topic Re: Cisco ISE Small Deployment High Availability in Network Access Control

Cisco ISE Small Deployment High Availability

Kevin Raditheo — Fri, 10 Feb 2017 08:08:40 GMT

Hi All,

I want to ask some question regarding Cisco ISE HA in Small Deployment Network (with two node of ISE):

Is it true that in Small Deployment, Secondary node need to be promoted manually when Primary node down? Since I read a document that says auto-failover can only be enabled in Distributed Node
If failover is manual, what is the purpose of secondary admin persona since you will need to promote it manually and can not configure policy when it still in secondary position.
Will the failover change the IP address of Secondary to Primary node IP address? Must I input Primary and Secondary node IP address to all the NAD?

Thanks for your answers in advance.

Regards,

Kevin

Re: Cisco ISE Small Deployment High Availability

Charlie Moreton — Fri, 10 Feb 2017 12:57:55 GMT

Is it true that in Small Deployment, Secondary node need to be promoted manually when Primary node down? Since I read a document that says auto-failover can only be enabled in Distributed Node

Yes, this is true.

If failover is manual, what is the purpose of secondary admin persona since you will need to promote it manually and can not configure policy when it still in secondary position.

The policies and settings (The entire PAN database) is synchronized with the Secondary Admin Node and is kept in synchronization. Once the Secondary is promoted, all the settings and policies previously configured on the Primary Node will be there.

*Remember to add both the Primary and Secondary Admin Nodes to ALL Licenses installed, as these are synchronized as well. If you do not have them both registered on the license you can "Re-Host" the license(s) by following this process:

Re-Host ISE Licenses*

Will the failover change the IP address of Secondary to Primary node IP address? Must I input Primary and Secondary node IP address to all the NAD?

Both nodes should be added to the NAD in this deployment (Standalone), as each node hosts a Policy Service Persona. It is only the PSNs that are added to the nodes for RADIUS.

Charles Moreton

Re: Cisco ISE Small Deployment High Availability

Kevin Raditheo — Fri, 17 Feb 2017 07:53:26 GMT

Thanks Charles for your answers.

It helps very well.

Kevin

Re: Cisco ISE Small Deployment High Availability

Kevin Raditheo — Wed, 22 Feb 2017 16:08:07 GMT

Hi Charles,

I have follow up questions.

Currently I have ISE deployment with 2 node:

ISE 1 : Primary Admin, Secondary Monitoring, PSN
ISE 2 : Secondary Admin, Primary Monitoring, PSN

When ISE 1 still up, I can use ISE 2 as radius server for some of my NAD, it's split deployment, isn't it?

When ISE 1 is down, my NAD that use ISE 2 as primary radius server can not authenticate, nor the NAD that use ISE 2 as secondary radius server.

I need to promote ISE 2 to become primary admin to be able to authenticate through ISE 2.

Is this a normal behavior? Do we need to manually promote secondary admin node to make use of redundancy of PSN?

Or do I miss something in my configuration?

Thanks for your help.

Kevin

Re: Cisco ISE Small Deployment High Availability

gbekmezi-DD — Fri, 24 Feb 2017 19:50:10 GMT

No, something else must be happening. Assuming it’s just a standard authentication to either the internal data store or an external data store (i.e. not trying to create a guest account) ISE 2 should authenticate clients while ISE 1 down. I’d probably start by looking at the live log while in that state.

George

Re: Cisco ISE Small Deployment High Availability

takedo2008 — Tue, 13 Aug 2019 11:57:53 GMT

hi .

I guess this setup is no more small deployment , but distributed deployment.

Re: Cisco ISE Small Deployment High Availability

EvaldasOu — Tue, 12 May 2020 23:08:52 GMT

This small deployment HA makes no sense to me.
With such a great Team at Cisco ... such a huge product Cisco ISE - not possible to do automatic failover with two nodes (in year 2020)...

Guys, I'm a network engineer. If ISE1 goes down... it will be faster for me to fix ISE1 versus go to ISE2 and promote it manually as primary node...

ISE eats so many resources, but has so many issues! This two node automatic HA not possible! vMotion on VMware - not possible, snapshots / backups on VMware - not possible! and list goes on... 🙂

Re: Cisco ISE Small Deployment High Availability

paul — Tue, 12 May 2020 23:32:02 GMT

ISE two node work just fine. The PSN functionality work independently of the other functions. If your primary admin node goes down in a two node deployment you lose access to administer and monitor the system until you promote the secondary to primary.

You don't want automatic promotion in a two node setup because when the promotion happens services restart and all functionality is lost. If you had a primary admin node go down in the middle of the day and Cisco allowed automatic failover you would have a 10-20 minute outage. With manual promotion you get to control when the outage occurs.

This is link is from the 2.3 guide but scroll down to the table that shows what services are available when the Admin node is down:

https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/admin_guide/b_ise_admin_guide_23/b_ise_admin_guide_23_chapter_011.html#ID57

Re: Cisco ISE Small Deployment High Availability

EvaldasOu — Wed, 13 May 2020 14:05:09 GMT

Thank You @paul , this is great answer!

I was actually so upset ... as I configured small ISE deployment easily (but 2nd PSN is not responding to RADIUS requests at all when 1st node is UP or DOWN). And in GUI/CLI everything seems to be fine, all services running on 2nd node... using latest ISE 2.6 with latest Patch 6.

Re: Cisco ISE Small Deployment High Availability

EvaldasOu — Wed, 13 May 2020 15:57:23 GMT

@paul I have actually fixed my first issue... it was firewall ... Policies needed to be updated to allow communication with ISE2 server.

However, I found another issue which I think cannot be re-solved in this HA mode.
What if ISE1 generated certificate for the user? It has separate CA and as I see these certificates are not synchronized across in HA and ISE2 is not aware of this at all?

Thank You

Re: Cisco ISE Small Deployment High Availability

Greg Gibbs — Wed, 13 May 2020 23:32:07 GMT

See the following link in the Admin Guide showing the ISE Internal CA hierarchy in a distributed deployment.

Although the Primary and Secondary nodes have separate Node CA and Endpoint CA certificates, they should be signed by the Root CA of the Primary PAN.

If you are not seeing the same (or if you have upgraded from an earlier version of ISE), you might need to regenerate the ISE CA Chain.

Re: Cisco ISE Small Deployment High Availability

vsurresh — Thu, 14 May 2020 15:47:35 GMT

Hi, Kevin.

I have the exact setup. On each NAD specify both ISE IPs as primary and secondary. When the primary ISE goes down, authentication should happen as normal via secondary ISE because both ISE nodes are PSN.

You don't' have to promote the PSN because PSN is active/active. You will only need to manually promote the ISE02 PAN so you can have the Admin GUI access. If you need auto-failover you will need 3 nodes where the third node will check the health of the other two.

The IP addresses won't change during the failover.

Regards
Suresh