
Adding Secondary cluster

Prasan Venky
Level 3

Dear All,

I already have ISE in a distributed deployment as:

1) Primary Admin node

2) Primary Monitor node

3) PSN

Now I have 3 more ISE boxes and I need to build a secondary cluster:

1) Secondary Admin node

2) Secondary Monitor node

3) PSN

What are the prerequisites for this? Is any maintenance window required?

The secondary cluster will be deployed at a different location, in a firewall-facing scenario. Are there any ports that need to be opened for synchronization?

Thanks in advance


Jatin Katyal
Cisco Employee

After you register the secondary node, the configuration of the secondary node is added to the database of the primary node and the application server on the secondary node is restarted. After the restart is complete, the secondary node will be running the personas and services that you have enabled on it.

http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_dis_deploy.html#pgfId-1053327

ISE 1.2: what ports need to be open between different personas?

http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/installation_guide/ise_ig/ise_app_c-ports.html

ISE 1.3: what ports need to be open between different personas?

http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/installation_guide/b_ise_InstallationGuide13/b_ise_InstallationGuide12_appendix_01001.html

 

Hope this helps.

Regards,

Jatin

 


Thanks Jatin.

I have two PSNs. So I should create a node group to achieve redundancy and load balancing, right?

I have a doubt about EAP certificate installation on the secondary ISE that I am going to introduce (we are using posture redirect for the client to get the NAC agent).

In the primary ISE cluster, I installed it with the FQDN of the PSN (DNS=PSN-Primary.local.com,DNS=*.local.com). How should I install the certificate on the secondary? Is it like (DNS=PSN-Secondary.local.com & DNS=*.local.com)?

A node group does not give you redundancy or load balancing. It just tells ISE to re-authenticate the devices that were trying to authenticate when one of your PSNs went down, so they are not left in an unusable state. To load-balance, you need an external load balancer, or just use redundancy by configuring both PSNs in your switches and WLC. Some switch versions support more advanced load balancing of PSN requests.
