
Setting Up and Maintaining a Distributed ISE Deployment


Chapter Description

In this sample chapter from Cisco ISE for BYOD and Secure Unified Access, 2nd Edition, explore the configuration steps required to deploy ISE in a distributed design. Content also covers the basics of using a load balancer.

This chapter covers the following topics:

  • Configuring ISE nodes in a distributed environment

  • Understanding the HA options available

  • Using load balancers

  • IOS load balancing

  • Maintaining ISE deployments

Chapter 5, “Making Sense of the ISE Deployment Design Options,” discussed the many options within ISE design. At this point, you should have an idea of which type of deployment will be the best fit for your environment, based on the number of concurrent endpoints and the number of Policy Service Nodes (PSN) that will be used in the deployment. This chapter focuses on the configuration steps required to deploy ISE in a distributed design. It also covers the basics of using a load balancer and includes a special bonus section on a very cool high-availability (HA) configuration that uses Anycast routing, and covers patching distributed ISE deployments.

Configuring ISE Nodes in a Distributed Environment

All ISE nodes are installed in a standalone mode by default. When in a standalone mode, the ISE node is configured to run all personas by default. That means that the standalone node runs Administration, Monitoring, and Policy Service personas. Also, all ISE standalone nodes are configured as their own root certificate authority (CA).

It is up to you, the ISE administrator, to promote the first node to be a primary administration node and then join the additional nodes to this new deployment. At the time of joining, you also determine which services will run on which nodes; in other words, you determine which persona the node will have.

You can join more than one ISE node together to create a multinode deployment, known commonly in the field as an ISE cube. It is important to understand that before any ISE nodes can be joined together, they must trust each other’s administrative certificate. Without that trust, you will receive a communication error stating that the “node was unreachable,” but the root cause is the lack of trust.

The situation is the same as browsing to an HTTPS site whose certificate was not issued by a CA your browser trusts: the browser shows a certificate warning. Here the client is another ISE node rather than a browser, and the Transport Layer Security (TLS) connection between the nodes fails because the administration certificate presented by one node does not chain to anything in the other node's trusted certificate store.

If you are still using the default self-signed certificates, every node's certificate is untrusted by every other node. You must therefore import the public certificate of each ISE node into the Administration > System > Certificates > Trusted Certificates store of each other node: each node must trust the primary node, and the primary node must trust each node it will register.

Rather than shuffling self-signed certificates between nodes, the best practice is to issue every node's administration certificate from the same trusted CA. Then only that CA's root certificate (plus any intermediate CA certificates in the chain) needs to be in each node's Trusted Certificates list, and a new node can be registered without touching the trust store of the nodes already in the deployment.
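
The trust requirement described above, as an added example that is not from the book or from Cisco. The script uses OpenSSL to stand in for the two situations (a node still on its self-signed certificate versus nodes whose certificates come from one shared CA) and defines node_cert_ok, the check a TLS client performs when one node connects to another's administration interface: does the certificate chain to the trust bundle, and does it carry the name that was connected to. It also shows why the name you later type in the Host FQDN field has to match the node's certificate. The node names pan.example.com, psn1.example.com and psn2.example.com, the CA name and the helper names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the book or from Cisco: reproduce the inter-node trust check
# with OpenSSL. Hypothetical names: pan.example.com, psn1.example.com, psn2.example.com
# and "Example Internal Root CA".
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Minimal request config, so the script does not depend on the system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# 1. One shared CA, standing in for the enterprise CA that should issue every node's
#    admin certificate. Its certificate is the only thing each node then has to trust.
openssl req -x509 -config req.cnf -newkey rsa:2048 -nodes -days 365 \
  -subj "/CN=Example Internal Root CA" -keyout ca.key -out ca.pem 2>/dev/null

# issue_cert FQDN: a CA-issued admin certificate carrying FQDN in its SAN.
issue_cert() {
  openssl req -new -config req.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=$1" -keyout "$1.key" -out "$1.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$1" > "$1.ext"
  openssl x509 -req -in "$1.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 365 -extfile "$1.ext" -out "$1.pem" 2>/dev/null
}
issue_cert pan.example.com
issue_cert psn1.example.com

# 2. A node still on its default self-signed certificate: signed with its own key,
#    so no CA certificate can vouch for it.
openssl req -new -config req.cnf -newkey rsa:2048 -nodes \
  -subj "/CN=psn2.example.com" -keyout psn2.key -out psn2.csr 2>/dev/null
printf 'subjectAltName=DNS:psn2.example.com\n' > psn2.ext
openssl x509 -req -in psn2.csr -signkey psn2.key -days 365 -extfile psn2.ext \
  -out psn2.pem 2>/dev/null

# node_cert_ok TRUST_BUNDLE FQDN CERT: exit 0 when CERT chains to a certificate in
# TRUST_BUNDLE and carries FQDN, i.e. when a TLS client that trusts only TRUST_BUNDLE
# and connected to https://FQDN would accept it. -no-CAfile/-no-CApath keep the
# workstation's system trust store out of the decision, as an ISE node's own store is.
node_cert_ok() {
  openssl verify -no-CAfile -no-CApath -CAfile "$1" -verify_hostname "$2" "$3" \
    >/dev/null 2>&1
}

report() {
  if node_cert_ok "$1" "$2" "$3"; then printf 'trusted    %-22s as %s via %s\n' "$3" "$2" "$1"
  else printf 'UNTRUSTED  %-22s as %s via %s\n' "$3" "$2" "$1"; fi
}
report ca.pem   pan.example.com  pan.example.com.pem   # shared CA: trusted
report ca.pem   psn1.example.com psn1.example.com.pem  # shared CA: trusted
report ca.pem   psn2.example.com psn2.pem              # self-signed: untrusted
report psn2.pem psn2.example.com psn2.pem              # trusted only once its own cert is imported
report ca.pem   psn1.example.com pan.example.com.pem   # right CA, wrong name typed: untrusted

# Against a real node, capture the certificate presented on the admin port, for example
#   openssl s_client -connect atw-ise246.example.com:443 -servername atw-ise246.example.com \
#     </dev/null 2>/dev/null | openssl x509 > atw-ise246.pem
# (domain assumed) and pass it to node_cert_ok together with the PAN's trust bundle.
```

Run it from any workstation with OpenSSL 1.1.1 or later. The last report line is the case to remember when registering nodes: a certificate from the right CA is still rejected when the name used to reach the node is not in it, which looks like a connectivity error from the GUI.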

Make the Policy Administration Node a Primary Device

Because all ISE nodes are standalone by default, you must first promote the ISE node that will become the Primary Policy Administration Node (PAN) to be a primary device instead of a standalone.

From the ISE GUI, perform the following steps:

  • Step 1. Choose Administration > System > Deployment. Figure 18-1 shows an example of the Deployment screen.

Figure 18-1 Deployment Screen

  • Step 2. Select the ISE node (there should only be one at this point).

  • Step 3. Click the Make Primary button, as shown in Figure 18-2.

Figure 18-2 Make Primary Button

  • Step 4. At this point, the Monitoring and Policy Service check boxes on the left have become selectable. If the primary node will not also be providing any of these services, uncheck them now. (You can always return later and make changes.)

  • Step 5. Click Save.

After saving the changes, the ISE application restarts itself. This is a necessary process, as the sync services are started and the node prepares itself to handle all the responsibilities of the primary PAN persona. Example 18-1 shows show application status ise output captured during this restart: the Application Server is still initializing while the other processes are already running. Once the Application Server reports running, reconnect to the GUI, log in again, and proceed to the next section.

Example 18-1 show application status ise Command Output

atw-ise245/admin# show application status ise

ISE PROCESS NAME                       STATE            PROCESS ID
Database Listener                      running          5851
Database Server                        running          75 PROCESSES
Application Server                     initializing
Profiler Database                      running          6975
ISE Indexing Engine                    running          1821
AD Connector                           running          10338
M&T Session Database                   running          1373
M&T Log Collector                      running          2313
M&T Log Processor                      running          2219
Certificate Authority Service          disabled
EST Service                            disabled
SXP Engine Service                     disabled
TC-NAC Docker Service                  disabled
TC-NAC MongoDB Container               disabled
TC-NAC RabbitMQ Container              disabled
TC-NAC Core Engine Container           disabled
VA Database                            disabled
VA Service                             disabled
pxGrid Infrastructure Service          disabled
pxGrid Publisher Subscriber Service    disabled
pxGrid Connection Manager              disabled
pxGrid Controller                      disabled
PassiveID Service                      disabled
DHCP Server (dhcpd)                    disabled
DNS Server (named)                     disabled
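
An added check, not from the book or from Cisco, for the restart just described: the shell functions below parse the output of show application status ise and report every process that is neither running nor disabled, so you can tell from a pasted CLI transcript whether the node has come back up before you reconnect. The sample input SAMPLE is the text of Example 18-1; the function names ise_not_ready and ise_ready are chosen here.

```shell
#!/bin/sh
# Added example, not from the book or from Cisco: decide from "show application status ise"
# output whether an ISE node has finished restarting. The input is pasted CLI output;
# SAMPLE below is the text of Example 18-1.
set -eu

# ise_not_ready: reads the command output on stdin and prints every process whose state
# is neither "running" nor "disabled" (for example "initializing" or "not running").
# Columns are separated by runs of two or more spaces, so names containing single spaces
# ("M&T Log Collector", "DHCP Server (dhcpd)") stay in one field.
ise_not_ready() {
  awk -F '  +' '
    NF >= 2 && $1 != "ISE PROCESS NAME" && $2 != "running" && $2 != "disabled" {
      print $1 ": " $2
    }'
}

# ise_ready: exit status 0 only when nothing is still starting or stopped.
ise_ready() {
  [ -z "$(ise_not_ready)" ]
}

SAMPLE=$(cat <<'EOF'
atw-ise245/admin# show application status ise

ISE PROCESS NAME                       STATE            PROCESS ID
Database Listener                      running          5851
Database Server                        running          75 PROCESSES
Application Server                     initializing
Profiler Database                      running          6975
ISE Indexing Engine                    running          1821
AD Connector                           running          10338
M&T Session Database                   running          1373
M&T Log Collector                      running          2313
M&T Log Processor                      running          2219
Certificate Authority Service          disabled
EST Service                            disabled
SXP Engine Service                     disabled
TC-NAC Docker Service                  disabled
TC-NAC MongoDB Container               disabled
TC-NAC RabbitMQ Container              disabled
TC-NAC Core Engine Container           disabled
VA Database                            disabled
VA Service                             disabled
pxGrid Infrastructure Service          disabled
pxGrid Publisher Subscriber Service    disabled
pxGrid Connection Manager              disabled
pxGrid Controller                      disabled
PassiveID Service                      disabled
DHCP Server (dhcpd)                    disabled
DNS Server (named)                     disabled
EOF
)

printf '%s\n' "$SAMPLE" | ise_not_ready      # prints: Application Server: initializing
if printf '%s\n' "$SAMPLE" | ise_ready; then
  echo "node ready"
else
  echo "node still restarting; keep polling before reconnecting to the GUI"
fi
```

Paste the output of a fresh show application status ise into the same pipeline each time you poll; the node is ready to take the next registration step only when ise_not_ready prints nothing.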

Register an ISE Node to the Deployment

Now that there is a primary PAN, you can implement a multinode deployment. From the GUI on the primary PAN, you will register and assign personas to all ISE nodes.

From the ISE GUI on the primary PAN, perform the following steps:

  • Step 1. Choose Administration > System > Deployment.

  • Step 2. Choose Register > Register an ISE Node, as shown in Figure 18-3.

Figure 18-3 Choosing to Register an ISE Node

  • Step 3. In the Host FQDN field, enter the DNS name (or IP address) of the first ISE node you will be joining to the deployment, as shown in Figure 18-4. The name must resolve from the primary PAN, and it should match the name in that node's administration certificate; if it does not, the PAN cannot validate the node's certificate and the registration fails in the same way as the trust failure described earlier in this chapter.

Figure 18-4 Specifying Hostname and Credentials

  • Step 4. In the User Name and Password fields, enter the administrator name (admin by default) and password.

  • Step 5. Click Next.

  • Step 6. On the Configure Node screen, shown in Figure 18-5, choose the persona(s) for this ISE node and, for a Policy Service Node, whether to enable profiling services. Which profiling probes to enable cannot be configured until after the node has joined. Figure 18-5 shows adding a secondary Administration and Monitoring node, while Figure 18-6 shows adding a Policy Service Node.

Figure 18-5 Configure Node Screen Secondary Admin and MnT Addition

Figure 18-6 Configure Node Screen Policy Service Node Addition

  • Step 7. Click Submit. At this point, the Policy Administration Node syncs the entire database to the newly joined ISE node, as you can see in Figure 18-7.

Figure 18-7 Sync Initiated

  • Step 8. Repeat these steps for all the ISE nodes that should be joined to the same deployment.

Ensure the Persona of All Nodes Is Accurate

Now that all of your ISE nodes are joined to the deployment, you can ensure that the correct personas are assigned to the appropriate ISE nodes. Table 18-1 shows the ISE nodes in the sample deployment and the associated persona(s) that will be assigned. Figure 18-8 shows the final Deployment screen, after the synchronization has completed for all nodes (a check mark in the Node Status column indicates a node that is healthy and in sync).

Figure 18-8 Final Personas and Roles

Table 18-1 ISE Nodes and Personas

ISE Node      Persona
atw-ise244    Administration, Monitoring
atw-ise245    Administration, Monitoring
atw-ise246    Policy Service
atw-ise247    Policy Service