ISE HA Deployment prerequisite issue.

xuekai zhang
Level 1

I encountered this HA node deployment issue. Actually, I finished this feature with an environment of CA and DNS. However, can I finish ISE's HA deployment without CA and DNS?

When I was adding the second ISE node to the first one, I filled the blank with the second ISE's server IP address, and the system notification indicated: "Unable to authenticate xxx. Please check server and CA certificate configuration and try again."

After that notification, I deployed the CA and DNS server. I also signed the certificate and installed the root CA for both ISE nodes, and the DNS records were also done. After that, I filled the blank with the second ISE's FQDN and administration account. It was done successfully.

So if my environment doesn't have CA and DNS, does that mean I can't finish ISE's HA function?

Any help or suggestion will be appreciated!
 

2 Accepted Solutions


nspasov
Cisco Employee

Hello-

DNS: Your ISE nodes must be resolvable via DNS before they can be registered in a "cluster." In fact, I think the DNS is also required before the install script would complete.

CA: On the other hand, a CA is not required. If you don't have a CA, you can use the self-signed ISE certificates. You will need to import the self-signed certs to "Certificate Store" in ISE.

Hope this answers your question(s)

 

Thank you for rating helpful posts! 


abwahid
Level 4

Hi,

You cannot do ISE HA deployment without CA and DNS.

DNS: When you upgrade a complete Cisco ISE deployment, Domain Name System (DNS) server resolution is mandatory; otherwise the upgrade will fail.

CA: During the split deployment upgrade, before you register the nodes to the new primary Administration node, you must do the following:

- If you use a self-signed certificate, you must import the self-signed certificate of all nodes to your new primary Administration node.

- If you use different CA certificates for the nodes, you must import all the CA certificates into the new primary Administration node.

- If you use the same CA certificate for the nodes, you must import that CA certificate into the new primary Administration node.

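A pre-flight check for the two prerequisites discussed in the answers above (DNS resolution of every node and certificate trust on the primary Administration node), as an added example that is not part of the thread and not Cisco tooling. The node names, addresses and certificate fields are constructed, and the `lookup` parameter is a hypothetical injection point so the check can also run offline.

```python
import socket

# Constructed sample inventory (not from the thread): FQDN, expected IP, and the
# subject/issuer copied from each node's admin certificate.
NODES = [
    {"fqdn": "ise1.example.test", "ip": "192.0.2.11",
     "subject": "CN=ise1.example.test", "issuer": "CN=ise1.example.test"},
    {"fqdn": "ise2.example.test", "ip": "192.0.2.12",
     "subject": "CN=ise2.example.test", "issuer": "CN=Lab Root CA"},
    {"fqdn": "ise3.example.test", "ip": "192.0.2.13",
     "subject": "CN=ise3.example.test", "issuer": "CN=Lab Root CA"},
]

def resolve(fqdn, lookup=socket.getaddrinfo):
    """Return the sorted addresses an FQDN resolves to, or [] if lookup fails."""
    try:
        return sorted({info[4][0] for info in lookup(fqdn, 443)})
    except socket.gaierror:
        return []

def dns_problems(nodes, lookup=socket.getaddrinfo):
    """List nodes whose FQDN does not resolve or resolves to an unexpected IP."""
    problems = []
    for node in nodes:
        addrs = resolve(node["fqdn"], lookup)
        if not addrs:
            problems.append(f"{node['fqdn']}: does not resolve")
        elif node["ip"] not in addrs:
            problems.append(f"{node['fqdn']}: resolves to {addrs}, expected {node['ip']}")
    return problems

def certs_to_import(nodes):
    """Certificates the primary must trust: the node certificate itself when it
    is self-signed (approximated here as issuer == subject), otherwise the
    issuing CA. A CA shared by several nodes is listed once."""
    needed = []
    for node in nodes:
        self_signed = node["issuer"] == node["subject"]
        anchor = node["subject"] if self_signed else node["issuer"]
        if anchor not in needed:
            needed.append(anchor)
    return needed

if __name__ == "__main__":
    for line in dns_problems(NODES):
        print("DNS:", line)
    for anchor in certs_to_import(NODES):
        print("Import into trusted store:", anchor)
```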

7 Replies

Hi Neno Spasov:

You are correct! So the CA environment is not a must. However, a DNS record is a must.

I want to rate your answer as the correct answer, but when I click the correct answer, the system indicates it's an invalid answer. I'll try to find how to rate your answer as the correct answer.

Anyway, thanks!

Glad I was able to help! Thanks for the rating! :)

Hi Neno Spasov:

After the deployment, can these two nodes work normally without DNS?

Can I finish this feature just through IP address, not in the method of FQDN?

Hi abwahid:

Thanks!

Your reply is helpful to me!

I can do ISE's HA with a DNS environment, without a CA server.

 

Hi abwahid:

After the deployment, can these two nodes work normally without DNS?

Can I finish this feature just through IP address, not in the method of FQDN?
