Manage ISE-PIC Nodes
Add or remove the secondary node, synchronize data between nodes, promote the secondary node to be the primary node, and more.
Cisco ISE-PIC Deployment Setup
After you install Cisco ISE-PIC on all your nodes, as described in the Cisco Identity Services Engine Hardware Installation Guide, the nodes come up in a standalone state. You must then define one node as your Primary Administration Node (PAN) and register the secondary node to the PAN.
All Cisco ISE-PIC system and functionality-related configurations should be done only on the PAN. The configuration changes that you perform on the PAN are replicated to the secondary node in your deployment. From the secondary node, the only action you can perform is to promote that secondary node to become the PAN.
After you have registered the secondary node to the PAN, you must use the login credentials of the PAN to log in to the Admin portal of that secondary node.
Data Replication from Primary to Secondary ISE-PIC Nodes
When you register a Cisco ISE node as a secondary node, Cisco ISE-PIC immediately creates a data replication channel from the primary to the secondary node and begins the process of replication. Replication is the process of sharing Cisco ISE-PIC configuration data from the primary to the secondary node. Replication ensures consistency among the configuration data present in the two Cisco ISE-PIC nodes that are part of your deployment.
A full replication typically occurs when you first register an ISE-PIC node as a secondary node. Incremental replication occurs after a full replication and ensures that any new changes such as additions, modifications, or deletions to the configuration data in the PAN are reflected in the secondary nodes. The process of replication ensures that the Cisco ISE-PIC nodes in a deployment are in sync. You can view the status of replication in the Node Status column from the deployment pages of the Cisco ISE-PIC admin portal. When you register a Cisco ISE-PIC node as a secondary node or perform a manual synchronization with the PAN, the node status shows an orange icon indicating that the requested action is in progress. Once it is complete, the node status turns green indicating that the secondary node is synchronized with the PAN.
Effects of Modifying Nodes in Cisco ISE-PIC
When you make any of the following changes to a node in a Cisco ISE-PIC deployment, that node restarts, which causes a delay:
- Register a node (Standalone to Secondary)
- Deregister a node (Secondary to Standalone)
- Change a primary node to Standalone (if no other nodes are registered with it; Primary to Standalone)
- Promote a node (Secondary to Primary)
- Restore a backup on the primary; a sync up operation is then triggered to replicate data from the primary to the secondary node
Note: When you promote the secondary Administration node to the primary PAN position, the primary node will assume a secondary role. This causes both the primary and secondary nodes to restart, causing a delay.
Guidelines for Setting Up Two Nodes in a Deployment
Read the following statements carefully before you set up Cisco ISE-PIC with two nodes.
- Choose the same Network Time Protocol (NTP) server for both the nodes. To avoid timezone issues among the nodes, you must provide the same NTP server name during the setup of each node. This setting ensures that the reports and logs from the various nodes in your deployment are always synchronized with timestamps.
- Configure the Cisco ISE-PIC Admin password when you install Cisco ISE-PIC. The previous Cisco ISE-PIC Admin default login credentials (admin/cisco) are no longer valid. Use the username and password that were created during the initial setup, or the current password if it was changed later.
- Configure the Domain Name System (DNS) server. Enter the IP addresses and fully qualified domain names (FQDNs) of both the Cisco ISE-PIC nodes that are part of your deployment in the DNS server. Otherwise, node registration will fail.
- Configure the forward and reverse DNS lookup for both Cisco ISE-PIC nodes in your high-availability deployment from the DNS server. Otherwise, you may run into deployment-related issues when registering and restarting Cisco ISE-PIC nodes. Performance might be degraded if reverse DNS lookup is not configured for both of the nodes.
- (Optional) Deregister a secondary Cisco ISE-PIC node from the PAN to uninstall Cisco ISE-PIC from it.
- Ensure that the PAN and the standalone node that you are about to register as a secondary node are running the same version of Cisco ISE-PIC.
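The guidelines above can be verified from an admin workstation before you attempt registration. The following script is an added example, not Cisco's code: it models both nodes with constructed sample values and checks the same-version, same-NTP-server and forward/reverse DNS requirements; the resolver functions are injectable so the checks can also be exercised offline.

```python
import socket
from dataclasses import dataclass
from typing import List

@dataclass
class Node:
    """One ISE-PIC node as described in the admin portal (sample values are constructed)."""
    fqdn: str        # DNS name, e.g. "ise-pic-1.example.com"
    ip: str          # address configured on the node
    version: str     # ISE-PIC version string
    ntp_server: str  # NTP server given during setup

def _forward(fqdn: str) -> str:
    return socket.gethostbyname(fqdn)

def _reverse(ip: str) -> str:
    return socket.gethostbyaddr(ip)[0]

def dns_findings(node: Node, forward=_forward, reverse=_reverse) -> List[str]:
    """Return the problems found with a node's forward and reverse DNS records."""
    findings = []
    try:
        if forward(node.fqdn) != node.ip:
            findings.append(f"{node.fqdn}: forward lookup does not return {node.ip}")
    except OSError:  # socket.gaierror is an OSError subclass
        findings.append(f"{node.fqdn}: no forward DNS record (registration will fail)")
    try:
        # DNS names are case-insensitive, so compare in lower case.
        if reverse(node.ip).lower() != node.fqdn.lower():
            findings.append(f"{node.ip}: reverse lookup does not map to {node.fqdn}")
    except OSError:  # socket.herror is an OSError subclass
        findings.append(f"{node.ip}: no reverse DNS record (performance may degrade)")
    return findings

def preflight(pan: Node, secondary: Node, forward=_forward, reverse=_reverse) -> List[str]:
    """Run every guideline check; an empty list means the pair is ready to register."""
    findings = []
    if pan.version != secondary.version:
        findings.append(f"version mismatch: PAN {pan.version}, secondary {secondary.version}")
    if pan.ntp_server != secondary.ntp_server:
        findings.append("nodes use different NTP servers; timestamps will not line up")
    for node in (pan, secondary):
        findings.extend(dns_findings(node, forward, reverse))
    return findings
```

Run `preflight(pan, secondary)` with the real resolvers from a host that uses the same DNS server as the nodes; any returned string is a condition that the guidelines say will break or degrade registration.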
View Nodes in a Deployment
In the Deployment Nodes window, you can view the ISE-PIC nodes, primary and secondary, that are a part of your deployment.
Procedure
Step 1: Log in to the primary Cisco ISE-PIC Admin portal.
Step 2: Choose . All the Cisco ISE nodes that are part of your deployment are listed.
Register a Secondary Cisco ISE-PIC Node
After you register the secondary node, the configuration of the secondary node is added to the database of the primary node and the application server on the secondary node is restarted. After the restart is complete, you can view all the configuration changes that you make from the Deployment page of the PAN. However, expect a delay of 5 minutes for your changes to take effect and appear on the Deployment page.
Procedure
Step 1: Log in to the PAN.
Step 2: Choose .
Step 3: From the Add Secondary Node section, enter the DNS-resolvable hostname of the secondary Cisco ISE node. If you are using the hostname while registering the Cisco ISE-PIC node, the fully qualified domain name (FQDN) of the standalone node that you are going to register, for example, abc.xyz.com, must be DNS-resolvable from the PAN. Otherwise, node registration fails. You must have previously defined the IP address and the FQDN of the secondary node in the DNS server.
Step 4: Enter a UI-based administrator credential for the standalone node in the Username and Password fields.
Step 5: Click Save. Cisco ISE-PIC contacts the secondary node, obtains some basic information such as the hostname, default gateway, and so on, and displays it.
When the secondary node is registered to the deployment, the node is restarted, which may take up to 5 minutes before the secondary node information is displayed on the Deployment page.
Once the secondary node is registered successfully, the Deployment page displays the details for that node in the Secondary Node section.
After a secondary node is registered successfully, you will receive an alarm on your PAN that confirms a successful node registration. If the secondary node fails to register with the PAN, the alarm is not generated. When a node is registered, the application server on that node is restarted. After successful registration and database synchronization, enter the credentials of the primary administrative node to log in to the user interface of the secondary node.
Note: In addition to the existing Primary node in the deployment, when you successfully register a new node, no alarm corresponding to the newly registered node is displayed. The Configuration Changed alarms reflect information corresponding to the newly registered nodes. You can use this information to ascertain the successful registration of the new node.
Synchronize Primary and Secondary Cisco ISE-PIC Nodes
You can make configuration changes to Cisco ISE-PIC only through the primary PAN. The configuration changes get replicated to all the secondary nodes. If, for some reason, this replication does not occur properly, you can manually synchronize the secondary PAN with the primary PAN.
Procedure
Step 1: Log in to the primary PAN.
Step 2: Choose .
Step 3: Check the check box next to the node that you want to synchronize with the primary PAN, and click Syncup to force a full database replication.
Manually Promote Secondary PAN to Primary
If the Primary PAN fails, you must manually promote the Secondary PAN to become the new Primary PAN.
Before you begin
Ensure that you have a second Cisco ISE-PIC node configured to promote as your Primary PAN.
Procedure
Step 1: Log in to the Secondary PAN GUI.
Step 2: Choose .
Step 3: Click Promote to Primary. If the node that was originally the Primary PAN comes back up, it will be demoted automatically and become the Secondary PAN. You must perform a manual synchronization on this node (that was originally the Primary PAN) to bring it back into the deployment.
Step 4: Click Save.
Remove a Node from Deployment
To remove a node from a deployment, you must deregister it. The deregistered node becomes a standalone Cisco ISE-PIC node.
When a node is deregistered, the endpoint data is lost. If you want the node to retain the endpoint data after it becomes a standalone node, you can obtain a backup from the primary PAN and restore this data backup on it.
You can view these changes in the Deployment window of the primary PAN. However, expect a delay of five minutes for the changes to take effect and appear in the Deployment window.
Before you begin
To remove a node from a deployment, you must deregister it. When you deregister a secondary node from the PAN, the status of the deregistered node changes to standalone and the connection between the primary and the secondary node will be lost. Replication updates are no longer sent to the deregistered standalone node.
Before you remove a secondary node from a deployment, perform a backup of Cisco ISE-PIC configuration, which you can then restore later, if needed.
Procedure
Step 1: Choose .
Step 2: Click Deregister, located next to the secondary node details.
Step 3: Click OK.
Step 4: Verify the receipt of an alarm on your primary PAN to confirm that the secondary node is deregistered successfully. If the secondary node fails to deregister from the primary PAN, the alarm is not generated.
Change the Hostname or IP Address of a Cisco ISE-PIC Node
You can change the hostname, IP address, or domain name of standalone Cisco ISE-PIC nodes. However, you cannot use localhost as the hostname for a node.
Before you begin
If a Cisco ISE-PIC node is a part of a two-node deployment, you must first remove it from the deployment and ensure that it is a standalone node.
Procedure
Step 1: Change the hostname or IP address of the Cisco ISE-PIC node using the hostname, ip address, or ip domain-name command from the Cisco ISE CLI.
Step 2: Reset the Cisco ISE-PIC application configuration using the application stop ise command from the Cisco ISE CLI to restart all the services.
Step 3: Register the Cisco ISE-PIC node to the primary PAN if it is a part of a two-node deployment. After you register the Cisco ISE-PIC node as a secondary node, the primary PAN replicates the change in the IP address, hostname, or domain name to the other Cisco ISE-PIC nodes in your deployment.
Replace the Cisco ISE-PIC Appliance Hardware
You should replace the Cisco ISE-PIC appliance hardware only if there is an issue with the hardware. For any software issues, you can reimage the appliance and reinstall the Cisco ISE-PIC software.
Procedure
Step 1: Re-image or re-install the Cisco ISE-PIC software on the new nodes.
Step 2: Obtain a license with the UDI for the Primary and Secondary PANs and install it on the Primary PAN.
Step 3: Restore the backup on the replaced Primary PAN.
Step 4: Register the new node as a secondary server with the Primary PAN.