ISE fail over

nicanor00
Level 1

Hi, I have 2 ISE 3315 working in standalone mode

I have 2 sites

ISE_1 is installed on site 1 and manages user groupe_1

ISE_2 is installed on site 2 and manages user groupe_2

I am planning to use the 2 ISE in failover

I would like to configure

1. ISE_1 to be primary for user groupe_1 and secondary (backup) for user groupe_2

2. ISE_2 to be primary for user groupe_2 and secondary (backup) for user groupe_1

Please, how can I configure it?

Which modifications would I add on the switch, WLC and ISE?

Thanks in advance for your help

12 Replies

chris_day
Level 1

I would suggest you follow the ISE user guide. I have done this a bunch, but it's not simply answered in a forum, and companies usually pay an ATP certified integrator to do this. I'm not saying you can't figure it out, but be aware it's not easy for someone who has never done it before. You say your ISE nodes are at separate sites; be aware of the bandwidth requirements for clustering ISE nodes together. You also need to know the difference between the roles and personas as well. If you want to deploy a primary and secondary admin node you need a 1 Gb connection between the two nodes due to the DB replication requirements on the backend. Some good reading is also the TrustSec design guide, which is easily found online.

1 Gb for replication between the 2 nodes?

Are you sure that it absolutely needs so much bandwidth?

I read the user guide and I see that you can choose some modules (personas) such as administration, monitoring, policy to be primary on one node and secondary on the other node.

But in my case I plan to use the

whole ISE_1 to be primary for user groupe_1 and secondary (backup) for user groupe_2

and whole ISE_2 to be primary for user groupe_2 and secondary (backup) for user groupe_1

Is it a good plan?

Regards

ahmed.aborahal
Level 1

Hello,

In this case, you can use a simple 2-node deployment scenario. In this scenario you will have ISE-1 as: primary admin, secondary monitor, and PSN. You'll have ISE-2 as: secondary admin, primary monitor, and PSN.

Be aware of these points:

1- If ISE-1 goes down, you have to access the ISE-2 GUI and promote it manually.

2- If ISE-2 fails, no problem: the monitoring persona failover happens automatically.

3- To load balance the users you are talking about, you have to do this based on the NADs. For example, you have 4 switches, so do the following:

A. Make SW1 and SW2 point to ISE-1 and ISE-2 as the RADIUS servers, but give higher priority to ISE-1.

B. Make SW3 and SW4 point to ISE-1 and ISE-2 as the RADIUS servers, but give higher priority to ISE-2.

So you have divided the job between the two nodes; if one is down, the other will handle all the communications with the NADs.


Check this document for all the info you may need regarding distributed deployments (and yes, the connection speed between the two nodes should be 1 Gbps):

http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_50_ise_deployment_tg.pdf

Message was edited by: Ahmed AboRahal to add the document link.

Just to add to Ahmed's post: if you do the scenario he posted, which supports up to 2,000 or so nodes with ISE 1.1.X and 5,000 or so with ISE 1.2.X sized correctly, you will have a single pane of glass management and cluster. Everything works nicely this way; you can manage, monitor, and patch from the primary admin node. I suggest once you go over 2,500 nodes that you should split your Policy Service Nodes from your Admin and Monitoring nodes and make sure those nodes are dedicated. You can deploy PSNs and have redundancy and HA through the use of load balancers or the radius batch command on your switches. Read the guide as it has all the exact supported numbers; the numbers I put in here are just off the top of my head. Always refer to the doco and keep to a supported deployment.

If you do two separate clusters you will have to manage in two different places and also license both clusters; I wouldn't consider this a good deployment. Only if you had two separate ADs might this be required, and with that said, ISE 1.3 has multi-domain support on the roadmap, but its release is a ways out. Read the TrustSec documentation as well; not only does it provide best practices and deployment scenarios, it also provides configuration examples of all components of the deployment.

Hi, I have 2 separate ISE version 1.1 with 2 separate licenses.

The 2 ISE are installed in 2 different cities.

Please can you confirm 1 Gb for replication between the 2 nodes?

Are you sure that it absolutely needs so much bandwidth?

I need to choose the right failover option.

I read the user guide and I see that you can choose some modules (personas) such as administration, monitoring, policy to be primary on one node and secondary on the other node.

But in my case I plan to use the

whole ISE_1 to be primary for user groupe_1 and secondary (backup) for user groupe_2

and whole ISE_2 to be primary for user groupe_2 and secondary (backup) for user groupe_1

Is it a good plan?

The 1 Gb link is required between the Primary Admin Node and the Secondary Admin Node. I'm still not sure if you are building two separate clusters and licensing each cluster itself or if you are doing a single cluster. If you are doing a single cluster and don't have a 1 Gb link between data centres, then I would suggest 3 ISE nodes:

  • Site A Server 1 (Primary Admin Node, Secondary Monitor, PSN)
  • Site A Server 2 (Secondary Admin Node, Primary Monitor, PSN)
  • Site B Server 3 (PSN)

Make sure you follow the TrustSec and User Guide, as at a certain point you must break the PSN persona from the Admin and Monitoring Nodes and make them dedicated. ISE is not easy for someone who has no training; I would suggest getting an ATP certified ISE integrator in to make sure this goes in correctly. Cisco has strict requirements for ISE deployments; you should have a High Level Design verified by Cisco or a certified partner.

Thanks for your answer.

I would like to know: if I have a license for

  • Site A Server 1 (Primary Admin Node, Secondary Monitor, PSN)

Do I need also another license for

  • Site A Server 2 (Secondary Admin Node, Primary Monitor, PSN)

As I told you, I have 2 ISE with 2 different licences for site 1 and site 2.

I would like to know if I can buy 2 other ISE as secondary for site 1 and site 2 without an additional license.

Regards

Licenses are centrally managed by the ISE administration node. In a distributed deployment, where two ISE nodes assume the Administration persona (primary and secondary), upon successful installation of the license file, the licensing information from the primary Administration node is propagated to the secondary Administration node. So there is no need to install the same license on each Administration node within the deployment.

That said, you would not need to install a license on the Secondary Admin node on site A Server 2.

If you plan on buying two other ISE units, what personas do you plan to deploy them in?

As Malavika said, licensing is very simple with ISE. You only need to install your license on the Primary Admin Node, and this licenses your entire cluster. Licensing is done per concurrent endpoint license; the nodes are not licensed. You can have 100 endpoints licensed and put 10 ISE nodes in your cluster and the licensing does not change. You do need to have maintenance purchased for your nodes; Cisco needs to pay for that enterprise DB that runs ISE and Oracle is not cheap, so if Cisco finds you added nodes into your cluster without purchasing the node or maintenance for the node, you could find yourself without support. The nodes are not licensed, so it's done a lot like CME: the licensing is on the honor system, but it's easy for TAC to find out if you are adding ISE VMs without maintenance.

blenka
Level 3

Hi all, and thanks for your answers.

@Chris, if I implement your design,

Site A Server 1 (Primary Admin Node, Secondary Monitor, PSN)

Site A Server 2 (Secondary Admin Node, Primary Monitor, PSN)

Site B Server 3 (PSN)

I would like to know:

  1. Is there any replication between Server 3 and the Server 1 or Server 2 PSN?
  2. What will be the bandwidth requirement between Server 3 and Server 1?
  3. What will be the bandwidth requirement between Server 3 and Server 2?
  4. Is it possible to configure Server 1 as primary PSN for users on site A and secondary PSN for users on site B, then configure Server 3 as primary PSN for users on site B and secondary PSN for users on site A? So if Server 3 fails, users on site B will be automatically authenticated on the Server 1 or Server 2 PSN?

Please advise

Regards

Your bandwidth requirements will depend on a multitude of variables; not massive, but it does need to be looked at deeper if you're worried. It depends on the size of the database.

Regarding question 4, you can control which PSNs are used by setting up your RADIUS configuration on the NADs to use their local PSN first and so on. Each NAD can be configured individually, so the choice is yours.
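The per-NAD RADIUS ordering that both Ahmed's point 3 and the reply to question 4 describe (each switch lists both PSNs, with its local node first, and falls over to the other when the first stops answering) looks like the following on a Cisco IOS switch. This is an added example, not configuration from the thread or from the ISE documentation. The server names, the 192.0.2.x addresses, the group name and the shared-secret placeholder are constructed values; the only thing to change between the site 1 and site 2 switches is the order of the two `server name` lines.

```ios
! Added example (not from the thread): IOS switch AAA config for two ISE PSNs,
! preferring the local node. Names, addresses and the secret are constructed.
aaa new-model
!
! Define both PSNs once. Use a long, per-NAD shared secret in place of the placeholder.
radius server ISE-1
 address ipv4 192.0.2.11 auth-port 1812 acct-port 1813
 key SHARED_SECRET_PLACEHOLDER
!
radius server ISE-2
 address ipv4 192.0.2.12 auth-port 1812 acct-port 1813
 key SHARED_SECRET_PLACEHOLDER
!
! Servers in a group are tried in the order listed. This is the SW1/SW2 (site 1)
! version with ISE-1 first; on SW3/SW4 (site 2) swap the two "server name" lines
! so ISE-2 is preferred and ISE-1 is the backup.
aaa group server radius ISE-GROUP
 server name ISE-1
 server name ISE-2
 deadtime 10
!
! Declare a server dead after 3 unanswered requests within 5 seconds, so the switch
! moves to the backup PSN quickly instead of timing out every supplicant in turn.
! "deadtime 10" keeps it marked dead for 10 minutes before it is retried.
radius-server dead-criteria time 5 tries 3
!
aaa authentication dot1x default group ISE-GROUP
aaa authorization network default group ISE-GROUP
aaa accounting dot1x default start-stop group ISE-GROUP
!
! Verification after a failover test: "show aaa servers" reports each server's
! state (UP or DEAD) and the counters for requests sent to it.
```

The WLC follows the same principle: the order in which its RADIUS authentication and accounting servers are listed for a WLAN decides which PSN is preferred, so the site 2 controller would list ISE-2 first. Note that this only steers traffic; since both PSNs belong to one deployment, a user authenticates against the same policy on either node, which is what makes the "secondary PSN" behaviour in question 4 automatic once the primary stops responding.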