Cisco ISE Part 4: High availability
This is a Cisco ISE blog post series with some how-to's for configuring an ISE deployment. The series consists of 10 parts.
The blog post agenda:
Part 1: introduction
Part 2: installation
Part 3: Active Directory
Part 4: High Availability
Part 5: Configuring wired network devices
Part 6: Policy enforcement and MAB
Part 7: Configuring wireless network devices
Part 8: Inline posture and VPN
Part 9: Guest and web authentication
Part 10: Profiling and posture
This week a short post, part 4: High Availability.
The administration and monitoring nodes are only available in active/standby.
All configuration is done on the primary admin node; all other nodes are managed from it. In case of a failure, the secondary admin node has to be manually promoted to primary (ISE 1.x), and it is reached on its own IP address, since the two admin nodes do not share a virtual IP.
Policy Service Nodes (PSNs) can be grouped and placed behind a load balancer. Switches then use the load balancer's virtual IP as their RADIUS server and the load balancer distributes requests across the PSNs. ISE itself does not provide that virtual IP; without a load balancer, configure every PSN as a separate RADIUS server on the switch so the switch fails over by itself.
Switches (NADs) can send syslog messages (UDP 20514) to the monitoring (MnT) nodes. All logging is sent to / replicated on both HA monitoring nodes, so configure both as syslog destinations.
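As an added example (not configuration from the original post), a Cisco IOS switch configuration that provides the policy-node redundancy and the MnT syslog forwarding described above: both PSNs are defined in one RADIUS server group with dead-server detection, so the switch fails over on its own without a load balancer, and syslog goes to both monitoring nodes. The IP addresses, server names, probe user name and shared secret are placeholders chosen for this example.

```cisco
! Added example, not from the original post. Addresses, names and the
! shared secret are placeholders for illustration.
aaa new-model
!
! One "radius server" entry per Policy Service Node.
! automate-tester sends a periodic test Access-Request so a dead PSN is
! noticed even when no user is authenticating; the probe user does not
! need to exist on ISE, the reply (accept or reject) is what matters.
radius server ISE-PSN1
 address ipv4 10.1.1.11 auth-port 1812 acct-port 1813
 key Sh4redS3cret-change-me
 automate-tester username radius-probe idle-time 5
!
radius server ISE-PSN2
 address ipv4 10.1.1.12 auth-port 1812 acct-port 1813
 key Sh4redS3cret-change-me
 automate-tester username radius-probe idle-time 5
!
! A server is marked dead after 3 unanswered requests within 5 seconds;
! the switch then skips it for 15 minutes (deadtime) before retrying.
radius-server dead-criteria time 5 tries 3
!
aaa group server radius ISE-GROUP
 server name ISE-PSN1
 server name ISE-PSN2
 deadtime 15
!
! Source all RADIUS traffic from one interface so ISE sees a single
! NAD IP per switch (the IP you add under Network Devices in ISE).
ip radius source-interface Loopback0
!
aaa authentication dot1x default group ISE-GROUP
aaa authorization network default group ISE-GROUP
aaa accounting dot1x default start-stop group ISE-GROUP
!
! Forward switch syslog to both monitoring (MnT) nodes on UDP 20514.
logging host 10.1.1.21 transport udp port 20514
logging host 10.1.1.22 transport udp port 20514
logging trap informational
```

Check the result with "show aaa servers": each PSN should show state UP and the test-authentication counters should increase. The probe authentications for radius-probe will show up as failed attempts in ISE's live authentications, so either create the probe account in ISE or suppress those events in the ISE logging settings. On newer IOS-XE releases the automate-tester command also takes a "probe-on" keyword; verify the exact syntax for your software version.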
First, a node has to be registered with the primary admin node. Requirements for this are an admin user account on the new node (the primary admin node logs in with it to register the node) and a prepared trust list: the certificate of the node being registered, or the CA that signed it, must be in the trusted certificates of the primary admin node. Changing the secondary administration role later is only possible by deregistering the node first.
Registration of a node is certificate based:
- Self signed
- CA signed
Make sure that the management (admin) certificates of all nodes are valid and trusted by the (primary) admin node. With self-signed certificates every node's certificate has to be imported into the trusted store of every other node, so it's recommended to use (internal) CA-signed certificates on all nodes: then only the CA certificate needs to be trusted.
First, promote the administration node to Primary.
Register the other nodes with this primary node.
Register the secondary administration node first!
After registration the configuration is replicated and the node restarts; this takes a few minutes. Check the sync status (Administration – System – Deployment) when the node is online again.
In case the primary node is offline, promote the secondary:
Log in to the secondary admin node, click Administration – System – Deployment and click "Promote to Primary".
Next week part 5 of this blog post series: Configuring wired network devices
Do the nodes need to be on the same LAN?
If so, do they share a virtual address? Or on failover, do you have to point to a different IP address?
The admin nodes can be placed in different VLANs; even the monitoring and policy nodes can be in separate VLANs.
The admin node is only available in active/standby. If the primary admin node fails, you have to manually promote the secondary admin node to primary and, of course, you need to use a different IP to access this backup admin node.
For policy nodes, redundancy is created in the switch config. It's possible to add multiple RADIUS servers in the switch config. This creates high availability for the policy nodes.
Is it possible to use HA with an Appliance 3415 and a virtual instance?
I’m not 100% sure, but I can’t see any reason why it would not be possible.
Can two ISE boxes, one running version 1.3 and the other 1.4, run in a cluster in HA mode? Kindly share some reference docs, if any, to base the answer on.
I took a look at the upgrade guide; it's not possible to run different software versions between nodes. See: http://www.cisco.com/c/en/us/td/docs/security/ise/1-4/upgrade_guide/b_ise_upgrade_guide_14/b_ise_upgrade_guide_14_chapter_010.html
Thanks Rob! I was just planning to upgrade one of my ISE boxes from 1.3 to 1.4 and test a few features. Now I will remove it from the cluster, making it standalone before upgrading. Still, in the doc I don't see it stated in clear words that it's not possible, but everything revolves around secondary/backup with the same version on all, so it seems to make sense. Another question that is pushing me to check again: ideally, what is the process to restore the backup in case it is needed in an emergency, like the production 1.3 ISE going down and I have to bring up the business on a new 1.4 ISE with all the config of the earlier 1.3 ISE?
If we lose the admin nodes (primary and secondary), will the PSN still be able to handle AAA requests, or will service be stopped?