01-14-2013 11:36 AM - edited 03-10-2019 07:58 PM
Hi,
Question 1
-------------
We have 04 ISE appliances and we are planning to deploy them in a distributed system in such a way that 02 ISE nodes will act as PRI/SEC with the PAD/M&T roles and the other 02 will act as PRI/SEC PDPs.
Configuring the PAD/MT pair is straightforward and we have no doubts there; however, we have an issue with the other two nodes (PDP) as PRI/SEC.
ISE gives us a warning that at least one node should have the monitor role enabled; however, by that time the Admin role is already enabled and we can't disable it.
If someone has deployed this, I would appreciate guidance in the proper direction or any document on how to achieve this requirement.
Question 2
-------------
My other query is about licensing for this requirement. We have only 1 Base and 1 Adv license for all these 04 boxes, for about 500 endpoints. However, we can generate licenses against only 1 ISE appliance by giving its serial number, and that will be installed on the Primary PAP/MT box only; what about the other two boxes which will act as PRI/SEC PDPs? They will still give a warning that there are no licenses.
Question 3
-------------
When we deploy a distributed system with the above scenario, which ISE node IP addresses do we need to configure on the NAD (switch)? Will it be all 04 IP addresses, or the PAP/MT pair, or the PDPs?
Thanks in advance.
01-15-2013 03:49 AM
There is no concept of primary and secondary PDP. You have your PAP primary and secondary and M&T secondary and primary respectively. You just need to get your PDPs to the point of standalone, then add them to the deployment on your primary admin node. Sounds like you're trying to do that last bit by working on your PDP.
Gaz
Sent from Cisco Technical Support Android App
01-16-2013 02:54 AM
There are the following roles that can be assigned in a deployment:
- Administrative node (aka PAP). There must be 1 PAP and optionally a secondary
- Monitoring Node (aka M&T). There must be at least one and optionally a standby
- Policy Services Node (aka PDP): Performs RADIUS and profiling functions
Each node can take one or more of these roles
For your configuration I would recommend the following:
- Node 1: Administrative
- Node 2: Monitoring
- Node 3: Policy Services Node
- Node 4: Policy Services Node
all connected in one deployment with a single license
Create Node 1 first and then add all the others to the deployment
In addition you should enable the secondary administrative functions on one of the nodes (you should choose which) so it can act as a backup. This will only get used in case of failure of the primary administrative role. You can also enable secondary M&T on a node, but be aware that this is an active standby function and so is always operational
Hope that helps
02-25-2013 11:56 PM
The license should be generated against the primary administrative node. Once installed on the administrative node, it will replicate to all servers in the deployment
01-14-2013 12:10 PM
Question 1
- Do not know why you are putting this into two deployments. I think you should create a single deployment with primary, M&T and two PDP nodes
Question 2
If there was a single deployment there would be no warning about licenses
Question 3
You configure the PDP addresses on the NAD. It is the PDPs that process RADIUS traffic
01-14-2013 09:21 PM
Question 1
- Actually, this is the requirement that we need to achieve; can you please let us know whether this is possible or not?
- Your answer is not clear to me: when you said "single deployment with primary, M&T and two PDP nodes", which node roles will be PRI and which node roles will be SEC?
The answers to the rest of the questions depend on the reply to question 1.
02-24-2013 08:19 AM
Dear jrabinow/Gaz,
Many thanks for all your responses and taking time on this.
We just started the deployment after some long delays. Now my last question is: on which node should I apply the license? Can it be on any of the PDPs? I have generated the license against this node's serial number, and the same IP address has been given to the network team to configure all the access switches, and we do not want to change the role of this node.
Thanks in advance.
02-26-2013 12:13 AM
Hi jrabinow,
Many thanks for all your patient answers to my questions.
01-16-2013 10:38 AM
Hi,
As I understand it, the deployment is:
Node-1 PAN Primary + PMN Secondary
Node-2 PAN-Secondary + PMN Primary
Node-3 PSN
Node-4 PSN
But I have a doubt: if I do not have a load balancer, should I put the PSNs in a group?
Regards,
Fabian
01-16-2013 03:40 PM
No great need for load balancing at this level. Set up half your switches with PSN1 as primary RADIUS and PSN2 as secondary RADIUS, then the other half the other way around.
Sent from Cisco Technical Support Android App
03-03-2013 09:33 PM
Question 1
We have 04 ISE appliances and we are planning to deploy them in a distributed system in such a way that 02 ISE nodes will act as PRI/SEC with the PAD/M&T roles and the other 02 will act as PRI/SEC PDPs. Configuring the PAD/MT pair is straightforward and we have no doubts there; however, we have an issue with the other two nodes (PDP) as PRI/SEC. ISE gives us a warning that at least one node should have the monitor role enabled; however, by that time the Admin role is already enabled and we can't disable it. If someone has deployed this, I would appreciate guidance in the proper direction or any document on how to achieve this requirement.
Answer- The type of ISE deployment you want to implement is Distributed with HA.
In this particular case, you must have a PAN and one MNT, and the rest of the nodes can be PSNs, depending on your requirement.
In your case you are going to run PAN & MNT on a single node with HA, and the other 2 nodes are left for PSNs.
There is no concept of HA for an individual PSN; all your PSNs will remain active. However, you can distribute the requests coming from NADs between the 2 PSNs, e.g. configure some NADs with one PSN IP and the rest with the other PSN.
Question 2
My other query is about licensing for this requirement. We have only 1 Base and 1 Adv license for all these 04 boxes, for about 500 endpoints. However, we can generate licenses against only 1 ISE appliance by giving its serial number, and that will be installed on the Primary PAP/MT box only; what about the other two boxes which will act as PRI/SEC PDPs? They will still give a warning that there are no licenses.
Answer- The first node in ISE is considered the Primary node under the ISE instance, so when you add more ISE appliances under that ISE instance, all become secondary except the first one.
Hence you install licenses on the Primary ISE node, the one on which you installed ISE at the early stage or introduced into your network.
So licenses are meant for the ISE instance, not for the node.
Question 3
When we deploy a distributed system with the above scenario, which ISE node IP addresses do we need to configure on the NAD (switch)? Will it be all 04 IP addresses, or the PAP/MT pair, or the PDPs?
Answer- On NADs you have to configure the PSNs' IPs; e.g. you can configure one PSN IP as primary and the other one as secondary.
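The NAD side of what Gaz and the answer above describe (half of the access switches with PSN1 as primary RADIUS server and PSN2 as secondary, the other half reversed, with both PSNs always active), as an added Cisco IOS/IOS-XE configuration example that is not part of the original thread. The server names ISE-PSN1/ISE-PSN2, the addresses 10.10.10.11 and 10.10.10.12, the group name ISE-PSNS, the probe username and the shared-secret placeholder are all constructed assumptions; replace them with your own values.

```cisco
! Added example, not from the thread. Names, addresses and the key are
! placeholders. ISE has no primary/secondary PSN; the switch simply tries
! the first server listed in its AAA group before the second one.
!
! ---- Switch group A: PSN1 first, PSN2 second ----
aaa new-model
!
radius server ISE-PSN1
 address ipv4 10.10.10.11 auth-port 1812 acct-port 1813
 key REPLACE-WITH-SHARED-SECRET
 ! periodic test request so a dead PSN is noticed before a real user is delayed
 automate-tester username radius-probe probe-on
!
radius server ISE-PSN2
 address ipv4 10.10.10.12 auth-port 1812 acct-port 1813
 key REPLACE-WITH-SHARED-SECRET
 automate-tester username radius-probe probe-on
!
! mark a server dead after 3 unanswered tries within 5 seconds, then skip it
! for 10 minutes so each new authentication does not wait out the timeout
radius-server dead-criteria time 5 tries 3
radius-server deadtime 10
!
! the order of the "server name" lines is the order the switch tries them
aaa group server radius ISE-PSNS
 server name ISE-PSN1
 server name ISE-PSN2
!
aaa authentication dot1x default group ISE-PSNS
aaa authorization network default group ISE-PSNS
aaa accounting dot1x default start-stop group ISE-PSNS
!
! both PSNs may send Change-of-Authorization (CoA) to this switch
aaa server radius dynamic-author
 client 10.10.10.11 server-key REPLACE-WITH-SHARED-SECRET
 client 10.10.10.12 server-key REPLACE-WITH-SHARED-SECRET
!
dot1x system-auth-control
!
! ---- Switch group B: identical, except the server order in the group ----
! (the radius server definitions, dead-criteria, aaa lines and CoA clients
!  are the same as above; only this block differs)
aaa group server radius ISE-PSNS
 server name ISE-PSN2
 server name ISE-PSN1
```

Only one of the two group definitions belongs on any given switch; the "group B" block is what the other half of the switches get instead of the "group A" block. Every switch still has to be added as a Network Device on the ISE side with the same shared secret, or the PSN silently drops its requests. The automate-tester probe counts any RADIUS response, including an Access-Reject, as proof the server is alive, so the probe account needs no valid credentials, but its failed authentications will show up in the ISE live logs unless you filter or suppress them.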