07-25-2017 05:36 AM - edited 03-11-2019 12:53 AM
All,
Quick question: I have two ISE servers, and in order to create HA, can I run one that does admin, policy and monitoring and another one which does policy only?
If I want to have a pair of ISE nodes running all three services, then I understand I will need another node to do a health check and failover between the primary and secondary.
This is my ideal scenario but not what I have, as I only have 2 ISE servers.
How would you set it up?
Two servers running all three services with manual failover, or one as primary and one as a service node only?
07-25-2017 06:42 AM
Your scenario gives you no failover should the Admin node go down.
Run two servers with all three personas, with manual promotion if needed.
07-25-2017 07:32 AM
Wouldn't the policy server continue to work even if the admin server is down?
I guess the question I am asking is, can ISE survive without the monitoring and admin node?
In order to run them as failover, do you make one primary and then register the other server as secondary?
I tried doing this but it gave me an error, so I think I need to export each ISE certificate and import it to the other one.
Many thanks.
07-25-2017 07:48 AM
No, the PSN will not continue to work without the PAN. See this table here:
Here is the reference for that table:
Yes, you have to install the certs from one to the other and then register them. See the section entitled:
07-28-2017 01:53 AM
Many thanks for this.
I have set up primary and secondary successfully.
My question is, on switches and WLCs, do I point the devices to use primary and secondary?
If yes, then would the secondary process requests, or will it ignore them while not promoted to primary?
When the secondary takes over and it is promoted, it retains its existing IP and does not take over the primary IP, correct?
In other words, there is no system such as HSRP. I then think this is not very scalable, as if you have 10 policy servers, does that mean one has to add all 10 to its RADIUS communication rather than adding one as a gateway which then passes the requests down, such as GLBP?
I guess one way is to have something like an F5 in front of the ISE, but that makes ISE itself not a great solution, and it doesn't have a built-in scalable option.
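The questions above are about how a network device reaches several PSNs when there is no shared virtual IP. The following Catalyst IOS configuration is an added example, not posted by anyone in this thread and not Cisco documentation: it lists both ISE nodes as RADIUS servers in one server group, so the switch itself fails over between them using dead-server detection, and it registers both nodes as CoA clients so whichever PSN handled the session can push a change of authorization. The IP addresses (10.0.0.11, 10.0.0.12), the shared secret and the probe username are placeholders you would replace with your own values.

```ios
! Added example: a switch pointed at two ISE PSNs directly, with no load balancer.
! Placeholder values: 10.0.0.11 / 10.0.0.12 (PSN addresses), <shared-secret>, ise-probe-user.
aaa new-model
!
! Each PSN is defined once; the automate-tester sends a periodic test
! authentication so a dead server is noticed even when no users log in.
! (automate-tester with idle-time is IOS 15.x syntax; IOS-XE also accepts probe-on.)
radius server ISE-PSN-1
 address ipv4 10.0.0.11 auth-port 1812 acct-port 1813
 key <shared-secret>
 automate-tester username ise-probe-user idle-time 5
!
radius server ISE-PSN-2
 address ipv4 10.0.0.12 auth-port 1812 acct-port 1813
 key <shared-secret>
 automate-tester username ise-probe-user idle-time 5
!
! Mark a server dead after 3 unanswered requests within 10 seconds,
! then skip it for 15 minutes before trying it again.
radius-server dead-criteria time 10 tries 3
radius-server deadtime 15
!
! Both PSNs in one group: the switch tries them in order and skips dead ones.
aaa group server radius ISE-GROUP
 server name ISE-PSN-1
 server name ISE-PSN-2
!
! Send 802.1X authentication, authorization and accounting to the group.
aaa authentication dot1x default group ISE-GROUP
aaa authorization network default group ISE-GROUP
aaa accounting dot1x default start-stop group ISE-GROUP
!
! Accept Change of Authorization (CoA) from either PSN, since either may own a session.
aaa server radius dynamic-author
 client 10.0.0.11 server-key <shared-secret>
 client 10.0.0.12 server-key <shared-secret>
!
dot1x system-auth-control
```

Adding a third PSN is one more `radius server` block, one more `server name` line in the group and one more CoA client; the switch-side failover does not depend on which ISE node is currently the primary PAN. `show aaa servers` on the switch shows the up/dead state of each PSN, which is the first thing to check when authentications stall.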
11-05-2017 06:14 PM
Hi,
I'm interested in your question:
"when secondary takes over and it is promoted, it retains it existing ip and does not take over the primary ip, correct ?"
Have you got the answer yet? I'm curious about that too. When the Secondary takes over, do I need to use the Secondary IP address or the Primary IP address to access the PAN?
Thank you
Arie
07-25-2017 07:55 AM
Hi,
If the policy server (PSN) is up, authentications would still be working.
But if you do not have a secondary admin and the primary admin goes down that means you cannot manage the ISE.
You cannot create/delete policies, deploy anything, logs etc. if the admin node is down.
To register a secondary node, complete the following steps:
Step 1 Log into the primary Administration ISE node.
Step 2 Choose Administration > System > Deployment.
Step 3 Click Deployment from the navigation pane on the left.
The Deployment list page appears.
Step 4 After you have configured your primary Administration ISE node, do one of the following:
•Choose Register > Register an ISE Node to register a secondary ISE node. See the "Configuring a Cisco ISE Node" section for information on how to configure your primary Administration ISE node.
•Choose Register > Register an Inline Posture Node to register a secondary Inline Posture node. For more information on deploying an Inline Posture node, see Chapter 10, "Setting Up Inline Posture."
Note We recommend that you decide on the type of node at the time of registration. If you want to change the node type later, you have to deregister the node from the deployment, restart Cisco ISE on the standalone node, and then reregister it.
Cisco ISE prompts you to enter the following information:
•Node hostname or IP address.
•User Name
•Password
Step 5 Enter a DNS-resolvable hostname or IP address of the secondary Cisco ISE node.
Note You must have defined the IP address and the FQDN of the secondary node in the DNS server.
Step 6 Enter a UI-based administrator credential for the standalone node in the Username and Password fields.
Before you register, the secondary node should be in the standalone state. After you register it to the primary, it begins to receive database updates from the primary. To view the status of the replication, you can go to the Deployment list page (Administration > System > Deployment) and look at the Replication Status information provided there.
Step 7 Click Next to go to the edit configuration page. Cisco ISE contacts the secondary node, obtains some basic information such as the hostname, default gateway, and so on, and displays it.
If you have chosen to register a secondary ISE node, you can edit the configuration of the secondary node. See Next Step for information on the Administration, Monitoring, and Policy Service options.
If you have chosen to register a secondary Inline Posture node, no additional configuration needs to be performed at this point.
Step 8 Click Save to save the configuration.
After you register the secondary node, the configuration of the
Please check this link for more info:
http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_dis_deploy.html
Regards,
Aditya
Please rate helpful and mark correct answers