08-21-2018 07:02 PM - edited 08-21-2018 07:05 PM
Hi Team,
I'm testing ISE 2 node deployment and noticed policy service setting is changed during node deregister/re-register.
In normal status, only session service runs on both ISEs.
"Enable Profiling service" is un-checked with customer's requirement.
But after deregistration, the setting was change. "Enable Profiling Service" was moved to checked. And I couldn't uncheck the service due to greyed out.
Is it expected? Is there a way to un-check "Enable Profiling Service" during deregister/re-register operation?
Solved! Go to Solution.
08-21-2018 07:43 PM
That's working as expected because the de-registered node is now Standalone. You would need to make it Primary and then you can select the personas
08-21-2018 07:43 PM
That's working as expected because the de-registered node is now Standalone. You would need to make it Primary and then you can select the personas
08-21-2018 11:07 PM
08-24-2018 02:41 PM
That may be the case if you don't have plus license.
08-25-2018 11:03 PM
Hi howon,
Now the setting automatically enabled even though I un-checked "Enabling profiling service". So do you mean following is the expected behavior?
1) Without plus license, profiling service is always enabed.
2) If Plus license is installed, administrator can disable profiling service manually.
Why do I need to install plus license to keep the un-checked setting?
08-26-2018 05:29 PM
You don't need a Plus License to enable Profiling Service. The only time a Plus license is consumed is if you use an Authorization Policy that involves checking the profiled attributes of a client, and then the authZ policy matches.
I don't understand what's going on in your case. You need to share some screen shots. It's very simple. If a node is in Standalone then you cannot enable/disable any services - this is out of the box behaviour. Once you make the node Primary, then you can check and uncheck whatever boxes you like. If this is a single node then you obviously need to enable at least the Admin role. All the other stuff is optional. The standalone node will also automatically be a Monitoring node too, because you need at least one.
08-26-2018 05:43 PM
Hi Arne,
The issue is a simple. Please see following picture.
Because now the node is in standalone mode, I understand each service (administration/monitoring/policy service) must run on the box. But what I cannot understand is "Enable Profiling Service" is greyed out. Is it expected behavior as design?
Then, please also see next picture.
Once I configured redundancy, I can un-check "Enable Profiling Service" on all boxes.
i.e. ISE allows me to disable profiling service in redundancy mode(2 node or distributed) on system-wide, but it doesn't allow to disable the service in standalone mode.
Why can it be disabled only on redundancy mode? What makes the difference?
08-27-2018 01:22 AM
Making a node Primary doesn't imply redundancy mode. A primary node is the master database that is used to form an ISE deployment. but if there is only one ISE node, and it happens to be the Primary one, then you have one ISE node. There is no redundancy. I don't know why Cisco did it this way (i.e. why they don't allow a node in Standalone mode to toggle the different services).
I never send traffic to a node in standalone mode. In my opinion this mode is only there to configure the ADE-OS, install system certificates and generally prepare the node to be joined to the rest of the deployment.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide