Configure secondary node Administration and Policy Service roles

michael.burke
Level 1

The environment consists of 2 nodes.

Primary - Personas:  Admin, Monitoring, Policy service.  Services:  Session,  Profiler and Device Admin

Secondary - Personas:  Monitoring.  Services : None

 

The project plan is to relocate the primary node, during which time we would function solely on the secondary node.  

 

My questions are:

1. Can I add the Administration Role to the Secondary or is there a licensing impact that would prevent this?

2. Can I add the Policy Service > Session Services role to the secondary?

3.  Can I add the Policy Service > Device Admin Service role to the secondary?  I believe this does require a license (TACACS).

 

Thank you for your time and attention to this post.

 

Mike.Cifelli
VIP Alumni

What version of ISE are you running? Asking because the licensing model has changed as of 3.0.  For reference:

3.x - Cisco ISE License FAQ

License migration guide: Products - ISE Licensing Migration Guide - Cisco

Cisco Identity Services Engine - Cisco Identity Services Engine Ordering Guide - Cisco

1. Can I add the Administration Role to the Secondary or is there a licensing impact that would prevent this?

-Are these VMs?  For 3.0 and lower VM perspective you will require a license per node based on resources in use.  Virtual appliance licenses are available in three forms, VM Small, VM Medium, and VM Large. For reference:

VM License | RAM Capacity of VM Node | Number of CPUs of VM Node
VM Small | 16 GB | 12 CPUs
VM Medium | 64 GB | 16 CPUs
VM Large | 256 GB | 16 CPUs

FYSA: as of 3.1 there are VM common licenses.

2. Can I add the Policy Service > Session Services role to the secondary?

-Yes, your licenses (base/essentials, etc.) will be shared between the PSN nodes.  Example: Ratio is 1:1 for onboarded endpoints via 802.1x (1 base: 1 endpoint OR 1 essential: 1 endpoint)

3.  Can I add the Policy Service > Device Admin Service role to the secondary?  I believe this does require a license (TACACS).

-Correct.  A Device Admin License is required for this.  A license is required for each PSN you enable device admin service on. Example: 2 PSNs with device admin service enabled = 2 device admin lics

Lastly, ISE comes with built-in 90-day eval licenses that will ensure ISE services are not interrupted, so this could save you should you need to purchase licensing and/or don't have proper licensing enabled.  After the 90 days you need to have the proper licensing.  Strongly suggest taking a look at the links shared and working with your Cisco rep.  HTH!

Thank you Mike.Cifelli,

  I have reached out to our rep to follow up on this.  Our ISE is Version: 2.6.0.156.  I have confirmed that the primary server is configured with 16CPUs / 32GB Memory, which exceeds the table for the VM Small License, but that is what the license page shows as in compliance.

 

I do have one follow-up.  If I were to give the secondary the Device Admin Service role and then remove it from the primary, would TACACS still work or are there other considerations necessary?

Mike.Cifelli
VIP Alumni

I do have one follow-up.  If I were to give the secondary the Device Admin Service role and then remove it from the primary, would TACACS still work or are there other considerations necessary?

-It would still work and be in compliance since the service is only enabled on one node.

Thanks again.  I am, however, more confused by the licensing.  The secondary node has the same resources as the primary.   I'm not sure how we are in license compliance.

Primary node : 16CPUs / 32GB Memory

Secondary node: 16CPUs / 32GB Memory

Small VM license in compliance.