Beginner

ISE high availability

Hi, I am searching for clear documentation which tells which service is located on which persona and what is affected in case the PAN or secondary admin and primary monitoring or a PSN is down.

Do the guest sponsor and authentication portals run on every PSN, etc.?

Could you please point me to the correct destination for such combined documentation: services per persona and what is affected when one of them is down.

Thanks

1 ACCEPTED SOLUTION
Advocate

Re: ISE high availability

Recommend reviewing the reference presentation of BRKSEC-3699 at ciscolive.com.

There are a number of flows which can be impacted while the PAN is unavailable, including portal flows. For example, self-registered guests require the PAN to be accessible to first instantiate the Guest account. Device Registration (hotspot, guest, BYOD) also requires an update to the central endpoint DB.

Yes, be sure to implement PAN failover to limit the window of outage.

Craig

5 REPLIES 5
VIP Engager

Re: ISE high availability

This link shows what is available if the primary PAN is down:

Cisco Identity Services Engine Administrator Guide, Release 2.3 - Set Up Cisco ISE in a Distributed Environment [Cisco …

If you have PAN autofailover enabled you shouldn't lose access to any of the PAN features though. 

All ISE nodes log to both M&T nodes by default so it doesn't matter which one is up or which one is down.  As long as you have one available you should have access to the services provided by the M&T.

The PSNs are independent entities that are capable of running all the authentications you ask of them including portal services.  As long as your NADs are correctly pointed to multiple PSNs or the PSNs are behind a load balancer it shouldn't matter if you lose a single PSN.

Beginner

Re: ISE high availability

Thanks for the help. This was exactly what I was looking for.

Just hoping there would be a clear matrix available in the ISE resource pages, to show all this in one single look.

Advocate

Re: ISE high availability

If there was a single document on ISE HA, it would be the reference version of the BRKSEC-3699 session posted to ciscolive.com. It is over 500 slides, which are more reference content than slideware. I try to track all details, even if not covered during the live presentation, to keep this as a consolidated reference on the topic of HA and scale.

Beginner

Re: ISE high availability

Thanks again. Spent some hours with these and I feel enlightened.