ISE Primary/Secondary max latency

BrendanGrieve
Level 1

Hi There,

My understanding is that you can run ISE with one node set as primary and zero or more nodes set as secondary, with the secondaries located closer to the end points.

1. Does this mean the local users closest to a secondary node will authenticate against it rather than hitting the primary?

2. What if the delay between primary and secondary is larger, say 700ms-1000ms. Is this going to flap and desync?

Thanks,

Brendan

Accepted Solution

Sandeep Choudhary
VIP Alumni

Yes, you can have primary and secondary ISE nodes in your distributed environment.

A Cisco ISE node can provide various services based on the persona that it assumes. Each node in a deployment, with the exception of the Inline Posture node, can assume the Administration, Policy Service, and Monitoring personas. In a distributed deployment, you can have the following combination of nodes on your network:

Primary and secondary Administration nodes for high availability

A pair of Monitoring nodes for automatic failover

One or more Policy Service nodes for session failover

A pair of Inline Posture nodes for high availability

1. No. As per my understanding, all your clients authenticate with the primary ISE.

2. When the primary ISE is down:

When the primary Administration ISE node becomes unavailable, we must log into the secondary Administration ISE node and promote it to become the primary Administration ISE node. There is no automatic failover for the Administration ISE node (this is what "high availability" means here).

In case the primary Monitoring ISE node goes down, the secondary Monitoring ISE node automatically becomes the primary Monitoring ISE node.

Regards



Thanks for the quick answer.

Scott Fella
Hall of Fame

Just to add. If this was for wireless....

1. Does this mean the local users closest to a secondary node will authenticate against it rather than hitting the primary?

> The WLC would send the RADIUS packet to the primary AAA server you have configured unless it doesn't receive a response back in time, in which case it will fail over to the secondary. So it will not send packets to the closer one unless the close ISE policy node is set as the primary.

2. What if the delay between primary and secondary is larger, say 700ms-1000ms. Is this going to flap and desync?

> This follows from the first question. Those are high latencies!!! You would have to increase your EAP timers on the WLC, or else you would see "RADIUS server failed to respond" and clients would not join.

If you have policy servers across the "pond", not a good idea at all. You can have separate policy nodes for a given region as long as your latency is low. With high latency, you will introduce a lot of issues.

Just my two cents

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Hi Scott,

Please correct me if I am wrong. According to my understanding, in ISE there is no primary or secondary (other than our perception of how we see them when in deployment).

Primary is the only one where we can make changes, secondary we cannot. Other than this no difference.

Say on the WLC, if we configure the so-called secondary as the first authentication server, the request will go to the secondary server for authentication. If we have configured the primary as the second IP address in the WLC, then if the secondary is not reachable the request will go to the so-called primary in this case.

Thanks

Best Regards,

Rakesh

Please correct me if I am wrong. According to my understanding, in ISE there is no primary or secondary (other than our perception of how we see them when in deployment).

> There is a Primary and Backup node. The primary is where you do all your configuration and it's synced to the backup.

Primary is the only one where we can make changes, secondary we cannot. Other than this no difference.

> Yes that is correct

Say on the WLC, if we configure the so-called secondary as the first authentication server, the request will go to the secondary server for authentication. If we have configured the primary as the second IP address in the WLC, then if the secondary is not reachable the request will go to the so-called primary in this case.

> Yes, that is the case. There is a fallback option also, to fall back to the primary if it becomes available. This is all done on the WLC. With such high latency, you need to increase your EAP timers, but then again, if packets get dropped or come in out of order, the WLC will determine that the primary is unavailable. This can happen also if the secondary is the one being used. So in the end, authentication can fail and the WLC can be switching back and forth.

Thanks,

Scott

-Scott
*** Please rate helpful posts ***
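As an added illustration of the failover and timer behaviour Scott describes above (the WLC tries the servers in its configured order, retransmits after a timeout, marks a server dead and moves on, and optionally falls back to the first one), here is a small simulation written for this page. It is not Cisco code, it is not from any poster in the thread, and it does not reproduce the WLC's actual timer defaults: the round-trip times, the 1 s / 3 s timeouts, the single retransmit and the 5 s dead time are constructed values chosen to show the effect, and the `fallback` flag is a simplification of the WLC's fallback option.

```python
import itertools

# Constructed round-trip times (ms) for two RADIUS servers; None = lost packet.
# "far" sits behind the 700-1000 ms link the thread describes, "near" is local.
# These are made-up samples, not measurements.
FAR_RTTS = [900, 1100, None, 850, 1300, 1200, 950]
NEAR_RTTS = [20]


class RadiusServer:
    """A server as seen from the NAS: each attempt consumes one RTT sample."""

    def __init__(self, name, rtts_ms):
        self.name = name
        self._rtts = itertools.cycle(rtts_ms)
        self.dead_until_ms = 0.0   # NAS skips this server until this clock value

    def respond(self):
        return next(self._rtts)


class NasRadiusClient:
    """Ordered-server-list failover in the style of a WLC (simplified: one
    timeout per attempt, a fixed retransmit count, then a dead time)."""

    def __init__(self, servers, timeout_ms, retries, deadtime_ms, fallback):
        self.servers = servers
        self.timeout_ms = timeout_ms    # wait before retransmitting (assumed value)
        self.retries = retries          # retransmits before marking the server dead
        self.deadtime_ms = deadtime_ms  # how long a dead server is skipped
        self.fallback = fallback        # True: always try the first server again
        self.active = 0                 # server the NAS sticks to when fallback is off

    def authenticate(self, now_ms):
        """Return (name of the server that answered or None, ms the request took)."""
        order = list(range(len(self.servers)))
        if not self.fallback:
            order = order[self.active:] + order[:self.active]
        elapsed = 0.0
        for idx in order:
            srv = self.servers[idx]
            if srv.dead_until_ms > now_ms:
                continue                        # still inside dead time, skip it
            for _ in range(self.retries + 1):
                rtt = srv.respond()
                if rtt is not None and rtt <= self.timeout_ms:
                    elapsed += rtt
                    self.active = idx
                    return srv.name, elapsed
                elapsed += self.timeout_ms      # waited the whole timeout, retransmit
            # every attempt timed out: mark the server dead and try the next one
            srv.dead_until_ms = now_ms + elapsed + self.deadtime_ms
        return None, elapsed


def run_scenario(timeout_ms, retries=1, fallback=True, n=7, interval_ms=2000,
                 deadtime_ms=5000):
    """Send n authentications interval_ms apart; return [(server, elapsed_ms), ...]."""
    nas = NasRadiusClient(
        [RadiusServer("far", FAR_RTTS), RadiusServer("near", NEAR_RTTS)],
        timeout_ms, retries, deadtime_ms, fallback)
    return [nas.authenticate(i * interval_ms) for i in range(n)]


if __name__ == "__main__":
    scenarios = [
        ("1 s timeout, fallback on", dict(timeout_ms=1000)),
        ("3 s timeout, fallback on", dict(timeout_ms=3000)),
        ("1 s timeout, fallback off", dict(timeout_ms=1000, fallback=False)),
    ]
    for label, kwargs in scenarios:
        print(label)
        for i, (srv, ms) in enumerate(run_scenario(**kwargs)):
            print(f"  auth {i}: answered by {srv!s:5} after {ms:6.0f} ms")
```

With the 1 s timeout, the far server's 900-1300 ms replies trip the timer on the second request: the NAS marks it dead, moves to the near server, returns to the far one when the dead time expires and fails again. That is the flapping the thread warns about, and each flap costs the supplicant two full timeouts before it gets an answer. Raising the timeout to 3 s keeps every request on the far server, but a single lost packet then turns into a 3.85 s authentication, which is why the EAP timers on the WLC have to grow with the RADIUS timeout. Turning fallback off stops the flapping by leaving the NAS on the near server once it has moved there.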

Thanks Scott,

I'm looking at a scenario where a central site (already running ISE) has multiple (very) remote sites that are across painful connections. Hence the 700-1000ms pings.

My feeling is that ISE is not going to be a good fit here unless they run a standalone at each site but still authenticate against a primary RADIUS.

That would be my feeling also. If the RADIUS packet is out of order due to latency, that is a reject or a failure of the RADIUS server to respond, and the client will not be authenticated. Your design might have to include separate ISE policy nodes at these locations just so that you can still authenticate users, or profile if that's what you are doing.

-Scott
*** Please rate helpful posts ***

Don't the policy nodes still need to communicate with the primary node, and thus the long delay may affect the communication between them?

i.e.:

[primary node] ----- slow link ----- [policy node]
        |                                  |
[RADIUS server]-/                      \- [clients]

Ideally, I'd like a local policy node at the remote sites, such that communication between the clients and it is negligible, but communication between the policy node and 'head office' is more resilient to a slow link. However, without a lab I'm just unsure if this is a viable solution or not.

Yes, there are requirements for ISE as well. I was looking at ISE being primary and not set up as backup. You can have multiple policy servers as primary, but it comes down to cost. Take ISE out of it and look at it as if you were using NPS or maybe ACS. These still have to communicate with AD, so backup domain controllers at each site might also be required.

-Scott
*** Please rate helpful posts ***

I really appreciate the answers Scott. I think you've confirmed my thoughts that ISE is a bad fit in this case and that something simpler (like NPS) is going to be more effective at those sites.

Cheers,

Brendan

Hi Scott,

Does WLC make the secondary ISE as active if primary has high authentication latency? 

Thanks!
