Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1674
Views
0
Helpful
4
Replies

ISE - HA

Go to solution
KingTech1
Level 1
Level 1

‎03-18-2020 03:38 AM - edited ‎03-18-2020 03:43 AM

Hello,

 

I need some advice if possible, we're licensed for 4 small ISE servers and someone ages ago installed a 5th and didn't get it licensed properly.

 

So I need to turn one off until we get funds to pay for a 5th and I cant decide which one.

 

Our setup is as follows:

x2 PAN servers in HA

x2 PSN servers in HA

x1 PSN server in DMZ for guest portal

 

ISE is just used for Radius for wifi (so clients can connect) and guest portal for visitors.

 

I'm thinking I turn off and deregister (?) one of the PSN servers but is that the safest one to do??

 

Thanks

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to KingTech1

‎03-18-2020 05:23 AM

Deregister the node from the deployment first - then you can safely shut it down. Here is the section of the Admin Guide telling you the detailed steps:

https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/admin_guide/b_ise_admin_guide_26/b_ise_admin_guide_26_chapter_011.html#ID665

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎03-18-2020 04:07 AM

If the system isn't heavily loaded then you could add the PSN role to one of the PAN/MnT nodes and decommission one dedicated PSN (the one that's listed second in your network access devices). It's not strictly a best practices design but will work functionally and make your licensing compliant.

0 Helpful

Go to solution
KingTech1
Level 1
Level 1
In response to Marvin Rhoads

‎03-18-2020 04:16 AM

Thanks for this, great idea.  None of the servers are heavily used.

 

You dont by chance know what steps do I need to follow to get rid a of a PSN server from ISE?  I dont think just turning it off will cut it.

0 Helpful

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame
In response to KingTech1

‎03-18-2020 05:11 AM

You can delete the node.  its like same sitatuation think as if one of the node fails, ISE Group shiftover traffic to other available nodes.

 

here is some referenec guide :

 

https://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_dis_deploy.html#wp1134272

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to KingTech1

‎03-18-2020 05:23 AM

Deregister the node from the deployment first - then you can safely shut it down. Here is the section of the Admin Guide telling you the detailed steps:

https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/admin_guide/b_ise_admin_guide_26/b_ise_admin_guide_26_chapter_011.html#ID665

0 Helpful
Customers Also Viewed These Support Documents