Showing results for 
Search instead for 
Did you mean: 
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.


ISE clustering and Wireless Setup (Beta BYOD)


I am building an ISE lab cluster for testing BYOD. This setup will mirror our production cluster.


The ISE deployment is 4 x Internal ISE servers (2 x PAN nodes PRI and SEC plus 2 x PSN nodes PRI and SEC) and 2 x DMZ ISE servers (PSN PRI and SEC). These are all ESXi VMS running version with Patch 10 applied to overcome the AD null groups bug for the BYOD workflow. I have a couple of questions: firstly regarding the clustering and then one regarding the BYOD WorkFlow.


1. I have clustered and synched 5 nodes of the cluster - the sixth node is  DMZ PSN SEC instance - when I tried to register this initially I got the import certificate prompt and the cert is stored in the Trusted Cert repository, but the node will not register as the error message is that comms cannot be established to it. I am able to ping the hostname from the PRI PAN which proves DNS and reachability - I can also see logs for https traffic through our Checkpoint firewalls. I have tried rebuilding the node, with the same result. Is there anything that I should be aware of or checking for to get this node into the cluster?


2. Regarding the Wireless Setup (Beta). Given that we are using Internal WLCs for the WAPs that are publishing the BYOD ESSID, but the service is terminated on the DMZ WLC and ISE nodes (portal, etc) the WorkFlow only seems to allow a single WLC to be configured - is it possible to use the Wireless Setup tool for this network topology or does it have to be done manually?

VIP Advisor

Re: ISE clustering and Wireless Setup (Beta BYOD)

For first question, here is the port requirements for node communications
(not only https). I usually avoid limiting the communication between nodes
by port.

2nd question, the wireless wizard for one WLC. Other need to be done

Re: ISE clustering and Wireless Setup (Beta BYOD)

Hi Mohammed,


Thank you for responding to my queries. I am now following the Prescriptive BYOD workflow guide to build the BYOD test lab.


Regarding the clustering there are two DMZ PSN nodes that are passing through the same firewall and one has joined the cluster successfully but the other will not register. Both of these nodes are in in the same firewall group object, so this won't be an issue.


Is there anything else that you can suggest? What are the limits on ISE distributed configurations?