Cisco ISE Part 4: High availability
This is a Cisco ISE blog post series with some how-tos for configuring the ISE deployment. The series consists of 10 parts.
The blog post agenda:
Part 1: introduction
Part 2: installation
Part 3: Active Directory
Part 4: High Availability
Part 5: Configuring wired network devices
Part 6: Policy enforcement and MAB
Part 7: Configuring wireless network devices
Part 8: Inline posture and VPN
Part 9: Guest and web authentication
Part 10: Profiling and posture
This week, a short post, part 4: High Availability.
The admin and monitoring nodes are only available in Active/Standby.
All configuration is done on the primary Admin node. All other nodes are managed by this node. In case of a failure, the secondary admin node has to be manually promoted to primary (ISE 1.X).
Policy nodes can be clustered. Switches can use the cluster IP as the RADIUS server. The cluster will act like a load balancer.
Switches (NADs) can send syslog messages (UDP 20514) to the monitoring nodes. All logging is sent / replicated to both HA monitoring nodes.
First, a node has to be registered with the admin node. This requires a user account on the new node and a prepared trust list. Changing the secondary administration role is only possible by deregistering.
Registering of a node is certificate based:
- Self signed
- CA signed
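
To see what preparing the trust list means for the two certificate types, the following added example (not from the original post, and not ISE's own validation code) checks exported PEM certificates against a trust list file with `openssl verify` on a workstation. The CA, the node names `ise-psn1.example.test` and `ise-psn2.example.test`, and all keys are constructed for the demo.

```shell
#!/bin/sh
# Added example; every name, key and certificate here is constructed.

# would_trust TRUST_PEM CERT_PEM: succeeds if CERT_PEM chains to a
# certificate contained in the trust list file TRUST_PEM.
would_trust() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# make_demo_pki DIR: create a constructed root CA, a CA-signed node
# certificate (psn1) and a self-signed node certificate (psn2) in DIR.
make_demo_pki() {
    d=$1
    mkdir -p "$d" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo Root CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=ise-psn1.example.test" \
        -keyout "$d/psn1.key" -out "$d/psn1.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/psn1.csr" -days 1 \
        -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
        -out "$d/psn1.pem" 2>/dev/null || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=ise-psn2.example.test" \
        -keyout "$d/psn2.key" -out "$d/psn2.pem" 2>/dev/null || return 1
}

# report TRUST_PEM CERT_PEM: print the verdict for one certificate.
report() {
    if would_trust "$1" "$2"; then
        echo "trusted"
    else
        echo "NOT trusted"
    fi
}

demo=$(mktemp -d)
make_demo_pki "$demo" || { echo "openssl failed" >&2; exit 1; }
echo "trust list = CA only"
echo "  psn1 (CA-signed):   $(report "$demo/ca.pem" "$demo/psn1.pem")"
echo "  psn2 (self-signed): $(report "$demo/ca.pem" "$demo/psn2.pem")"
# Self-signed nodes have no issuer to import, so the node's own
# certificate has to be added to the trust list.
cat "$demo/ca.pem" "$demo/psn2.pem" > "$demo/trust.pem"
echo "trust list = CA + psn2 certificate"
echo "  psn2 (self-signed): $(report "$demo/trust.pem" "$demo/psn2.pem")"
rm -rf "$demo"
```

This checks the certificate chain only; it does not check hostnames, key usage or revocation.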