topic Re: Question about ISE HA Deployment in Network Access Control

Question about ISE HA Deployment

Andrey Ageev — Thu, 28 Jan 2021 11:08:52 GMT

Hi.

I have two ISE nodes:

Node 1: Primary PAN, Secondary MnT, PSN, Device Admin (TACACS) + L-ISE-TACACS-ND=

Node 2: Secondary PAN, Primary MnT, (w/o Device Admin and w/o L-ISE-TACACS-ND=)

So am I thinking correctly what's it not HA deployment because 2-nd node doesn't have Device Admin role?

And in case of primary node down - secondary will not working properly for TACACS/RADIUS requests and first it should be promoted to Primary and after that Device Admin role must be set up?

It's correct that minimal requirements for HA is two L-ISE-TACACS-ND= licenses? So both nodes will have Device Admin role?

Re: Question about ISE HA Deployment

Marvin Rhoads — Thu, 28 Jan 2021 11:48:43 GMT

If you add the license to the deployment and assign the role to the second node, it will perform the device admin functions fine even if the primary node is down.

You would only need to promote it to primary if the primary node was down for an extended period and you needed to modify configuration or if the primary had to be replaced altogether due to failure.

Re: Question about ISE HA Deployment

Marcelo Morais — Thu, 28 Jan 2021 16:26:31 GMT

Hi @Andrey Ageev

first of all ... you are able to Promote the Secondary PAN or Secondary MnT to Primary PAN or Primary MnT (respectively), this is one thing !!!

Second ... to enable TACACS+ on ISE:

. you need the L-ISE-TACACS-ND= license.

. you need to check the Enable Device Admin Service on each PSN in the deployment (for HA of TACACS+ service)

In other words:

Node 1: Primary PAN  , Secondary MnT, Session Service, Device Admin Service
Node 2: Secondary PAN, Primary MnT  , Session Service, Device Admin Service

Hope this helps !!!

Re: Question about ISE HA Deployment

Damien Miller — Thu, 28 Jan 2021 23:02:55 GMT

It's important to note that if you were to promote the secondary admin node to primary in a two node deployment, even if both nodes were healthy and online, this is still an outage. Swapping the MNT primary/secondary role is not impacting, it does not require a service reload. If you swap the admin node, both admin nodes need to restart their application services which includes the services providing authentication.

To Marvin's point, purchase a second device admin node license, enable the device admin on the second node, and you do not have to swap the primary/secondary to maintain TACACS authentication functionality. You would have to delay any configuration changes until you can get the existing primary back online or take an outage to swap the primary role.

Re: Question about ISE HA Deployment

Andrey Ageev — Fri, 29 Jan 2021 04:41:13 GMT

So i need two licenses (L-ISE-TACACS-ND), right?

With only one license on Primary and Device Admin checked on both nodes i have this message: fewer device admin licenses installed than device admin nodes deployed. But AAA on second ISE work fine.

Is it normal behaviour for ISE and means that i can work with only license?

What are the risks then working with only one?

Re: Question about ISE HA Deployment

Andrey Ageev — Fri, 29 Jan 2021 04:43:17 GMT

Thanks, Marcelo.

I know about scenario:

Node 1: Primary PAN  , Secondary MnT, Session Service, Device Admin Service
Node 2: Secondary PAN, Primary MnT  , Session Service, Device Admin Service

but can be

Node 1: Primary PAN  , Secondary MnT, Session Service, Device Admin Service
Node 2: Secondary PAN, Primary MnT  , Session Service, No Device Admin Service

w/o Device Admin for HA?

Node 1: Primary PAN  , Secondary MnT, Session Service, Device Admin Service
Node 2: Secondary PAN, Primary MnT  , Session Service, Device Admin Service

with only one license L-ISE-TACACS-ND= ?

Re: Question about ISE HA Deployment

Marcelo Morais — Fri, 29 Jan 2021 10:52:38 GMT

Hi @Andrey Ageev

the old Device Admin license was for the whole deployment, but ...

Now, for each PSN that you check the Enable Device Admin Service, you need the L-ISE-TACACS-ND= license, in other words, as soon as you have one box for TACACS and another for HA, then you would need two licenses for the deployment.:

Node 1: Primary PAN  , Secondary MnT, Session Service, Device Admin Service (L-ISE-TACACS-ND=)
Node 2: Secondary PAN, Primary MnT  , Session Service, Device Admin Service (L-ISE-TACACS-ND=)

Note: you don't have HA (for TACACS) on the scenario bellow:

Node 1: Primary PAN  , Secondary MnT, Session Service, Device Admin Service
Node 2: Secondary PAN, Primary MnT  , Session Service

Hope this helps !!!

Re: Question about ISE HA Deployment

Andrey Ageev — Tue, 02 Feb 2021 09:52:53 GMT

Thanks to all.

Last qustions: should i have L-ISE-BSE-PLIC (Cisco ISE Base License) and L-ISE-BSE-P1 (Cisco ISE Base License - Sessions 100 to 249) for second node for HA for also RADUIS, not only TACACS, in this configuration:

Node 1: Primary PAN  , Secondary MnT, Session Service, Device Admin Service (L-ISE-TACACS-ND=)
Node 2: Secondary PAN, Primary MnT  , Session Service, Device Admin Service (L-ISE-TACACS-ND=)