Set Up Cisco ISE in A Distributed Environment: Cisco Identity Services Engine Administrator Guide, Release 2.1
Administration Node
A Cisco ISE node with the Administration persona allows you to perform all administrative operations on
Cisco ISE. It handles all system-related configurations that are related to functionality such as authentication,
authorization, auditing, and so on. In a distributed environment, you can have a maximum of two nodes
running the administration persona. The administration persona can take on any one of the following roles:
Standalone, Primary, or Secondary.
Existing guest – CWA: Yes (apart from flows enabled for device registration, such as Hotspot, BYOD, and CWA with automatic device registration)
Guest – AUP: No
Posture: Yes
MDM On-boarding: No
pxGrid Service: No
For certificate provisioning with the internal certificate authority, you have to import the root certificate of
the original Primary PAN and its key into the new primary node after promotion. Certificate provisioning
will not work after auto-failover from PSN nodes that were newly added, that is, added after the promotion of
the secondary node to Primary PAN.
If all the validations pass, the Secondary PAN promotes itself to the primary role.
The following are some sample scenarios (not an exhaustive list) in which automatic failover of the Secondary PAN
would be attempted.
• Health of Primary PAN is consistently not good for the 'Number of failure polls before failover' value
during the polling period.
• Cisco ISE services on the Primary PAN are manually stopped and remain so for the configured 'Number
of Failure Polls before Failover' value.
• Primary PAN is shut down using soft halt or reboot option and remains shut for the configured 'Number
of Failure Polls before Failover' value.
• Primary PAN goes down abruptly (power down) and remains down for the configured 'Number of
Failure Polls before Failover' value.
• Network interface of Primary PAN is down (network port shut or network service down) or it is not
reachable by the health check node for any other reason and remains so for the configured 'Number of
Failure Polls before Failover' value.
Restore of Backup: Restore via the CLI and user interface will be blocked. If PAN auto-failover configuration
was enabled prior to restore, you must reconfigure it after a successful restore.
Change Node Persona: Change of the following node personas via the user interface will be blocked:
• Admin persona in both the Administration nodes.
• Persona of the PAN.
• Deregistration of the health check node after enabling the PAN auto-failover feature.
Other CLI Operations: The following admin operations via the CLI will be blocked:
• Patch installation and rollback
• DNS server change
• IP address change of eth1, eth2, and eth3 interfaces
• Host alias change of eth1, eth2, and eth3 interfaces
• Timezone change
CLI Operations: The following admin operations via the CLI will display a warning message if PAN auto-failover
configuration is enabled. These operations may trigger auto-failover if the service or system is not restarted
within the failover window. Hence, it is recommended to disable the PAN auto-failover configuration while
performing the following operations:
• Manual ISE service stop
• Soft reload (reboot) using the admin CLI
node group should be the same as, or a subset of, the RADIUS servers and clients configured on the NAD.
These nodes would also be configured as RADIUS servers.
While a single NAD can be configured with many ISE nodes as RADIUS servers and dynamic-authorization
clients, it is not necessary for all the nodes to be in the same node group.
The members of a node group should be connected to each other using a high-speed LAN connection such as
Gigabit Ethernet. The node group members need not be L2 adjacent, but L2 adjacency is highly recommended
to ensure sufficient bandwidth and reachability. See the Create a Policy Service Node Group section, on page 20,
for more details.
Monitoring Node
A Cisco ISE node with the Monitoring persona functions as the log collector and stores log messages from
all the administration and Policy Service nodes in your network. This persona provides advanced monitoring
and troubleshooting tools that you can use to effectively manage your network and resources. A node with
this persona aggregates and correlates the data that it collects to provide you with meaningful information in
the form of reports.
Cisco ISE allows you to have a maximum of two nodes with this persona that can take on primary or secondary
roles for high availability. Both the primary and secondary Monitoring nodes collect log messages. In case
the primary Monitoring node goes down, the secondary Monitoring node automatically becomes the primary
Monitoring node.
At least one node in your distributed setup should assume the Monitoring persona. We recommend that you
not have the Monitoring and Policy Service personas enabled on the same Cisco ISE node. We recommend
that the node be dedicated solely to monitoring for optimum performance.
You can access the Monitoring menu from the PAN in your deployment.
Note Monitoring is served from the primary (active) Monitoring node. Monitoring data is only served from the
secondary (standby) Monitoring node when the active node is down. The secondary monitoring node is
read-only.
Caution When the primary node comes back up after a failover, obtain a backup and restore the data to update the
primary node.
is in sync with the new secondary node as new changes are replicated. Once the active-standby pair is defined,
the following rules apply:
• All changes must be made on the primary Monitoring node. The secondary node is read-only.
• Changes made to the primary node are automatically replicated on the secondary node.
• Both the primary and secondary nodes are listed as log collectors to which all other nodes send logs.
• The Cisco ISE dashboard is the main entry point for monitoring and troubleshooting. Monitoring
information is displayed on the dashboard from the PAN. If the primary node goes down, the information
is served from the secondary node.
• Backing up and purging monitoring data is not part of a standard Cisco ISE node backup process. You
must configure repositories for backup and data purging on both the primary and secondary Monitoring
nodes, and use the same repositories for each.
pxGrid Node
You can use Cisco pxGrid to share the context-sensitive information from the Cisco ISE session directory with
other network systems such as ISE ecosystem partner systems and other Cisco platforms. The pxGrid
framework can also be used to exchange policy and configuration data between nodes, such as sharing tags and
policy objects between Cisco ISE and third-party vendors, and for other information exchanges. pxGrid also
allows third-party systems to invoke adaptive network control actions (EPS) to quarantine users or devices in
response to a network or security event. TrustSec information such as tag definition, value, and description
can be passed from Cisco ISE via the TrustSec topic to other networks. The endpoint profiles with Fully Qualified
Names (FQNs) can be passed from Cisco ISE to other networks through an endpoint profile meta topic. Cisco
pxGrid also supports bulk download of tags and endpoint profiles.
You can publish and subscribe to SXP bindings (IP-SGT mappings) through pxGrid. For more information
about SXP bindings, see Source Group Tag Exchange Protocol.
In a high-availability configuration, Cisco pxGrid servers replicate information between the nodes through
the PAN. When the PAN goes down, pxGrid server stops handling the client registration and subscription.
You need to manually promote the PAN for the pxGrid server to become active.
Note Users that are assigned to the EPS user group can perform actions in the Session group, because the pxGrid
Session group is part of the EPS group. If a user is assigned to the EPS group, the user will be able to subscribe
to the Session group on the pxGrid client.
You can use the Test option on the pxGrid Settings page to run a health check on the pxGrid node. You can
view the details in the pxgrid/pxgrid-test.log file.
• Configure the Cisco ISE Admin password when you install Cisco ISE. The previous Cisco ISE Admin
default login credentials (admin/cisco) are no longer valid. Use the username and password that were
created during the initial setup, or the current password if it was changed later.
• Configure the Domain Name System (DNS) server. Enter the IP addresses and fully qualified domain
names (FQDNs) of all the Cisco ISE nodes that are part of your distributed deployment in the DNS
server. Otherwise, node registration will fail.
• Configure the forward and reverse DNS lookup for all Cisco ISE nodes in your distributed deployment
in the DNS server. Otherwise, you may run into deployment-related issues when registering and restarting
Cisco ISE nodes. Performance might be degraded if reverse DNS lookup is not configured for all the
nodes.
• (Optional) Deregister a secondary Cisco ISE node from the Primary PAN to uninstall Cisco ISE from
it.
• Back up the primary Monitoring node, and restore the data to the new secondary Monitoring node. This
ensures that the history of the primary Monitoring node is in sync with the new secondary node as new
changes are replicated.
• Ensure that the Primary PAN and the standalone node that you are about to register as a secondary node
are running the same version of Cisco ISE.
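The DNS prerequisites above (forward and reverse lookup for every node, or registration fails) can be verified before you start registering nodes. The following is an added example, not Cisco's code: it checks a constructed inventory of node FQDN/IP pairs against an injectable resolver, so it runs offline here against a constructed zone that deliberately lacks one PTR record, and can be pointed at the real DNS server by passing the socket-based resolver instead.

```python
"""Pre-registration DNS check for a Cisco ISE distributed deployment.

Added example, not Cisco code. Every node's FQDN must resolve to its IP
(forward lookup) and the IP must resolve back to the FQDN (reverse lookup).
The resolver is injected so the check can run offline against constructed
records; in production pass system_resolver() to query the real DNS server.
"""
import socket
from typing import Callable, Dict, List, Tuple

# Constructed inventory of planned nodes: (fqdn, ip). Values are examples only.
NODES: List[Tuple[str, str]] = [
    ("ise-pan1.example.test", "192.0.2.10"),
    ("ise-pan2.example.test", "192.0.2.11"),
    ("ise-psn1.example.test", "192.0.2.20"),
]

# Constructed DNS view with a deliberate gap: ise-psn1 has no PTR record.
FAKE_A: Dict[str, str] = {fqdn: ip for fqdn, ip in NODES}
FAKE_PTR: Dict[str, str] = {"192.0.2.10": "ise-pan1.example.test",
                            "192.0.2.11": "ise-pan2.example.test"}

# A resolver is a pair of callables: forward(fqdn) -> ip, reverse(ip) -> fqdn.
Resolver = Tuple[Callable[[str], str], Callable[[str], str]]


def fake_resolver() -> Resolver:
    """Offline resolver built from the constructed A/PTR tables above."""
    return (lambda name: FAKE_A[name], lambda ip: FAKE_PTR[ip])


def system_resolver() -> Resolver:
    """Resolver that queries the DNS server configured on this host."""
    return (socket.gethostbyname, lambda ip: socket.gethostbyaddr(ip)[0])


def check_nodes(nodes: List[Tuple[str, str]], resolver: Resolver) -> List[str]:
    """Return one problem line per failed lookup; an empty list means all good."""
    forward, reverse = resolver
    problems: List[str] = []
    for fqdn, ip in nodes:
        try:
            got = forward(fqdn)
            if got != ip:
                problems.append(f"{fqdn}: forward lookup gave {got}, expected {ip}")
        except Exception as exc:  # NXDOMAIN, timeout, and similar failures
            problems.append(f"{fqdn}: forward lookup failed ({exc!r})")
        try:
            got = reverse(ip)
            if got.lower().rstrip(".") != fqdn.lower():
                problems.append(f"{ip}: reverse lookup gave {got}, expected {fqdn}")
        except Exception as exc:
            problems.append(f"{ip}: no reverse (PTR) record ({exc!r})")
    return problems


if __name__ == "__main__":
    for line in check_nodes(NODES, fake_resolver()) or ["all nodes resolve both ways"]:
        print(line)
```

Run it against the real zone by replacing fake_resolver() with system_resolver() on the host that will perform the registration, since that is the resolver the Primary PAN relies on.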
Policy Service Nodes: Option to join, leave, and test the Active Directory connection. Each Policy Service node
must be separately joined to the Active Directory domain. You must first define the domain information and
join the PAN to the Active Directory domain. Then, join the other Policy Service nodes to the Active
Directory domain individually.
Step 2 Check the check box next to the current node, and click Edit.
Step 3 Click Make Primary to configure your Primary PAN.
Step 4 Enter data on the General Settings tab.
Step 5 Click Save to save the node configuration.
What to Do Next
1 Add secondary nodes to your deployment.
2 Enable the profiler service and configure the probes, if required.
After you register the secondary node to the primary node, if you change the HTTPS certificate on the secondary
node, you must import the appropriate CA certificates into the trusted certificate store of the primary node.
The certificates that you import into the trusted certificate store of the Primary PAN are replicated to the
secondary nodes.
If you plan to deploy two Administration nodes for high availability, register the Secondary PAN before you
register the other secondary nodes. If you register the nodes in this sequence, you do not have to restart the
secondary ISE nodes after you promote the Secondary PAN as your primary.
If you plan to deploy multiple Policy Service nodes running Session services with mutual failover among
these nodes, place the Policy Service nodes in a node group. You must create the node group before you
register the nodes.
Step 5 Enter a UI-based administrator credential for the secondary node in the Username and Password fields.
Step 6 Click Next.
Cisco ISE contacts the secondary node, obtains some basic information such as the hostname, default gateway, and so
on, and displays it.
If you have chosen to register a secondary node, you can edit the configuration of the secondary node.
After a secondary node is registered successfully, you will receive an alarm on your Primary PAN that confirms
a successful node registration. If the secondary node fails to register with the Primary PAN, the alarm is not
generated. When a node is registered, the application server on that node is restarted. After successful
registration and database synchronization, enter the credentials of the Primary PAN to log in to the user
interface of the secondary node.
Note In addition to the existing Primary node in the deployment, when you successfully register a new node,
no alarm corresponding to the newly registered node is displayed. The Configuration Changed alarms
reflect information corresponding to the newly registered nodes. You can use this information to ascertain
the successful registration of the new node.
What to Do Next
• For time-sensitive tasks such as guest user access and authorization, logging, and so on, ensure that the
system time on your nodes is synchronized.
• If you registered a Secondary PAN, and will be using the internal Cisco ISE CA service, you must back
up the Cisco ISE CA certificates and keys from the Primary PAN and restore them on the Secondary
PAN.
Note We recommend that you make all PSNs in the same local network part of the same node group. PSNs
need not be part of a load-balanced cluster to join the same node group. However, each local PSN in a
load-balanced cluster should typically be part of the same node group.
Before you can add PSNs as members to a node group, you must create the node group first. You can create,
edit, and delete Policy Service node groups from the Deployment pages of the Admin portal.
After you save the node group, it should appear in the navigation pane on the left. If you do not see the node
group in the left pane, it may be hidden. Click the Expand button on the navigation pane to view the hidden
objects.
What to Do Next
Add a node to a node group. Edit the node by choosing the node group from the Member of Node Group
drop-down list.
to integrate pxGrid with Cisco ISE is not FIPS compliant. If FIPS mode was not enabled in Cisco ISE
1.2, the pxGrid option will be enabled for the certificates after upgrading to 1.4.
What to Do Next
If the node that was originally the Primary PAN comes back up, it will be demoted automatically and become
the Secondary PAN. In the Edit Node page of a secondary node, you cannot modify the personas or services
because the options are disabled. You have to log in to the Admin portal to make changes.
Step 4 Select the health check node for the Primary PAN from the Primary Health Check Node drop-down list, which contains
all the available secondary nodes.
It is recommended to have this node in the same location or data center as the Primary PAN.
Step 5 Select the health check node for the Secondary PAN from the Secondary Health Check Node drop-down list, which
contains all the available secondary nodes.
It is recommended to have this node in the same location or data center as the Secondary PAN.
Step 6 Provide the Polling Interval time after which the Administration node status will be checked. The valid range is from
30 to 300 seconds.
Step 7 Provide the count for Number of Failure Polls before Failover.
The failover will occur if the status of the Administration node is not good for the specified number of failure polls. The
valid range is from 2 to 60 counts.
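The interaction between the Polling Interval (Step 6), the Number of Failure Polls before Failover (Step 7), the failover scenarios listed earlier and the "failover window" that the CLI warnings refer to can be made concrete. The following is an added model, not Cisco's code: it validates the two settings against the ranges given above, computes the resulting failover window, and walks a constructed poll history to show at which poll the Secondary PAN would promote itself. It assumes the count is of consecutive failed polls, which is how the scenarios ("remains so for the configured value") read; all names are this example's own.

```python
"""Model of the Cisco ISE PAN auto-failover decision described in this guide.

Constructed example, not Cisco code: a health check node polls the Primary PAN
every `polling_interval` seconds, and the Secondary PAN promotes itself only
after `failure_polls` consecutive polls report the Primary PAN as not good
(assumption: a healthy poll resets the count). Names are this example's own.
"""
from dataclasses import dataclass
from typing import List, Optional

POLL_MIN, POLL_MAX = 30, 300   # valid Polling Interval range, in seconds
FAIL_MIN, FAIL_MAX = 2, 60     # valid Number of Failure Polls before Failover


@dataclass(frozen=True)
class AutoFailoverConfig:
    polling_interval: int   # seconds between health polls of the PAN
    failure_polls: int      # consecutive bad polls required before failover

    def __post_init__(self) -> None:
        if not POLL_MIN <= self.polling_interval <= POLL_MAX:
            raise ValueError(f"polling interval must be {POLL_MIN}-{POLL_MAX} s")
        if not FAIL_MIN <= self.failure_polls <= FAIL_MAX:
            raise ValueError(f"failure polls must be {FAIL_MIN}-{FAIL_MAX}")

    def failover_window(self) -> int:
        """Seconds of continuous bad health after which promotion happens.

        This is the window the CLI warning refers to: a manual service stop or
        soft reload that is not back within it will trigger auto-failover.
        """
        return self.polling_interval * self.failure_polls


def failover_poll_index(cfg: AutoFailoverConfig,
                        poll_results: List[bool]) -> Optional[int]:
    """Return the 1-based poll number at which failover would be attempted.

    poll_results[i] is True when poll i found the Primary PAN healthy. Only a
    run of `failure_polls` consecutive failures triggers failover; a healthy
    poll in between resets the streak. None means no failover in this history.
    """
    streak = 0
    for i, healthy in enumerate(poll_results, start=1):
        streak = 0 if healthy else streak + 1
        if streak >= cfg.failure_polls:
            return i
    return None


if __name__ == "__main__":
    cfg = AutoFailoverConfig(polling_interval=60, failure_polls=3)
    # Constructed poll history: a short blip that recovers, then a real outage.
    history = [True, False, False, True, False, False, False, False]
    print("failover window:", cfg.failover_window(), "seconds")   # 180
    print("failover at poll:", failover_poll_index(cfg, history))  # 7
```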
What to Do Next
After the promotion of Secondary PAN to the Primary PAN, do the following:
• Manually sync the old Primary PAN to bring it back into the deployment.
• Manually sync any other secondary node that is out of sync, to bring it back into the deployment.
Caution For scheduled backup and purge to work properly on the nodes of a Monitoring redundant
pair, configure the same repository, or repositories, on both the primary and secondary
nodes using the CLI. The repositories are not automatically synced between the two
nodes.
From the Cisco ISE dashboard, verify that the Monitoring nodes are ready. The System Summary dashlet
shows the Monitoring nodes with a green check mark to the left when their services are ready.
You can view these changes from the Deployment page of the Primary PAN. However, expect a delay of 5
minutes for the changes to take effect and appear on the Deployment page.
Step 1 Change the hostname or IP address of the Cisco ISE node using the hostname, ip address, or ip domain-name command
from the Cisco ISE CLI.
Step 2 Reset the Cisco ISE application configuration using the application stop ise command from the Cisco ISE CLI to restart
all the services.
Step 3 Register the Cisco ISE node to the Primary PAN if it is part of a distributed deployment.
Note If you are using the hostname while registering the Cisco ISE node, the fully qualified domain name (FQDN)
of the standalone node that you are going to register, for example, abc.xyz.com must be DNS-resolvable from
the Primary PAN. Otherwise, node registration fails. You must enter the IP addresses and FQDNs of the Cisco
ISE nodes that are part of your distributed deployment in the DNS server.
After you register the Cisco ISE node as a secondary node, the Primary PAN replicates the change in the IP address,
hostname, or domain name to the other Cisco ISE nodes in your deployment.
Step 1 Re-image or re-install the Cisco ISE software on the new nodes.
Step 2 Obtain a license with the UDI for the Primary and Secondary PANs and install it on the Primary PAN.
Step 3 Restore the backup on the replaced Primary PAN.
The restore script will try to sync the data on the Secondary PAN, but the Secondary PAN is now a standalone node and
the sync will fail. Data is set to the time the backup was taken on the Primary PAN.
Step 4 Register the new node as a secondary server with the Primary PAN.