
Correct way to reboot ISE PSN node in a distributed deployment

mark373737
Level 1

Hi All,

Two of my ISE nodes (in an 8-node 1.2 deployment) have expired CLI admin passwords (I know I'm stupid!).

One is the Secondary MnT node and one is a PSN node (1 of 4).

I have information on what I need to do to get a new password, but do I need to de-register the nodes first, or can I just reboot them?

Will my other three PSN nodes automatically re-authenticate users on the rebooting PSN node or should I request down-time?

Thanks for any help in advance

Mark

3 Replies

Tim Steele
Level 1

Hi Mark,

Unfortunately, that is a common thing, so don't feel bad! :) First, I would recommend that you always have a second CLI account created on each node of the deployment (preferably not created at the same time so the expiry will vary :) ). This way, if your admin (for instance) account expires, you can just log in to the CLI with your other account to reset its password.

The process you need to go through now is called password recovery and will need downtime for the node(s).  If your NADs are configured correctly, they should be pointing to multiple PSNs.  So, when you take the one PSN down for password recovery, users shouldn't be affected.  Review your WLC/Switch config to verify.

Here is a link to the instructions: http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/installation_guide/ise_ig/ise_postins.html#64382.

Tim
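
The check suggested in the reply above ("Review your WLC/Switch config to verify"), as an added example that is not part of the original post or of Cisco's documentation: it scans saved IOS-style switch configs for RADIUS server addresses and reports which NADs would lose authentication if one PSN is rebooted. The switch names, the 192.0.2.x addresses and the config fragments are constructed, and the helper names are hypothetical.

```python
import re

# Constructed IOS-style fragments for two hypothetical switches.
SAMPLE_CONFIGS = {
    "sw-access-01": """\
radius server PSN1
 address ipv4 192.0.2.11 auth-port 1812 acct-port 1813
radius server PSN2
 address ipv4 192.0.2.12 auth-port 1812 acct-port 1813
""",
    "sw-access-02": """\
radius-server host 192.0.2.11 auth-port 1812 acct-port 1813
""",
}

# Named-server syntax and the legacy one-line syntax.
_PATTERNS = (
    re.compile(r"^\s*address ipv4 (\d+\.\d+\.\d+\.\d+)", re.M),
    re.compile(r"^\s*radius-server host (\d+\.\d+\.\d+\.\d+)", re.M),
)

def radius_servers(config_text):
    """Return server IPs referenced in a config, in order, without repeats."""
    found = []
    for pattern in _PATTERNS:
        for ip in pattern.findall(config_text):
            if ip not in found:
                found.append(ip)
    return found

def reboot_impact(configs, psn_ips, target_psn):
    """Classify each NAD for a reboot of target_psn.

    Only addresses in psn_ips count, so 'address ipv4' lines that belong
    to other server types (for example TACACS+) are ignored.
    """
    report = {}
    for nad, text in configs.items():
        psns = [ip for ip in radius_servers(text) if ip in psn_ips]
        if target_psn not in psns:
            report[nad] = "unaffected"
        elif len(psns) > 1:
            report[nad] = "failover"   # another PSN is configured
        else:
            report[nad] = "outage"     # the target is the only PSN
    return report

if __name__ == "__main__":
    all_psns = {"192.0.2.11", "192.0.2.12", "192.0.2.13", "192.0.2.14"}
    for nad, status in reboot_impact(SAMPLE_CONFIGS, all_psns, "192.0.2.11").items():
        print(f"{nad}: {status}")
```

A "failover" result only shows that a second PSN is defined on the device; whether the AAA method list in use actually references it still has to be confirmed in the config.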

Thanks Tim,

Yes, I have all four PSNs configured in each NAD... so I can just reboot one PSN without having to deregister it etc... yes?

M

Right, shouldn't be a problem.  You definitely wouldn't want to deregister it - you would only do that if you needed to reimage it or something like that.

Just as an FYI, if you are only talking about wireless use cases, you could always disable that particular PSN from the RADIUS Authentication and RADIUS Accounting servers globally (not on the WLAN). If you make a change to the WLAN, it will "bounce" the WLAN. But, if you globally "admin disable" that particular PSN, it will just keep the WLC from using that PSN until you enable it again.

Tim
