Sunday, September 20, 2020

Cisco WLC/ISE radius authentication behavior

I was troubleshooting an issue with Cisco this past week involving an issue with the guest wireless solution we have which is Cisco based. We have the foreign controller in the data center along with the anchor in the internet DMZ. We also then have regional ISE clusters [two ISE nodes behind a load-balancer] which the WLC would use to determine if they entered the correct credentials.

As we were troubleshooting, I saw a behavior that I had seen in the past, which is that in ISE I can see these authentications coming in from ISE nodes around the globe. You would think that the WLC would stick with the primary radius server and NOT leave it unless it went down. In order for the primary radius server to go down, the load balancer would have to fail or both ISE nodes would have to fail in the local data center.

Why the hell is the WLC bothering with radius servers halfway across the globe??? I posed this question to the Cisco engineer and they said "yeah unfortunately there's no way to force it to just one radius server...". So we had to sit there and run debugs waiting for the connection attempt to come through the nodes we were monitoring.

This seems a bit asinine to me honestly. Isn't there a way to tell the WLC to ONLY use the local ISE nodes for radius and NOT the ones in Europe UNLESS the local ones go down hard?
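One way to spot this behavior without sitting on debugs is to check, per WLC, which ISE node answered each authentication and whether a local node was still answering at the same time. This is an added example, not code from the post or from Cisco; the log layout, node names and IP addresses are constructed assumptions.

```python
"""Flag RADIUS authentications a WLC sent to ISE nodes outside its local cluster."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: timestamp, WLC (NAS) IP, ISE node that handled the auth.
# Layout, names and addresses are assumptions, not a real ISE export.
SAMPLE_LOG = """\
2020-09-17T10:00:01 10.1.1.5 ise-dc1-a
2020-09-17T10:00:04 10.1.1.5 ise-dc1-b
2020-09-17T10:00:09 10.1.1.5 ise-eu1-a
2020-09-17T10:00:12 10.1.1.5 ise-dc1-a
2020-09-17T10:30:00 10.1.1.5 ise-eu1-b
2020-09-17T10:30:05 10.1.1.5 ise-eu1-a
"""

# Which ISE nodes count as "local" for each WLC (assumed mapping).
LOCAL_NODES = {"10.1.1.5": {"ise-dc1-a", "ise-dc1-b"}}


def parse(text):
    """Turn the whitespace-separated sample lines into (timestamp, nas, node) tuples."""
    rows = []
    for line in text.splitlines():
        ts, nas, node = line.split()
        rows.append((datetime.fromisoformat(ts), nas, node))
    return rows


def remote_auths(rows, local_nodes, window=timedelta(minutes=5)):
    """Return auths handled by a non-local node, tagged with local_alive=True when a
    local node also answered the same WLC within +/- window (so this was not an outage)."""
    by_nas = defaultdict(list)
    for ts, nas, node in rows:
        by_nas[nas].append((ts, node))
    findings = []
    for nas, events in by_nas.items():
        local = local_nodes.get(nas, set())
        local_times = [ts for ts, node in events if node in local]
        for ts, node in events:
            if node in local:
                continue
            local_alive = any(abs(ts - lt) <= window for lt in local_times)
            findings.append({"nas": nas, "node": node, "ts": ts, "local_alive": local_alive})
    return findings


if __name__ == "__main__":
    for f in remote_auths(parse(SAMPLE_LOG), LOCAL_NODES):
        print(f)
```

A finding with local_alive=True is the case described in the post: the WLC reached a remote node while its local cluster was still answering.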
