CISCO ISE HA

Saeed Abd Elhalim Hamada · ‎01-13-2025

i have 2 node Cisco ISE3.3

i need to make HA

frist node have all configuration and AD external store and everthing

what i need to do at the sec node befor i make it as secondary ??

Rob Ingram · ‎01-13-2025

@Saeed Abd Elhalim Hamada patch the new node to the same version as the Primary node, ensure both nodes trust each others "admin" certificate, both nodes are configured with the same DNS servers and the time is synchronised, via the same NTP server.

Saeed Abd Elhalim Hamada · ‎01-13-2025

the sec node will be sec in PAN and MNT , no need to join the SEC to AD ?? it will join aumtaitcally ? lile the primarry ?

Rob Ingram · ‎01-13-2025

@Saeed Abd Elhalim Hamada once joined to the cluster you will need to manually join to your external identity sources (AD). You would also want to specify the node as a PSN (in addition to Sec PAN/MNT). Enable other node specific features such as Profiling probes on the new node. And obviously configure your NADS (switches/WLC etc) to point to the new ISE node for AAA.

Saeed Abd Elhalim Hamada · ‎01-13-2025

so you mean i need to join the Sec to AD first before i make it as a secodary node ?

Rob Ingram · ‎01-13-2025

@Saeed Abd Elhalim Hamada no, you join to AD after you've joined to the cluster.

MHM Cisco World · ‎01-13-2025

https://www.google.com/search?q=ccie+ISE+HA+&client=ms-android-samsung-gj-rev1&sca_esv=4fbe7c869920a6f3&ei=lhSFZ-KgLduOxc8P6Jun8QM&oq=ccie+ISE+HA+&gs_lp=EhNtb2JpbGUtZ3dzLXdpei1zZXJwIgxjY2llIElTRSBIQSAyBRAhGKABMgUQIRigATIFECEYoAFI2yRQ8gdYxyJwAXgAkAEAm...

This video I know it for old ver. But the idea is same check it.

Marcelo Morais · ‎01-15-2025

Hi @Saeed Abd Elhalim Hamada ,

1st, take a look at Administration > System > Deployment, if all Node Status are Connected.

2nd, take a look at Administration > Identity Management > External Identity Sources, if all Status are Operational.

Hope this helps !!!