12-26-2017 04:43 AM
The Cisco ACS to ISE Migration Guide has the instruction to bring up a standalone ISE for the staging environment. We already have a test ISE environment in the PAN(PRI),MNT(SEC)/PAN(SEC),MNT(PRI) configuration. Do we *have* to put the primary mode in standalone, or is it recommended or not necessary? Thanks
Ref: How to Migrate ACS 5.x to ISE 2.x
12-29-2017 02:36 PM
I am pretty sure it needs to be standalone and not a production system.
Tagged SME
12-29-2017 04:24 AM
The guidelines mentioned in the document are the best practices, which have been tested and yield the best results.
However, I will check with our SME for this query.
Thanks,
Nidhi
12-29-2017 04:31 AM
Thanks again Nidhi.
As I mentioned in my other reply, I am merging the TACACS functionality into a live ISE running RADIUS/dot1x. I *could* temporarily put the ISE into standalone but we are running v2.1 and hate to touch any dominos we don't have to. We are running a PAN(PRI),MNT(SEC) & PAN(SEC),MNT(PRI) deployment.
01-01-2018 01:59 AM
Echoing what Nidhi said, it's not good to use an ISE deployment with multiple nodes as the target, because the migrating data generates numerous updates on the primary PAN and all of them need to be replicated over to the secondary ISE nodes.
01-02-2018 03:55 AM
Thanks for all the information. I don't have any choice but to migrate my TACACS functionality to our production ISE system. We will be doing a dry run against our test/QA environment before hitting production.
I am confused - one answer above says "it needs to be standalone and not a production system" - I was asking if I should put the production system into standalone. Building a whole new deployment just for TACACS is not an option.
So is the recommendation to just move all the policies, etc by hand and *not* use the migration tool at all?
01-02-2018 01:53 PM
I do not think we are limiting it to a standalone ISE node, but we are not recommending the primary PAN in a multi-node deployment as the migration target. It's not well tested, either.
Thus, it's best to de-register one of the ISE nodes from the deployment and use that as the target for the migration. Once everything is tested, promote that standalone ISE as the primary and register the other ISE nodes to it to re-form the deployment.
01-04-2018 08:48 AM
I don't know what your experience with ISE in production is but all this promoting and un-deploying seems like a recipe for a crash if not an extended outage.
If you deregister the secondary, does the primary know to take over as primary MNT, or is that a separate manual operation? If you have a node running as primary for ADM and MNT and another standalone node tries to acquire that node as a secondary, does the old primary know to make itself sec/sec before joining?