monitoring persona is the only one that does support Automatic Failover, so it really does make sense to deploy your nodes as noted here:
Node1: Admin (Primary), Monitoring (Secondary), Policy Service
Node2: Admin (Secondary), Monitoring (Primary), Policy Service
The notes I referenced can be found in the ISE 1.2 User Guide.
Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question. Otherwise, feel free to post follow-up questions.
Charles Moreton -
Is OpenLdap supported by Cisco ISE 1.2?
When I try "Test bind to server" I get results, so the connection seems fine. However, when I set up the policies for a basic WLAN with WPA2 authentication it says "Invalid password". When I put my username in the attributes folder it finds my id, so I'm sure the link is working fine.
Cisco ISE always uses the primary LDAP server to obtain groups and attributes for use in authorization policies from the Admin portal, so the primary LDAP server must be accessible when you configure these items. Cisco ISE uses the secondary LDAP server only for authentications and authorizations at run time, according to the failover configuration.
Cisco ISE retains a list of open LDAP connections (including the binding information) for each LDAP server that is configured in Cisco ISE. During the authentication process, the connection manager attempts to find an open connection from the pool. If an open connection does not exist, a new one is opened.
If the LDAP server closed the connection, the connection manager reports an error during the first call to search the directory, and tries to renew the connection. After the authentication process is complete, the connection manager releases the connection.
Please check the below link which can helpful for you:
http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_ui_reference_administration.html#wpxref71565 -
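The answer above describes three behaviours worth keeping apart when troubleshooting an "Invalid password" against an LDAP source: admin-portal lookups go to the primary only, run-time authentication fails over to the secondary, and a pooled connection that the server has silently closed produces an error on the first search and is then renewed. The following is an added model of exactly those rules (not Cisco's implementation, and the server/connection classes are constructed stand-ins so it runs offline); the role names "primary"/"secondary" and the attribute names are assumptions.

```python
"""Model of the LDAP connection-pool / failover behaviour described above.
Added illustration, not Cisco ISE code: the server and connection classes
are constructed stand-ins, and the role names are assumptions."""


class LdapClosed(Exception):
    """The directory server closed a pooled connection on its side."""


class FakeLdapConnection:
    """Constructed stand-in for an open LDAP connection."""

    def __init__(self, server):
        self.server = server
        self.dropped = False  # set True to simulate a server-side close

    def search(self, base, flt):
        if self.dropped:
            raise LdapClosed(f"{self.server.name} closed the connection")
        # A real client would return directory entries; here we record who answered.
        return [{"dn": f"uid=alice,{base}", "filter": flt,
                 "served_by": self.server.name}]


class FakeLdapServer:
    """Constructed stand-in for a directory server that can become unreachable."""

    def __init__(self, name):
        self.name = name
        self.reachable = True
        self.opened = 0  # number of connections opened against this server

    def open(self):
        if not self.reachable:
            raise OSError(f"{self.name}: connection refused")
        self.opened += 1
        return FakeLdapConnection(self)


class ConnectionManager:
    """Pool of open connections per server, with renew-on-close and
    primary-then-secondary failover for run-time authentication only."""

    def __init__(self, primary, secondary):
        self.servers = {"primary": primary, "secondary": secondary}
        self.pool = {"primary": [], "secondary": []}

    def _acquire(self, role):
        # Reuse an idle pooled connection if there is one, else open a new one.
        if self.pool[role]:
            return self.pool[role].pop()
        return self.servers[role].open()

    def search(self, role, base, flt):
        conn = self._acquire(role)
        try:
            result = conn.search(base, flt)
        except LdapClosed:
            # First call on a stale connection fails; renew it and retry once.
            # If the renew itself fails (OSError) the stale connection is not
            # returned to the pool and the error propagates to the caller.
            conn = self.servers[role].open()
            result = conn.search(base, flt)
        self.pool[role].append(conn)  # release back to the pool
        return result

    def runtime_auth(self, base, flt):
        """Authentication/authorization at run time: fail over to the
        secondary when the primary cannot be reached."""
        for role in ("primary", "secondary"):
            try:
                return self.search(role, base, flt)
            except OSError:
                continue
        raise RuntimeError("no LDAP server reachable")

    def admin_groups(self, base, flt):
        """Admin-portal group/attribute fetch: primary only, no failover."""
        return self.search("primary", base, flt)


if __name__ == "__main__":
    primary, secondary = FakeLdapServer("ldap-primary"), FakeLdapServer("ldap-secondary")
    cm = ConnectionManager(primary, secondary)
    print(cm.runtime_auth("dc=example,dc=com", "(uid=alice)")[0]["served_by"])
    primary.reachable = False
    cm.pool["primary"][0].dropped = True
    print(cm.runtime_auth("dc=example,dc=com", "(uid=alice)")[0]["served_by"])
```

Two consequences follow from the model: a pooled connection can keep serving after the primary has gone unreachable until the server-side close is noticed, and an admin-portal operation such as fetching groups has no second server to fall back on, which is why an "Invalid password" at run time and a working "Test bind" in the portal can coexist.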
ISE does not register nodes - (blank pop-up window)
Hello everyone !
There is Cisco ISE 1.1.4.218 (all 8 patches) consisting of 6 nodes (2 admin, 2 monitoring, 2 policy) on virtual machines.
When testing failover between policy nodes, one of the policy nodes was removed from the deployment scheme. The result of attempting to register this node is a blank warning pop-up window; the registration progress stops without registration of the policy node (screenshot in attachment). The same thing happens when I try to register a secondary monitoring node (that was removed earlier, as in the case with the policy node). I also attach a portion of the log file taken from the admin node (CLI) at the moment of the attempts to register the policy/monitoring nodes.
DNS is OK (defined on both sides), all certificates are valid.
Maybe somebody has already encountered a similar error?
Sincerely,
Andrey
Please check the following prerequisites:
•The fully qualified domain name (FQDN) of the standalone node that you are going to register, for example, ise1.cisco.com must be DNS-resolvable from the primary Administration ISE node. Otherwise, node registration will fail. You must enter the IP addresses and FQDNs of the ISE nodes that are part of your distributed deployment in the DNS server.
•The primary Administration ISE node and the standalone node that you are about to register as a secondary node should be running the same version of Cisco ISE.
•Node registration fails if you provide the default credentials (username: admin, password: cisco) while registering a secondary node. Before you register a standalone node, you must log into its administrative user interface and change the default password (cisco).
•You can alternatively create an administrator account on the node that is to be registered and use those credentials for registering that node. Every ISE administrator account is assigned one or more administrative roles. To register and configure a secondary node, you must have one of the following roles assigned: Super Admin, System Admin, or RBAC Admin. See Cisco ISE Admin Group Roles and Responsibilities for more information on the various administrative roles and the privileges associated with each of them.
•If you plan to register a secondary Administration ISE node for high availability, we recommend that you register the secondary Administration ISE node with the primary first before you register other Cisco ISE nodes. If Cisco ISE nodes are registered in this sequence, you do not have to restart the secondary ISE nodes after you promote the secondary Administration ISE node as your primary.
•If you plan to register multiple Policy Service ISE nodes running Session services and you require mutual failover among those nodes, you must place the Policy Service ISE nodes in a node group. You must create the node group first before you register the nodes because you need to select the node group to be used on the registration page. See "Creating, Editing, and Deleting Node Groups" section for more information.
•Ensure that the Certificate Trust List (CTL) of the primary node is populated with the appropriate Certificate Authority (CA) certificates that can be used to validate the HTTPS certificate of the standalone node (that you are going to register as the secondary node). See the "Creating Certificate Trust Lists in the Primary Cisco ISE Node" section on page 12-24 for more information.
•After registering your secondary node to the primary node, if you change the HTTPS certificate on the registered secondary node, you must obtain appropriate CA certificates that can be used to validate the secondary node's HTTPS certificate and import it to the CTL of the primary node. See "Creating Certificate Trust Lists in the Primary Cisco ISE Node" section on page 12-24 for more information. -
About ISE 802.1X question!
Today my colleagues and I deployed ISE and found the following question.
Sometimes, under the same interface, one user's authentication and authorization succeed while another user's authentication and authorization are not successful. If I restart ISE it becomes normal.
Why is that?
Two ISE nodes, distributed deployment.
I tested redundancy. I shut down the main equipment, and got the following error:
LOG:==============================================
The normal time:
6509-vss#show authentication sessions interface g1/9/36
Interface: GigabitEthernet1/9/36
MAC Address: 0021.cc68.a63e
IP Address: 172.30.60.11
User-Name: daiyue
Status: Authz Success
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: N/A
ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-51ef7db1
Session timeout: N/A
Idle timeout: N/A
Common Session ID: AC1E3C02000000410155DA40
Acct Session ID: 0x0000006C
Handle: 0x73000041
Runnable methods list:
Method State
mab Failed over
dot1x Authc Success
Interface: GigabitEthernet1/9/36
MAC Address: 0026.2df8.a25f
IP Address: 172.30.60.10
User-Name: daiyue
Status: Authz Success
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: N/A
ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-51ef7db1
Session timeout: N/A
Idle timeout: N/A
Common Session ID: AC1E3C02000000400154E52C
Acct Session ID: 0x0000006D
Handle: 0x91000040
Runnable methods list:
Method State
mab Failed over
dot1x Authc Success
When there is a problem:
6509-vss#
Feb 27 2014 17:43:11: %DOT1X-5-FAIL: Authentication failed for client (0021.cc68.a63e) on Interface Gi1/9/36
Feb 27 2014 17:43:11: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (0021.cc68.a63e) on Interface Gi1/9/36
Feb 27 2014 17:43:11: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (0021.cc68.a63e) on Interface Gi1/9/36
Feb 27 2014 17:43:11: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (0021.cc68.a63e) on Interface Gi1/9/36
Feb 27 2014 17:43:11: %AUTHMGR-5-FAIL: Authorization failed for client (0021.cc68.a63e) on Interface Gi1/9/36
Feb 27 2014 17:47:52: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (0026.2df8.a25f) on Interface Gi1/9/36
Feb 27 2014 17:47:52: %AUTHMGR-5-START: Starting 'dot1x' for client (0026.2df8.a25f) on Interface Gi1/9/36
Feb 27 2014 17:48:02: %DOT1X-5-FAIL: Authentication failed for client (0021.cc68.a63e) on Interface Gi1/9/36
Feb 27 2014 17:48:02: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (0021.cc68.a63e) on Interface Gi1/9/36
Feb 27 2014 17:48:02: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (0021.cc68.a63e) on Interface Gi1/9/36
Feb 27 2014 17:48:02: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (0021.cc68.a63e) on Interface Gi1/9/36
Feb 27 2014 17:48:02: %AUTHMGR-5-FAIL: Authorization failed for client (0021.cc68.a63e) on Interface Gi1/9/36
Feb 27 2014 17:48:20: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
Feb 27 2014 17:48:20: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.
Feb 27 2014 17:48:25: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
Feb 27 2014 17:48:25: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.
Feb 27 2014 17:48:29: %DOT1X-5-SUCCESS: Authentication successful for client (0026.2df8.a25f) on Interface Gi1/9/36
Feb 27 2014 17:48:29: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (0026.2df8.a25f) on Interface Gi1/9/36
Feb 27 2014 17:48:29: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 0026.2df8.a25f| AuditSessionID AC1E3C020000004D01CCB640| AUTHTYPE DOT1X| EVENT APPLY
Feb 27 2014 17:48:29: %EPM-6-IPEVENT: IP 0.0.0.0| MAC 0026.2df8.a25f| AuditSessionID AC1E3C020000004D01CCB640| AUTHTYPE DOT1X| EVENT IP-WAIT
Feb 27 2014 17:48:30: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0026.2df8.a25f) on Interface Gi1/9/36
Feb 27 2014 17:48:34: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
Feb 27 2014 17:48:34: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.
6509-vss(config-if)#
6509-vss(config-if)#
Feb 27 2014 17:48:49: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
Feb 27 2014 17:48:49: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.
Feb 27 2014 17:49:02: %AUTHMGR-5-START: Starting 'mab' for client (0021.cc68.a63e) on Interface Gi1/9/36
Feb 27 2014 17:49:13: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
Feb 27 2014 17:49:13: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.
Feb 27 2014 17:49:18: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
Feb 27 2014 17:49:18: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.
Feb 27 2014 17:49:21: %MAB-5-FAIL: Authentication failed for client (0021.cc68.a63e) on Interface Gi1/9/36
Feb 27 2014 17:49:21: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (0021.cc68.a63e) on Interface Gi1/9/36
Feb 27 2014 17:49:21: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (0021.cc68.a63e) on Interface Gi1/9/36
Feb 27 2014 17:49:21: %AUTHMGR-5-START: Starting 'dot1x' for client (0021.cc68.a63e) on Interface Gi1/9/36
Feb 27 2014 17:49:23: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
Feb 27 2014 17:49:23: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.
6509-vss(config-if)#end
6509-vss#show
Feb 27 2014 17:49:27: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
Feb 27 2014 17:49:27: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.authen
6509-vss#show authentication
Feb 27 2014 17:49:28: %SYS-5-CONFIG_I: Configured from console by consolese
6509-vss#show authentication sessions int
6509-vss#show authentication sessions interface g1/9/36
Interface: GigabitEthernet1/9/36
MAC Address: 0021.cc68.a63e
IP Address: Unknown
User-Name: 0021cc68a63e
Status: Running
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Idle timeout: N/A
Common Session ID: AC1E3C020000004E01CCCA18
Acct Session ID: 0x00000086
Handle: 0x7300004E
Runnable methods list:
Method State
mab Failed over
dot1x Running
Interface: GigabitEthernet1/9/36
MAC Address: 0026.2df8.a25f
IP Address: Unknown
User-Name: shenshu
Status: Authz Success
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: N/A
Session timeout: N/A
Idle timeout: N/A
Common Session ID: AC1E3C020000004D01CCB640
Acct Session ID: 0x00000089
Handle: 0xB400004D
Runnable methods list:
Method State
mab Not run
dot1x Authc Success
LOG:============================================
Please consider the order of authentication method failover, described here:
http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-service/application_note_c27-573287.html#wp9000028
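To pull the method-failover order and the RADIUS dead/alive flapping out of a switch log like the one quoted above, here is an added Python example (not from the thread and not Cisco code) that groups the %AUTHMGR results per client MAC and counts RADIUS_DEAD events per server, so that a chain of 'no-response' results during a server outage is not mistaken for a credential failure. The sample lines are constructed to match the quoted log formats; the threshold of two DEAD events is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the 6509 log quoted in the post above (same
# message formats, MACs, interface and RADIUS server; not the full original log).
SAMPLE_LOG = """\
Feb 27 2014 17:48:29: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (0026.2df8.a25f) on Interface Gi1/9/36
Feb 27 2014 17:49:02: %AUTHMGR-5-START: Starting 'mab' for client (0021.cc68.a63e) on Interface Gi1/9/36
Feb 27 2014 17:49:13: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
Feb 27 2014 17:49:13: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.
Feb 27 2014 17:49:21: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (0021.cc68.a63e) on Interface Gi1/9/36
Feb 27 2014 17:49:21: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (0021.cc68.a63e) on Interface Gi1/9/36
Feb 27 2014 17:49:21: %AUTHMGR-5-START: Starting 'dot1x' for client (0021.cc68.a63e) on Interface Gi1/9/36
Feb 27 2014 17:49:23: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
"""

START_RE = re.compile(r"%AUTHMGR-5-START: Starting '(?P<method>\w+)' for client \((?P<mac>[0-9a-f.]+)\)")
RESULT_RE = re.compile(
    r"%AUTHMGR-7-RESULT: Authentication result '(?P<result>[^']+)' from '(?P<method>\w+)' "
    r"for client \((?P<mac>[0-9a-f.]+)\)")
RADIUS_RE = re.compile(r"%RADIUS-4-RADIUS_(?P<state>DEAD|ALIVE): RADIUS server (?P<server>[\d.]+):")

def analyze(log_text):
    """Per client MAC: ordered (method, result) pairs; per RADIUS server: DEAD event count."""
    methods, dead = defaultdict(list), defaultdict(int)
    for line in log_text.splitlines():
        if m := START_RE.search(line):
            methods[m["mac"]].append([m["method"], "running"])
        elif m := RESULT_RE.search(line):
            seq = methods[m["mac"]]
            if seq and seq[-1][0] == m["method"] and seq[-1][1] == "running":
                seq[-1][1] = m["result"]                 # close out the method that was started
            else:
                seq.append([m["method"], m["result"]])   # result whose START fell outside the window
        elif (m := RADIUS_RE.search(line)) and m["state"] == "DEAD":
            dead[m["server"]] += 1
    return {k: [tuple(e) for e in v] for k, v in methods.items()}, dict(dead)

def server_side_failures(log_text, dead_threshold=2):
    """Clients that only ever got 'no-response' while some RADIUS server went DEAD at least
    dead_threshold times (assumed threshold): points at server reachability, not credentials."""
    methods, dead = analyze(log_text)
    if max(dead.values(), default=0) < dead_threshold:
        return []
    return sorted(mac for mac, seq in methods.items()
                  if any(r == "no-response" for _, r in seq)
                  and all(r in ("no-response", "running") for _, r in seq))
```

On the constructed sample, 0021.cc68.a63e is reported (mab got no-response and dot1x is still running while the server flapped twice) and 0026.2df8.a25f, which authenticated successfully, is not.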