topic Adding Secondary cluster in Network Access Control

Adding Secondary cluster

Prasan Venky — Mon, 11 Mar 2019 05:23:44 GMT

Dear All,

I am already having ISE in distributed deployment as

1)Primary Admin node

2)Primary Monitor node

3)PSN

Now i have 3 more ISE boxes & i need to build secondary cluster.

1) Secondary Admin node

2) Secondary Monitor node

3) PSN

To do this what all prerequisites .. any maintanance window required..?

Secondary cluster will be deployed at different location where firewall facing scenario. is there any ports need to be opened for synchronization..?

Thanks in advance

After you register the

Jatin Katyal — Sat, 31 Jan 2015 04:22:23 GMT

After you register the secondary node, the configuration of the secondary node is added to the database of the primary node and the application server on the secondary node is restarted. After the restart is complete, the secondary node will be running the personas and services that you have enabled on it.

http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_dis_deploy.html#pgfId-1053327

ISE 1.2 what ports need to be open between different personas?

http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/installation_guide/ise_ig/ise_app_c-ports.html

ISE 1.3 what ports need to be open between different personas?

http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/installation_guide/b_ise_InstallationGuide13/b_ise_InstallationGuide12_appendix_01001.html

Hope this helps.

Regards,

Jatin

Thanks Jatin.I have two PSN's

Prasan Venky — Thu, 05 Feb 2015 07:32:34 GMT

Thanks Jatin.

I have two PSN's. So i should create a node group to achieve redundancy and load balancing right ?

I have a doubt on EAP certificate installation on secondary ISE that i am going to introduce.(we are using posture redirect for client to get NAC agent).

In primary ISE cluster, i installed with FQDN of PSN(DNS=PSN-Primary.local.com,DNS=*.local.com). How should i install certificate on secondary...Is it like (DNS=PSN-Secondary.local.com & DNS=*.local.com) ?

Node group does not give you

jan.nielsen — Fri, 06 Feb 2015 17:28:16 GMT

Node group does not give you redundancy or load-balancing. It just tells ise to re-authenticate the devices that were currently trying to authenticate when one of your psn wen't down, so they are not left in an unusable state. To load-balance, you need an external load-balancer, or just use redundancy by configuring both psn's in your switches and wlc. Som switch versions support more advanced load-balancing of psn requests.