Thanks Charles for your answers.

It helps very well.

Kevin

Hi Charles,

I have follow up questions.

Currently I have ISE deployment with 2 node:

• ISE 1 : Primary Admin, Secondary Monitoring, PSN
• ISE 2 : Secondary Admin, Primary Monitoring, PSN

When ISE 1 still up, I can use ISE 2 as radius server for some of my NAD, it's split deployment, isn't it?

When ISE 1 is down, my NAD that use ISE 2 as primary radius server can not authenticate, nor the NAD that use ISE 2 as secondary radius server.

I need to promote ISE 2 to become primary admin to be able to authenticate through ISE 2.

Is this a normal behavior? Do we need to manually promote secondary admin node to make use of redundancy of PSN?

Or do I miss something in my configuration?

Thanks for your help.

Kevin

No, something else must be happening. Assuming it’s just a standard authentication to either the internal data store or an external data store (i.e. not trying to create a guest account) ISE 2 should authenticate clients while ISE 1 down. I’d probably start by looking at the live log while in that state.

George

hi .

I guess this setup is no more  small deployment , but distributed deployment.

This small deployment HA makes no sense to me. 
With such a great Team at Cisco ... such a huge product Cisco ISE - not possible to do automatic failover with two nodes (in year 2020)...

Guys, I'm a network engineer. If ISE1 goes down... it will be faster for me to fix ISE1 versus go to ISE2 and promote it manually as primary node...

ISE eats so many resources, but has so many issues! This two node automatic HA not possible! vMotion on VMware - not possible, snapshots / backups on VMware - not possible! and list goes on... :) 

ISE two node work just fine.  The PSN functionality work independently of the other functions.  If your primary admin node goes down in a two node deployment you lose access to administer and monitor the system until you promote the secondary to primary.

You don't want automatic promotion in a two node setup because when the promotion happens services restart and all functionality is lost.  If you had a primary admin node go down in the middle of the day and Cisco allowed automatic failover you would have a 10-20 minute outage.  With manual promotion you get to control when the outage occurs.

This is link is from the 2.3 guide but scroll down to the table that shows what services are available when the Admin node is down:

https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/admin_guide/b_ise_admin_guide_23/b_ise_admin_guide_23_chapter_011.html#ID57

Thank You @paul , this is great answer!

I was actually so upset ... as I configured small ISE deployment easily (but 2nd PSN is not responding to RADIUS requests at all when 1st node is UP or DOWN). And in GUI/CLI everything seems to be fine, all services running on 2nd node... using latest ISE 2.6 with latest Patch 6. 

 @paul I have actually fixed my first issue... it was firewall ... Policies needed to be updated to allow communication with ISE2 server.

However, I found another issue which I think cannot be re-solved in this HA mode. 
What if ISE1 generated certificate for the user? It has separate CA and as I see these certificates are not synchronized across in HA and ISE2 is not aware of this at all?

Thank You

See the following link in the Admin Guide showing the ISE Internal CA hierarchy in a distributed deployment.

Although the Primary and Secondary nodes have separate Node CA and Endpoint CA certificates, they should be signed by the Root CA of the Primary PAN.

If you are not seeing the same (or if you have upgraded from an earlier version of ISE), you might need to regenerate the ISE CA Chain.