
Policy service setting disappeared after deregistering node.

masyamad
Cisco Employee

Hi Team,

I'm testing an ISE 2-node deployment and noticed that the policy service setting is changed during node deregister/re-register.

In normal status, only session service runs on both ISEs.

initial_status.png

"Enable Profiling service" is unchecked per the customer's requirement.

initial_status(secondary).png

But after deregistration, the setting was changed. "Enable Profiling Service" was moved to checked. And I couldn't uncheck the service because it was greyed out.

Deregisterd.png

Is it expected? Is there a way to un-check "Enable Profiling Service" during the deregister/re-register operation?

1 Accepted Solution

Accepted Solutions

Arne Bier
VIP

That's working as expected because the de-registered node is now Standalone. You would need to make it Primary and then you can select the personas.


Thanks for the comment. When the node is in standalone, I can't disable personas. I think it's expected.
But now I'm considering disabling "Enable profiling service" (not a policy service). It's not a persona but one option of the services of policy service. I think it shouldn't be greyed out...

That may be the case if you don't have a Plus license.

Hi howon,

Now the setting is automatically enabled even though I un-checked "Enabling profiling service". So do you mean the following is the expected behavior?

1) Without a Plus license, profiling service is always enabled.

2) If a Plus license is installed, the administrator can disable profiling service manually.

Why do I need to install a Plus license to keep the un-checked setting?

You don't need a Plus License to enable Profiling Service.  The only time a Plus license is consumed is if you use an Authorization Policy that involves checking the profiled attributes of a client, and then the authZ policy matches.

I don't understand what's going on in your case. You need to share some screen shots. It's very simple. If a node is in Standalone then you cannot enable/disable any services - this is out of the box behaviour. Once you make the node Primary, then you can check and uncheck whatever boxes you like. If this is a single node then you obviously need to enable at least the Admin role. All the other stuff is optional. The standalone node will also automatically be a Monitoring node too, because you need at least one.

Hi Arne,

The issue is simple. Please see the following picture.

large.png

Because the node is now in standalone mode, I understand each service (administration/monitoring/policy service) must run on the box. But what I cannot understand is why "Enable Profiling Service" is greyed out. Is it expected behavior by design?

Then, please also see the next picture.

large2.png

Once I configured redundancy, I can un-check "Enable Profiling Service" on all boxes.

i.e. ISE allows me to disable profiling service in redundancy mode (2 node or distributed) system-wide, but it doesn't allow me to disable the service in standalone mode.

Why can it be disabled only in redundancy mode? What makes the difference?

Making a node Primary doesn't imply redundancy mode. A primary node is the master database that is used to form an ISE deployment. But if there is only one ISE node, and it happens to be the Primary one, then you have one ISE node. There is no redundancy. I don't know why Cisco did it this way (i.e. why they don't allow a node in Standalone mode to toggle the different services).

I never send traffic to a node in standalone mode.  In my opinion this mode is only there to configure the ADE-OS, install system certificates and generally prepare the node to be joined to the rest of the deployment.