6436 Views | 2 Helpful | 21 Replies

Guest portal redundancy

ffadhilpi
Level 1

Hi,

What is the best way to make sure that if ISE01 fails, guest traffic for the portal will go to ISE02 automatically, without a load balancer?

Thanks,

21 Replies

That is a bug I opened while working on a field engineer's setup. The workaround is to avoid such a partial match; e.g. the ISE hostname is demoISE-1 while the alias is demoISE.

So change the ISE hostname so it won't match the alias?!

Because the alias is tied to my SSL cert that was purchased. I'm looking at the caveats for changing the hostname in a 2-node setup.

ISE allows updating the hostname in standalone mode only, and such operations will restart ISE services, so you would need a maintenance window.

Cisco TAC may help updating the hosts entries via root.

I want to go down the path of using the CLI command "ip host" without having to go through TAC to change the hostnames of my 2 ISE servers. Tonight I will attempt the following, but I want to see if you think my steps would work. Can you let me know?!

Break the cluster

Make each ISE a standalone

Change the hostname via CLI

Make sure DNS has the new hostname mapping

Cluster the nodes back together:

- import the second ISE cert to the main node

- change the primary node from standalone to primary

- register the second ISE node under the main ISE

Verify the cluster is working

Use the "ip host" CLI command

In case interface bonding is in use, please take a look at CSCve57664. Besides what you wrote, also note the impact on Active Directory and the internal CA. Below is what I would suggest:

Backup (CFG, system certificates and private keys, internal CA export)

Perform a basic set of testing before any changes.

De-register the 2nd node and make the primary to standalone

(On the 1st ISE node (primary previously))

If using AD, leave AD

Update DNS record(s)

CLI configure "hostname" and "ip host" commands

If using an internal PKI for ISE system certificate, then generate CSR and get a new cert from the PKI

If using internal CA, re-gen internal CA certificates

If using AD, re-join AD

Perform some testing to verify all working ok on this 1st ISE node.

(On the 2nd ISE node)

If using AD, leave AD

Update DNS record(s)

CLI configure "hostname" and "ip host" commands

If using an internal PKI for ISE system certificate, generate CSR and get a new cert from the PKI

If using AD, re-join AD

Perform some tests

If the 2nd ISE node is using an ISE self-signed cert for the ISE system certificate, then export it and import it into the 1st ISE node.

Make the 1st ISE node primary and re-register the 2nd ISE node to it.

Perform more tests.
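The two things that bite in the procedure above are the alias/hostname partial match from the bug reply earlier in the thread (hostname demoISE-1 next to alias demoISE) and forgetting that DNS records and the certificate SANs must follow the new hostnames. The pre-flight check below is an added example, not code from Cisco, the thread, or ISE itself; the node names, IPs, DNS records and SAN lists are constructed, and the CLI lines it emits are templates whose `ip host` argument order is my assumption to confirm against the CLI reference for your version.

```python
"""Pre-flight checks for an ISE node rename that must keep a portal alias.

Added example (not Cisco's or the thread's code). All names, addresses,
DNS records and SAN entries below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class IseNode:
    old_hostname: str
    new_hostname: str
    ip: str


@dataclass
class RenamePlan:
    domain: str
    alias: str                     # portal alias bound to the purchased cert
    nodes: List[IseNode]
    dns_a_records: Dict[str, str]  # constructed stand-in for the real zone
    cert_sans: List[str]           # dNSName SAN entries of the system cert

    def fqdn(self, host: str) -> str:
        return f"{host}.{self.domain}".lower()


def alias_conflict(hostname: str, alias: str) -> bool:
    """True when the node hostname begins with the alias: the partial match
    the bug workaround says to avoid (demoISE vs demoISE-1)."""
    return hostname.lower().startswith(alias.lower())


def check_plan(plan: RenamePlan) -> List[str]:
    """Return a list of findings; an empty list means the plan passes."""
    findings: List[str] = []
    sans = {s.lower() for s in plan.cert_sans}
    for node in plan.nodes:
        fq = plan.fqdn(node.new_hostname)
        if alias_conflict(node.new_hostname, plan.alias):
            findings.append(f"{node.new_hostname}: hostname starts with alias {plan.alias}")
        record = plan.dns_a_records.get(fq)
        if record is None:
            findings.append(f"{fq}: no A record")
        elif record != node.ip:
            findings.append(f"{fq}: A record {record} does not match node IP {node.ip}")
        if fq not in sans:
            findings.append(f"{fq}: not in certificate SAN (new CSR/cert needed)")
    alias_fq = plan.fqdn(plan.alias)
    if alias_fq not in sans:
        findings.append(f"{alias_fq}: portal alias not in certificate SAN")
    return findings


def cli_commands(plan: RenamePlan, node: IseNode) -> List[str]:
    """Configure-mode lines for one node. The 'ip host <address> <name>'
    argument order is an assumption; confirm against your CLI reference."""
    return [
        f"hostname {node.new_hostname}",
        f"ip host {node.ip} {plan.fqdn(node.new_hostname)}",
    ]


# Constructed "before" plan: hostnames still carry the alias as a prefix,
# one node has no DNS record and the cert only covers the alias.
BAD_PLAN = RenamePlan(
    domain="example.com",
    alias="demoISE",
    nodes=[IseNode("demoISE-1", "demoISE-1", "10.0.0.11"),
           IseNode("demoISE-2", "demoISE-2", "10.0.0.12")],
    dns_a_records={"demoise-1.example.com": "10.0.0.11",
                   "demoise.example.com": "10.0.0.11"},
    cert_sans=["demoise.example.com"],
)

# Constructed "after" plan: alias kept for the purchased cert, hostnames no
# longer share its prefix, DNS and SAN entries updated for the new names.
GOOD_PLAN = RenamePlan(
    domain="example.com",
    alias="demoISE",
    nodes=[IseNode("demoISE-1", "ise01", "10.0.0.11"),
           IseNode("demoISE-2", "ise02", "10.0.0.12")],
    dns_a_records={"ise01.example.com": "10.0.0.11",
                   "ise02.example.com": "10.0.0.12",
                   "demoise.example.com": "10.0.0.11"},
    cert_sans=["demoise.example.com", "ise01.example.com", "ise02.example.com"],
)

if __name__ == "__main__":
    for label, plan in (("before", BAD_PLAN), ("after", GOOD_PLAN)):
        print(f"== {label} ==")
        for finding in check_plan(plan) or ["OK"]:
            print("  ", finding)
        for node in plan.nodes:
            print("  ", " ; ".join(cli_commands(plan, node)))
```

Run it once with the planned names before the maintenance window; every finding maps to a step in the checklist above (DNS update, new CSR, or picking a hostname that does not start with the alias), and the emitted lines are the ones you would type on each node after de-registering it.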

I'll test it. This should work. What ISE version?

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/117620-configure-ISE-00.html

Warning: I either dictated this to my device, or typed it with my thumbs. Erroneous words are a feature, not a typo.
