08-10-2017 09:11 PM - edited 03-11-2019 12:55 AM
Hi, my name is Ivan.
Please can you help me to set up a Cisco ISE solution with a distributed deployment?
I need to create:
2 PAN in HA
2 MnT in HA
6 PSN (3 for Wired and 3 for Wireless)
Do you have any documentation for this setup?
What happens with the certificates? Is it necessary to install and configure a certificate on each ISE persona?
How can I configure HA for PAN and Monitoring, and how can I associate the PAN with the MnT and PSN?
Thanks for your answer.
Regards.
08-11-2017 07:08 AM
Hi Ivan,
Reference docs: https://communities.cisco.com/docs/DOC-64012
I shall assume for certificates you will be using an internal CA, e.g. Windows.
Here is a list of basic steps to create the cluster:
- Build the ISE servers from ISO/OVA, ensure there are DNS entries for the FQDN of each of the servers and valid time sync from NTP
- Import the Root Certificate of the Internal CA into the Trusted certificate store of ISE
- Generate a certificate signing request for the roles (Admin, EAP, Portal) - generate the CSR and sign this on the Internal CA
- Bind the signed certificate
- Repeat this procedure on all the ISE nodes - ensure you import the trusted root certificate!
- On what will be the Primary PAN go to Administration > System > Deployment and click Make Primary. Untick Monitoring and Policy Service. The services will probably restart
- After the services have restarted on the Primary PAN go to Administration > System > Deployment and click Register an ISE node
- Enter the FQDN of one of the other ISE nodes (this obviously needs to be resolved in DNS), enter username and password. When prompted select the Persona
- Repeat these steps to register all remaining nodes - ensure you select in total 1 x PAN (Primary), 1 x PAN (Secondary), 1 x MnT (Primary), 1 x MnT (Secondary), 6 x Policy Service Nodes
- After you register the nodes the services will restart and the nodes will sync, this will take a while
A basic ISE cluster has now been built.
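Before clicking Register on the Primary PAN, it is worth checking the plan against the constraints given in this thread (every FQDN resolvable in DNS, each node still standalone, at most one primary and one secondary PAN and MnT, any number of PSNs). The following pre-flight checker is an added example, not Cisco code and not part of the original reply; the node names under example.com and the `resolve` hook are assumptions so that the check can run offline.

```python
import socket
from collections import Counter

# Persona/priority limits stated in the thread: 2 x PAN and 2 x MnT max.
MAX_PER_ROLE = {("PAN", "primary"): 1, ("PAN", "secondary"): 1,
                ("MNT", "primary"): 1, ("MNT", "secondary"): 1}
KNOWN_PERSONAS = {"PAN", "MNT", "PSN"}

def default_resolver(fqdn):
    """Forward-resolve an FQDN; None means DNS has no entry (hypothetical helper)."""
    try:
        return socket.gethostbyname(fqdn)
    except socket.gaierror:
        return None

def preflight(plan, resolve=default_resolver):
    """plan: list of dicts with keys fqdn, persona, priority, standalone.
    Returns a list of findings; an empty list means the plan is ready to register."""
    findings, counts, seen = [], Counter(), set()
    for node in plan:
        fqdn = node["fqdn"]
        if fqdn in seen:
            findings.append(f"{fqdn}: listed more than once")
        seen.add(fqdn)
        if node["persona"] not in KNOWN_PERSONAS:
            findings.append(f"{fqdn}: unknown persona {node['persona']}")
        if not node.get("standalone", False):
            findings.append(f"{fqdn}: must be standalone before it can be registered")
        if resolve(fqdn) is None:
            findings.append(f"{fqdn}: no DNS entry for the FQDN")
        counts[(node["persona"], node.get("priority"))] += 1
    for key, limit in MAX_PER_ROLE.items():
        if counts[key] > limit:
            findings.append(f"{key[0]} {key[1]}: {counts[key]} planned, max {limit}")
    if counts[("PAN", "primary")] == 0:
        findings.append("no primary PAN: the cluster needs one to register nodes against")
    return findings

def example_plan():
    """Ivan's layout: 2 PAN, 2 MnT, 6 PSN (constructed sample names, example.com)."""
    plan = []
    for persona in ("PAN", "MNT"):
        for prio in ("primary", "secondary"):
            plan.append({"fqdn": f"ise-{persona.lower()}-{prio}.example.com",
                         "persona": persona, "priority": prio, "standalone": True})
    for i in range(1, 7):  # 3 wired + 3 wireless PSNs; PSNs carry no priority
        plan.append({"fqdn": f"ise-psn{i}.example.com", "persona": "PSN",
                     "priority": None, "standalone": True})
    return plan
```

Run `preflight(example_plan())` on a host that can reach your DNS; any finding should be cleared before registering that node.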
08-11-2017 07:21 AM
Hi Rob,
Thanks for your answer. I have a question:
When you say "enter the FQDN of the ISE node, username and password", should the node be in standalone mode?
After that, do I need to tick the persona that will run on it?
How can I associate the PSNs in the cluster with the PAN and MnT?
Regards
08-11-2017 07:39 AM
Yes, from memory any additional nodes added to a cluster need to be in standalone mode. If one had already been set to Primary, it would tell you it needed to be in standalone mode - but then you can just convert it back to standalone mode and then register it.
Once you have configured the first node, which is the Primary PAN, you have created the cluster. You will do all the work on the Primary PAN; when you register the additional nodes they are joined to that cluster.
For each node you add, just select the persona you want and its priority (primary/secondary) for PAN/MnT only. Make sure you untick the personas you don't want. There can only be 2 x PAN and 2 x MnT in a cluster. There can be numerous PSNs.