
ISE HA-Mode (Control Webgui)

Xibachao1

Dear professionals,

We have two Cisco ISE nodes (Primary-Secondary).


We have a concern about Device Admin Services. What is its purpose? We have researched it, and it seems to relate to the TACACS service.

In the web GUI of ise-primary we can control all functions like Live Logs, Certificates, Endpoints, etc., but in the web GUI of ise-secondary there is only the Administration tab. We wonder whether this is related to the Device Admin service, which is the one missing on ise-secondary?


Can anyone explain this?


1 Accepted Solution


@Xibachao1 enabling the Device Admin service won't require a reboot.

You can only manage the cluster (all the tabs) from the Primary PAN. The Secondary PAN will only manage the cluster if the Primary has failed and the Secondary is promoted. Only one can be active to manage the cluster.


7 Replies

@Xibachao1 Yes, Device Admin is for TACACS+ management of networking devices. It looks like you just need to enable Device Admin on the secondary node. From the Primary Policy Administration Node (PAN), go to Administration > Deployment, edit the Secondary node and select Enable Device Admin Service. Click Save.

In a distributed deployment only the PAN will display all the tabs, as the configuration is performed centrally on the Primary PAN, which is why you will not see all the tabs on the other node(s).

Hi @Rob Ingram ,

Thank you for your support.

I wonder one more thing: if I enable that config, does it require a reboot or any downtime?

And how can I manage all the tabs on the SPAN (must it be over 3 nodes, or is it impossible; please tell me)?

Thank you.


balaji.bandi
Hall of Fame

You need to enable the Device Admin service on all nodes where it is required; this does not require a restart of ISE.

Only the PAN will be able to manage all the nodes in the deployment.

BB

=====Preenayamo Vasudevam=====


Thanks @Rob Ingram @balaji.bandi a lot.

It seems both ISE nodes use the same authentication database (replicated). So I understand that if ISE-Pri dies, all the database (dropped, failed, passed) switches to ISE-Secondary too and is not related to the "Device Admin" service, right?

For example, if user1 has failed many times on ISE-Primary (20 times), that count is still kept on ISE-Secondary when ISE-Pri dies.

@Xibachao1 yes, but in a two-node cluster you have to manually promote the Secondary node to Primary. The PAN persona is independent of the Device Admin role. You just need to enable the services on both nodes for them both to work as TACACS+ servers.

You have the option to always promote the other node as primary.

Check the guide for reference:

https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/admin_guide/b_ise_admin_3_1/b_ISE_admin_31_deployment.html#ID246

BB
