Authentication switches to secondary ISE even though primary ISE is up

Mady
Level 4

Hi,

Do you have any Cisco documentation on the reasons/factors why authentications switch from the primary to the secondary ISE even though the primary is still up and running?

Thanks!

3 Replies

Hi Mady

First, check whether the primary ISE is configured as the first RADIUS server in the switch or WLC.

If the NAD is a switch, check your RADIUS server dead criteria via "radius-server dead-criteria time X tries Y" and see whether it is too aggressive, marking the ISE node as down and moving to the next RADIUS server (typically you would see syslog messages for this). This mostly happens when your PSN nodes are behind a load balancer with short timeout values and a lot of authentication requests.

If it is a WLC, then you have to check the failover configured on the WLC. If it is set to off, then once the WLC fails over to the secondary ISE it would never try the primary ISE again until the secondary ISE fails (or through manual configuration).

This is on the assumption that the communication path between the NAD (switch, WLC or ASA) and the primary ISE node is fine, with no blocking or WAN congestion.

Please elaborate more on the exact issue, NAD type and version, and ISE version.

Hi Mohamed,

It is a WLC; unfortunately the fallback is configured off. The primary ISE is configured as the primary RADIUS server on the WLC.

We just want to know why the RADIUS server switched to the secondary ISE; we can't remember any issue on the primary ISE that made the WLC switch the authentication to the secondary.

Are there logs that we can gather from the WLC?

Thanks!

Hi Mady

We just want to know why the RADIUS server switched to the secondary ISE; we can't remember any issue on the primary ISE that made the WLC switch the authentication to the secondary.

That is a challenging question to ask, but it could be due to the default RADIUS server timeout of 2 sec, which could be fairly aggressive if the primary ISE is heavily overloaded with authentication requests.
I would recommend increasing the server timeout to between 5 and 10 sec via GUI or CLI.

config radius auth disable <index>
config radius auth retransmit-timeout <index> <seconds>
config radius auth enable <index>

This could also be due to the aggressive failover feature on the WLC (which is enabled by default), which marks the RADIUS server as down immediately after one failed response. Disabling this feature would force the WLC to only fail over to the next RADIUS server if three consecutive clients fail to receive a response from the RADIUS server.

config radius aggressive-failover disable

To see the current state, use:
show radius summary

Use these two options and monitor to see if it keeps failing over to the secondary one.
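To make the two replies above concrete, here is an added example (not from the thread or from Cisco) that models the WLC's server-selection behaviour as the replies describe it: a response slower than the retransmit timeout counts as a failure, aggressive failover marks the server down after one failure while the non-aggressive mode waits for three distinct clients to fail, and with fallback off the WLC keeps using the secondary after the primary recovers. The class and function names, the constructed event stream and the "recover" step are assumptions for illustration; the real WLC fallback modes (passive/active probing) are simplified to an on/off flag.

```python
"""Constructed model of WLC RADIUS failover behaviour as described in the thread.

Not WLC code: timeout, aggressive-failover and fallback are modelled as the replies
explain them, so the effect of each setting can be compared on the same inputs.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class RadiusServer:
    name: str
    alive: bool = True
    # Distinct clients that got no timely answer since the last successful response.
    failed_clients: List[str] = field(default_factory=list)


@dataclass
class WlcRadiusModel:
    servers: List[RadiusServer]        # ordered like the WLC auth server list (index 1 first)
    timeout_s: float = 2.0             # "retransmit-timeout"; 2 s default per the reply (assumed)
    aggressive_failover: bool = True   # "aggressive-failover"; enabled by default per the reply
    fallback: bool = False             # WLC RADIUS fallback; the thread has it off
    current: int = 0                   # index of the server currently in use
    trace: List[str] = field(default_factory=list)

    def _fail_over(self, server: RadiusServer) -> None:
        server.alive = False
        self.trace.append(f"{server.name} marked down")
        for step in range(1, len(self.servers)):
            idx = (self.current + step) % len(self.servers)
            if self.servers[idx].alive:
                self.current = idx
                self.trace.append(f"failed over to {self.servers[idx].name}")
                return
        self.trace.append("no live RADIUS server left")

    def recover(self, name: str) -> None:
        """Hypothetical step: the named server is healthy again."""
        for srv in self.servers:
            if srv.name == name:
                srv.alive, srv.failed_clients = True, []

    def authenticate(self, client: str, delay_s: Optional[float]) -> Tuple[str, str]:
        """Return (server used, 'ok' | 'timeout'); delay_s=None means no answer at all."""
        if self.fallback:  # with fallback on, prefer the highest-priority live server
            for idx in range(self.current):
                if self.servers[idx].alive:
                    self.current = idx
                    self.trace.append(f"fell back to {self.servers[idx].name}")
                    break
        server = self.servers[self.current]
        if delay_s is not None and delay_s <= self.timeout_s:
            server.failed_clients.clear()
            return server.name, "ok"
        if client not in server.failed_clients:
            server.failed_clients.append(client)
        # Aggressive: one failed response; non-aggressive: three consecutive clients.
        if len(server.failed_clients) >= (1 if self.aggressive_failover else 3):
            self._fail_over(server)
        return server.name, "timeout"


# Constructed event stream: (client, seconds until the overloaded primary answered).
EVENTS = [("client-A", 1.2), ("client-A", 3.5), ("client-B", 3.1),
          ("client-C", 0.8), ("client-D", 1.0)]


def run_scenario(timeout_s: float, aggressive: bool, fallback: bool = False):
    wlc = WlcRadiusModel([RadiusServer("ISE-primary"), RadiusServer("ISE-secondary")],
                         timeout_s=timeout_s, aggressive_failover=aggressive, fallback=fallback)
    results = []
    for client, delay in EVENTS:
        # In this scenario only the primary is slow; the secondary answers promptly.
        if wlc.servers[wlc.current].name == "ISE-secondary":
            delay = 0.3
        results.append((client,) + wlc.authenticate(client, delay))
    return results, wlc


def server_used_after_primary_recovers(fallback: bool) -> str:
    """Which server handles the next client once the primary is healthy again."""
    _, wlc = run_scenario(2.0, True, fallback)
    wlc.recover("ISE-primary")
    return wlc.authenticate("client-E", 0.5)[0]


if __name__ == "__main__":
    for label, args in (("2s timeout, aggressive", (2.0, True)),
                        ("2s timeout, non-aggressive", (2.0, False)),
                        ("5s timeout, aggressive", (5.0, True))):
        results, wlc = run_scenario(*args)
        print(label, [f"{c}:{s}:{o}" for c, s, o in results], wlc.trace)
    for fb in (False, True):
        print("fallback", fb, "->", server_used_after_primary_recovers(fb))
```

With the defaults (2 s timeout, aggressive failover, fallback off) a single 3.5 s answer from an overloaded primary moves every later client to the secondary and nothing brings them back; the same stream with either a longer timeout or aggressive failover disabled never leaves the primary, which is why the reply suggests changing those two settings and watching "show radius summary".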