topic Re: ISE HA-Mode (Control Webgui) in Network Access Control

ISE HA-Mode (Control Webgui)

Xibachao1 — Wed, 12 Nov 2025 04:20:37 GMT

Dear professionals,

We have two Cisco ISE (Primary-Secondary)

We have concern about Device Admin Services. What is it purpose? We have research about it, seem likes relate to Tacas service.

In webgui ise-primary we can control all function like Livelogs, Cert, Endpoint .... but in webgui ise-secondary just have only Administration tab. We wonder it is relate to Device Admin service which the one missing in the ise-secondary?

Can anyone explain this?

Re: ISE HA-Mode (Control Webgui)

Rob Ingram — Wed, 12 Nov 2025 07:37:28 GMT

@Xibachao1 Yes, Device Admin is for TACACS+ management of networking devices. It looks like you just need to enable Device Admin on the secondary node. From the Primary Policy Administration Node (PAN) go to Administration > Deployment edit the Secondary node and select Enable Device Admin Service. Click Save

An a distributed deployment only the PAN will display all the tabs, as the configuration is performed centrally on the Primary PAN, which is why you will not see all the tabs on the other node(s).

Re: ISE HA-Mode (Control Webgui)

Xibachao1 — Wed, 12 Nov 2025 07:46:02 GMT

Hi @Rob Ingram ,

Thank for you support.

I wonder one more if i do enable that config have any require reboot or something downtime?

And how can i manage all the tabs in the SPAN (Must over 3 nodes or it is impossible please tell me) ?

Thank you.

Re: ISE HA-Mode (Control Webgui)

Rob Ingram — Wed, 12 Nov 2025 07:50:51 GMT

@Xibachao1 enabling the Device Admin service won't require a reboot.

You can only manage the cluster (all the tabs) from the Primary PAN. The Secondary PAN will only manage the cluster if the Primary has failed and the Secondary is promoted. Only one can be active to manage the cluster.

Re: ISE HA-Mode (Control Webgui)

balaji.bandi — Wed, 12 Nov 2025 07:55:02 GMT

You need to enable all nodes where required for the device admin service; this does not require a restart of ISE.

Only PAN will be able to manage all the nodes in the deployment

Re: ISE HA-Mode (Control Webgui)

Xibachao1 — Wed, 12 Nov 2025 08:04:12 GMT

Thank @Rob Ingram @balaji.bandi alot.

It seem likes both ISE using same database authentication (replicate). So i can understand that if ISE-Pri dies then all the database (drop, failed, passed) switch to ISE-Secondary too and not relate to the "Device admin" service, right?

Like user1 has failed many times in the ISE-Primary (20 times) and still keep that count on ISE-Second when ISE-Pri dies.

Re: ISE HA-Mode (Control Webgui)

Rob Ingram — Wed, 12 Nov 2025 08:11:58 GMT

@Xibachao1 yes, but in a two node cluster, you have to manually promote the Secondary node to Primary. The PAN persona is independant to the Device Admin role. You just need to enable the services on both nodes, for them both to work as TACACS+ servers.

Re: ISE HA-Mode (Control Webgui)

balaji.bandi — Wed, 12 Nov 2025 09:29:50 GMT

You have the option to always promote the other node as primary.

check the guide for reference :

https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/admin_guide/b_ise_admin_3_1/b_ISE_admin_31_deployment.html#ID246