How does Cisco ISE HA work?

PutmanoAIT
Level 1

I'm implementing Cisco ISE for TACACS and Dot1x for endpoint authentication. We have 2 units of Cisco SNS3515 and we planned for an HA deployment, one at the DC and the other one at the DR. There are 2 different subnet IP addresses. I haven't implemented Cisco ISE before. I'm not sure how Cisco ISE HA works. How are network devices configured for TACACS? Do we need to add two IP addresses of the ISE server? Do we need to install two certificates for endpoint Dot1x? Thanks for your kind comments.


1 Reply

Arne Bier
VIP

In the case where you only have two ISE nodes, and each one of them is enabled for TACACS Service, then the solution is simple. On your NAS/NAD devices you simply configure ISE1 as primary and ISE2 as secondary. You can of course be more creative than that, and load balance the requests across both ISE nodes to get your value for money! e.g. any NAS device with an even IP address goes to ISE1 and the odd IP addresses go to ISE2 - or whatever. You get the idea. Just be careful with this primitive load balancing methodology - if you are not careful you could cause an imbalance in the loading of one of the ISE servers. And also remember to ensure that if either ISE server fails, the remaining server can handle the load. If you want this kind of deterministic behaviour, then go for the idiot-proof method of sending all primary TACACS requests to ISE1 and secondary to ISE2. Your NAS will decide when to use one or the other, depending on health checks.

Regarding 802.1X - when you install the servers, just install the same certificate on both servers for the EAP role. They don't need to be different certificates. Put both server FQDNs into the SAN (see below).

Same goes for the Admin role cert - make one cert with the same Subject Common Name, and then specify your ise01.mycompany.com and ise02.mycompany.com in the SAN (Subject Alternative Name). This ensures that your web browsers can trust both servers, no matter which one you are browsing to.


Hope this helps.
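To verify that a single certificate really covers both ISE node names in its SAN, as the reply above recommends, here is an added shell example (not from the thread or from Cisco) that generates a throwaway self-signed certificate for the two hostnames quoted above, ise01.mycompany.com and ise02.mycompany.com, and then uses `openssl x509 -checkhost` to confirm which names it matches. It assumes an `openssl` binary (1.0.2 or newer for `-checkhost`); the key, certificate and hostnames are constructed for illustration only.

```shell
#!/bin/sh
# Constructed example: node FQDNs taken from the reply, cert generated locally.
ISE1=ise01.mycompany.com
ISE2=ise02.mycompany.com
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CERT="$WORK/ise.crt"
KEY="$WORK/ise.key"

# OpenSSL request config: one Common Name, both node FQDNs in the SAN.
cat > "$WORK/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_san
prompt = no
[dn]
CN = ise.mycompany.com
[v3_san]
subjectAltName = DNS:$ISE1,DNS:$ISE2
EOF

# Self-signed throwaway cert (a real deployment would submit a CSR to your CA).
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -keyout "$KEY" -out "$CERT" -config "$WORK/san.cnf" 2>/dev/null

# cert_covers_host CERT HOSTNAME
# Returns 0 when the certificate's SAN/CN matches HOSTNAME, 1 otherwise.
# openssl prints "Hostname X does match certificate" or "... does NOT match ...".
cert_covers_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q ' does match '
}

# Check every node name the NADs and browsers will connect to.
for host in "$ISE1" "$ISE2"; do
  if cert_covers_host "$CERT" "$host"; then
    echo "OK: $host is covered by $CERT"
  else
    echo "MISSING: $host is not in the SAN of $CERT"
  fi
done
```

Run the same `cert_covers_host` check against the certificate you actually import into ISE before deploying it to the second node.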