Adding Secondary Node

henokk60
Level 1

Hi All,

I am currently expanding an existing Cisco ISE cluster. The current setup consists of two dedicated nodes: one acting as the Primary Admin/MNT and the other two nodes as a Policy Service Node (PSN).

I am now adding another appliance which I intend to configure as the Secondary Admin/MNT. I have a few questions regarding the deployment process:

  1. Root CA Certificates: Should I manually import the Root CA certificates onto the new node prior to registration? Specifically, is it best practice to export the Root CA (.pem) from the Primary PAN and manually import on the trusted Certificates on the new secondary node?

  2. System Certificates: I am using separate certificates for the Admin role and another for multi-purpose roles (Portal, EAP, pxGrid, RADIUS DTLS, Messaging Service). Do these certificates need to be manually exported from the Primary and imported to the Secondary, or are they automatically synchronized during the registration process?

  3. Initial Node State: Before registering the new node to the cluster, should its persona be set to Standalone or Primary?

  4. What are the tasks I should complete before registering the new secondary node, and what other considerations are there, such as joining AD? Or can I do that after the registration?

Any guidance or best practices would be greatly appreciated. Thank you!

 

2 Replies

balaji.bandi
Hall of Fame

Most of the steps at the high level you have covered. I suggest following the steps officially documented here:

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-33/222828-understand-ise-3-3-node-registration-pro.html#toc-hId-1793249966

BB

=====Preenayamo Vasudevam=====


@henokk60 ,

About item 3.

To create a Distributed Deployment the 1st Node of the Cluster should be a Primary Node, all the other new Nodes, a Standalone Node.

 

About items 1 and 2.

Your new Node needs a Certificate (at Administration > System > Certificates > Certificate Management > System Certificates) with the following possible usage:

  • Admin
  • EAP Authentication
  • RADIUS DTLS
  • pxGrid
  • ISE Message Service
  • NativeIPSec
  • SAML
  • Portal

To install this Certificate, you need to trust the "Certification Chain"; in other words, you need to install the Root CA first (at Administration > System > Certificates > Certificate Management > Trusted Certificates).

 

About item 4.

Before registering ...

  • the new Node must have the same release and patch as the Cluster

After registering ... 

  • at Administration > System > Deployment > check the Node Status
  • at Administration > Identity Management > External Identity Sources > Active Directory > join the Domain
  • at Administration > System > Health Checks > hit the Start Health Checks button

 

Hope this helps!
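The reply above says the new node's system certificate can only be installed once its certification chain is trusted, i.e. after the Root CA exported from the PAN is in Trusted Certificates. The following script is an added example (not from this thread, Cisco, or ISE itself) of the offline sanity check a practitioner would run on a workstation before touching the GUI: it confirms with the openssl CLI that the certificate you plan to upload chains to the exported Root CA, is not about to expire, and carries the new node's FQDN in its Subject Alternative Name. File names, the demo PKI (a throw-away CA and node certificate generated only so the script runs stand-alone) and the hostname ise-san.example.test are assumptions; point it at your real root-ca.pem, node.pem and node FQDN instead.

```shell
#!/bin/sh
# Pre-registration certificate check for a new ISE node (added example, not vendor code).
# Usage: check_node_cert <root-ca.pem exported from PAN> <node system cert .pem> <node FQDN>
# Return codes: 0 = all checks pass, 1 = chain not trusted, 2 = expiring within 30 days,
#               3 = FQDN missing from subjectAltName.

check_node_cert() {
  ca="$1"; cert="$2"; fqdn="$3"

  # 1. Chain: does the node certificate validate against the Root CA from the PAN?
  #    This is the same trust relationship ISE needs before the system cert can be installed.
  if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "chain: FAIL ($cert is not issued under $ca)"
    return 1
  fi

  # 2. Expiry: refuse certificates that expire within 30 days (2592000 s).
  if ! openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null 2>&1; then
    echo "expiry: FAIL ($cert expires within 30 days)"
    return 2
  fi

  # 3. Name: the node FQDN must appear as a DNS SAN, or Admin/EAP/portal clients will reject it.
  if ! openssl x509 -in "$cert" -noout -text | grep -qF "DNS:$fqdn"; then
    echo "san: FAIL (no DNS:$fqdn in subjectAltName)"
    return 3
  fi

  echo "OK"
  return 0
}

# Demo PKI (constructed for this example only): a self-signed Root CA plus a node
# certificate it issues, with the FQDN placed in subjectAltName via an extension file.
make_demo_pki() {
  dir="$1"; fqdn="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/ca.key" -out "$dir/ca.pem" \
    -subj "/CN=Demo Root CA" -days 3650 >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -keyout "$dir/node.key" -out "$dir/node.csr" \
    -subj "/CN=$fqdn" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\n' "$fqdn" > "$dir/san.cnf"
  openssl x509 -req -in "$dir/node.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -out "$dir/node.pem" -days 825 -extfile "$dir/san.cnf" >/dev/null 2>&1
  # A second, unrelated CA to show what an untrusted chain looks like.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/other-ca.key" -out "$dir/other-ca.pem" \
    -subj "/CN=Other Root CA" -days 3650 >/dev/null 2>&1
}

# Run with --demo to build the throw-away PKI and check the generated node certificate.
if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d)
  make_demo_pki "$d" ise-san.example.test
  check_node_cert "$d/ca.pem" "$d/node.pem" ise-san.example.test
fi
```

Run `sh check.sh --demo` to see the happy path; in practice you would call `check_node_cert root-ca.pem node.pem <new-node-fqdn>` with the Root CA exported from the Primary PAN and the certificate you intend to install on the secondary. A chain failure here means the Trusted Certificates store on the new node is missing an issuer, which is exactly the case the reply says must be resolved before the system certificate can be installed.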