ISE high availability

pohjaton1
Level 1

Hi, I am searching for clear documentation which tells which service is located on which persona and what is affected in case PAN or Secondary admin and primary monitoring or PSN is down.

Do the guest sponsor and authentication portals run on every PSN, etc.?

Could you please point me to the correct destination for such combined documentation? Services per persona and what is affected when one of them is down.

Thanks

Accepted Solutions

Recommend reviewing the Reference Presentation of BRKSEC-3699 at ciscolive.com.

There are a number of flows which can be impacted while the PAN is unavailable, including portal flows. For example, self-registered guests require the PAN to be accessible to first instantiate the Guest account. Device Registration (hotspot, guest, BYOD) also requires an update to the central endpoint DB.

Yes, be sure to implement PAN failover to limit the window of outage.

Craig


paul
Level 10

This link shows what is available if the primary PAN is down:

Cisco Identity Services Engine Administrator Guide, Release 2.3 - Set Up Cisco ISE in a Distributed Environment [Cisco …

If you have PAN autofailover enabled, you shouldn't lose access to any of the PAN features though.

All ISE nodes log to both M&T nodes by default, so it doesn't matter which one is up or which one is down. As long as you have one available, you should have access to the services provided by the M&T.

The PSNs are independent entities that are capable of running all the authentications you ask of them, including portal services. As long as your NADs are correctly pointed to multiple PSNs or the PSNs are behind a load balancer, it shouldn't matter if you lose a single PSN.

pohjaton1
Level 1

Thanks for the help. This was exactly what I was looking for.

Just hoping there would be a clear matrix available in the ISE resource pages, to show all this in one single look.

If there was a single document on ISE HA, it would be the reference version of the BRKSEC-3699 session posted to ciscolive.com. It is over 500 slides, which are more reference content than slideware. I try to track all details, even if not covered during the live presentation, to keep this as a consolidated reference on the topic of HA and scale.

Thanks again. Spent some hours with these and I feel enlightened.