Cisco ISE Part 4: High availability

This is a Cisco ISE blog post series with some how-to’s for configuring an ISE deployment. The series consists of 10 parts.

The blog post agenda:

Part 1: introduction
Part 2: installation
Part 3: Active Directory
Part 4: High Availability
Part 5: Configuring wired network devices
Part 6: Policy enforcement and MAB
Part 7: Configuring wireless network devices
Part 8: Inline posture and VPN
Part 9: Guest and web authentication
Part 10: Profiling and posture

This week a short post, part 4: High Availability.

The admin and monitoring nodes are only available in Active/Standby.

All configuration is done on the primary Admin node; all other nodes are managed by this node. In case of a failure, the secondary admin node has to be manually promoted to primary (ISE 1.X).

Policy nodes can be clustered. Switches can use the cluster IP as RADIUS server; the cluster acts as a load balancer.

Switches (NADs) can send syslog messages (UDP 20514) to the monitoring nodes. All logging is sent to and replicated between both HA monitoring nodes.

First, a node has to be registered with the admin node. Requirements for this are a user account on the new node and a prepared trust list. Changing the secondary administration role is only possible by deregistering the node.

Registering of a node is certificate based:

  • Self signed
  • CA signed

Make sure that all management certificates are valid for the (primary) admin node. It’s recommended to use (internal) CA-signed certificates on all nodes.
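A pre-registration check for the certificate requirement above, added here as an example and not part of the original post: it connects to each node’s admin HTTPS port, verifies the chain against the internal CA bundle only (so a self-signed or foreign-CA certificate is reported), and flags an expired, soon-expiring or wrongly named certificate. The node names, port 443 and the CA bundle path are assumptions.

```python
import socket
import ssl
import time

# Assumed, not from the original post: node names, admin HTTPS port, internal CA bundle path.
INTERNAL_CA_BUNDLE = "/path/to/internal-ca.pem"  # placeholder path
ISE_NODES = ["ise-psn1.example.local", "ise-mnt1.example.local"]  # constructed names

def san_matches(cert: dict, hostname: str) -> bool:
    """True if a DNS SAN equals hostname or is a single leftmost-label wildcard for it."""
    host = hostname.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        pattern = value.lower().rstrip(".")
        if kind != "DNS":
            continue
        if pattern == host:
            return True
        if pattern.startswith("*.") and "." in host and host.split(".", 1)[1] == pattern[2:]:
            return True
    return False

def cert_problems(cert: dict, hostname: str, now: float, warn_days: int = 30) -> list:
    """Findings for a cert in SSLSocket.getpeercert() format; an empty list means OK."""
    problems = []
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    if now >= not_after:
        problems.append("expired")
    elif now >= not_after - warn_days * 86400:
        problems.append("expires within %d days" % warn_days)
    if not san_matches(cert, hostname):
        problems.append("no DNS SAN matches %s" % hostname)
    return problems

def fetch_cert(hostname: str, cafile: str, port: int = 443) -> dict:
    """Fetch the node's admin cert, verified against the internal CA bundle only (no hostname check here)."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # name mismatch is reported by cert_problems(), not hidden
    ctx.verify_mode = ssl.CERT_REQUIRED  # self-signed / foreign-CA chains raise SSLCertVerificationError
    with socket.create_connection((hostname, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()

def check_node(hostname: str, cafile: str = INTERNAL_CA_BUNDLE) -> list:
    """Pre-registration check for one node; connection and chain errors become findings."""
    try:
        return cert_problems(fetch_cert(hostname, cafile), hostname, time.time())
    except (ssl.SSLError, OSError) as exc:
        return ["connection or chain validation failed: %s" % exc]
```

Run `check_node()` for every node (ISE_NODES) before registering it; an empty list means the certificate is usable as-is, anything else needs fixing first.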

First, promote the administration node to Primary.

Register nodes with this primary node.

Register the secondary administration node first!

After replication, the node will restart. This takes a few minutes. Check the sync status when the node is online again.

In case the primary node is offline, promote the secondary:

Go to Administration – System and click “Promote to Primary”.

Next week part 5 of this blog post series: Configuring wired network devices.