Network Access Control

Hi, all!

 

I can't use spm command connect Lan enforcer with 2 SEP manager. Please help me.

 

Thanks!

 

ThangPN.

I am not sure what you are trying to achieve. LAN enforcer can only connect to 1 SEPM server at a time. Are you trying to do replication?

Hi, Mandy Pang!

 

Thank you for reply.

 

I want high available for my system. I have 2 radius running ACS 4.2, 1 Lan enforcer and 2 SEPM.

 

I want replicate 2 SEPM but I have 1 Lan enforcer. Please help me for this.

 

ThangPN.

 

 

You can setup replication between the 2 SEPM so that when 1 SEPM fails, the enforcer will communicate with the other SEPM.

 

RADIUS failover is supported by the Enforcer. On the enforcer settings on SEPM, you can input both of your ACS RADIUS servers into 1 RADIUS group and assign to the enforcer. The order of the ACS radius matters. The enforcer will first try to connect to the 1st ACS RADIUS on the list, if there is no response, it will try the 2nd one.

 

For LAN enforcer failover, it's done on the switch level. Since you only have 1 LAN enforcer, you can setup on the switch radius group such that LAN enforcer is 1st on the list, and your ACS radius is 2nd on the list. This way, if the LAN enforcer fails, the switch will contact your ACS for user authentication. 

Hi, Mandy Pang!

 

As you tell me: "You can setup replication between the 2 SEPM so that when 1 SEPM fails, the enforcer will communicate with the other SEPM.", but I am not sure when 1 SEPM fails, the enforcer will auto communicate with the other SEPM. I think the enforcer will manual communicate with the other SEPM when I use SPM commmand again with that.

 

ThangPN.

You can setup 2 SEPMs on the same server list on the SEPM server, then apply that server list to the enforcer.

Hi, Mr Pang.

 

I don't understand your idea. I don't know "setup 2 SEPMs on the same server list on the SEPM server". You want tell that you will install an additional management server to an existing site. I tried but it don't install for Embeded databate, It only apply for SQL database.

 

ThangPN.

Yes, with embedded DB, you cannot add additional site. If you want to setup SEPM failover for enforcer, you can setup another SEPM independent with the 1st one, put them to be replication partner. Then on the SEPM console, go to Policies -> Policy components -> Management Server List to create a new server list with both SEPM servers. Then go to enforcer settings on SEPM and make sure you select the server list you just created. This way, the enforcer will failover to the 2nd SEPM when the 1st fails.

Hi, Mr Pang!

 

Enforcer SPM with SEPM 1st. Enforcer setting only appear on SEPM 1st. When SEPM 1st die. Enforcer setting not appear on SEPM 2nd because enforcer not SPM with SEPM 2nd. That time, Does is SEPM 2nd communicate with enforcer?.

 

ThangPN.

It should if you set the 2 SEPM in the same management server list.

On the Enforcer, I must SPM to SEPM 1st, SEPM 2nd, server list management or when SEPM 1st die I must SPM to SEPM 2nd again.

 

ThangPN.

If you put SEPM1 and SEPM2 in the same server list, then when you connect enforcer to SEPM1, it will download the profile from SEPM1 which contains both SEPM1 and SEPM2. When SEPM1 dies, and enforcer cannot contact SEPM1, it will then try to connect to SEPM2.

Thank for your support!

 

ThangPN.