Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
513
Views
0
Helpful
3
Replies

pair of replicated ODBC ID sources (HA) - managing unreachable server scenario

Go to solution
clandrai
Cisco Employee
Cisco Employee

‎07-22-2019 02:35 AM

Hello,

 

This setup uses a pair of SQL DB with replication, each server is setup as separated ODBC ID source in ISE (2.3 patch 6). Policies are made so that if attributes can't get retrieved from ODBC1, ODBC2 source would be used instead (OR condition or doubled rules).

 

Problem: If one ODBC server fails, the rule will be impacted by a connection timeout, sometime leading to radius timeout with the NAD - and this for each authentication request.

 

Question: IS there an attribute similar to the MDM.isServerReachable that could be used to detect one server failure condition?

Alternatively, is there a plan to provide some HA, or which way is recommended at the server-side (unsure if MS SQL provides some way of HA)?

 

Many thanks in advance.

Christophe

1 person had this problem
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
clandrai
Cisco Employee
Cisco Employee
In response to hslai

‎07-23-2019 12:31 AM

Thanks for your reply, of course using a reachability attribute is just a possible way, whatever helps handling the loss and recovery of one server in a redundant setup is welcome - we will check what the SQL infra can offer, as well as solutions based on SQL clustering or load-balancers.

 

Thanks and regards,

Christophe

View solution in original post

0 Helpful
3 Replies 3

Go to solution
hslai
Cisco Employee
Cisco Employee

‎07-22-2019 06:13 AM

ISE is not currently supporting an attribute to check for ODBC availability. Please connect with our PM team directly, due to No Comment on Roadmaps or Fixes in this forum.

0 Helpful

Go to solution
Armen V.
Level 1
Level 1
In response to hslai

‎07-22-2019 08:22 PM

Microsoft has implemented a connection string parameter to activate failover within the client called "MultiSubnetFailover". It seems however that there is no way to enter in that parameter within the ISE ODBC configuration.

https://docs.microsoft.com/en-us/sql/connect/odbc/dsn-connection-string-attribute?view=sql-server-ver15

 

We don't have control over connection string parameters to enable this within ISE, even assuming the driver underlying ISE is the microsoft-developed one.

0 Helpful

Go to solution
clandrai
Cisco Employee
Cisco Employee
In response to hslai

‎07-23-2019 12:31 AM

Thanks for your reply, of course using a reachability attribute is just a possible way, whatever helps handling the loss and recovery of one server in a redundant setup is welcome - we will check what the SQL infra can offer, as well as solutions based on SQL clustering or load-balancers.

 

Thanks and regards,

Christophe

0 Helpful
Customers Also Viewed These Support Documents