Accepted Solutions
Hi Amir
There doesn't seem to be a CLI show command, nor does the SNMP MIB offer any hints. But there is another way.
You can enable the ERS in your Policy Nodes and then run a curl command to query via REST API.
In the examples below, 192.168.21.100 is my PAN (it should always have a good view of the system status) - you would have to make this flexible to ensure you hit the currently active PAN.
To demonstrate the return values, I use the Get-By-Name method to query status of "ise02" (which is a PSN), and "ise01" (which is my one and only PAN). I think this reflects the Admin node personas and their status.
abier@centos ~]$ curl --tlsv1.1 -s -k -X GET -H 'ACCEPT: application/json' 'https://ers:password@192.168.21.100:9060/ers/config/node/name/ise02' | grep PapNode
"isPapNode" : false,
"isPrimaryPapNode" : false,
[abier@centos ~]$ curl --tlsv1.1 -s -k -X GET -H 'ACCEPT: application/json' 'https://ers:password@192.168.21.100:9060/ers/config/node/name/ise01' | grep PapNode
"isPapNode" : true,
"isPrimaryPapNode" : true,
Hi Amir
There doesn't seem to be a CLI show command, nor does the SNMP MIB offer any hints. But there is another way.
You can enable the ERS in your Policy Nodes and then run a curl command to query via REST API.
In the examples below, 192.168.21.100 is my PAN (it should always have a good view of the system status) - you would have to make this flexible to ensure you hit the currently active PAN.
To demonstrate the return values, I use the Get-By-Name method to query status of "ise02" (which is a PSN), and "ise01" (which is my one and only PAN). I think this reflects the Admin node personas and their status.
abier@centos ~]$ curl --tlsv1.1 -s -k -X GET -H 'ACCEPT: application/json' 'https://ers:password@192.168.21.100:9060/ers/config/node/name/ise02' | grep PapNode
"isPapNode" : false,
"isPrimaryPapNode" : false,
[abier@centos ~]$ curl --tlsv1.1 -s -k -X GET -H 'ACCEPT: application/json' 'https://ers:password@192.168.21.100:9060/ers/config/node/name/ise01' | grep PapNode
"isPapNode" : true,
"isPrimaryPapNode" : true,
Hello Arne!
Many-many thanks for your answer - yes, that is exactly what I needed but this is 2.2-specific, that is why I haven't noticed that in my 2.1 SDK portal 
That is very useful info still, many thanks!
Regards, Amir
Arne's method is the suggested one, I think.
Meanwhile, for those of us who are not yet on 2.2 , the following will work: try to create user via API.
While primary will respond with HTTP 201, Secondary will tell you:
<!DOCTYPE html>
<html>
<head>
<title>
- Error report
</title>
<style type="text/css">
H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}.line {height: 1px; background-color: #525D76; border: none;}
</style>
</head>
<body>
<h1>
HTTP Status 401 - The requested operation is allowd on PAP Node only.
</h1>
---snip---
You can parse response (I did that with Beautifulsoup on a python - so picking h1 header) and correctly identify secondary/primary PAN. Not an ideal solution, but works well.
