Configure ISE Servers as an HA Pair
Table of Contents
Configure ISE Servers as an HA Pair
Put Cisco ISE servers in an active/standby HA pair to
provide redundancy.
IoT Security uses the term "active" and Cisco
uses the term "primary" to refer to the node in an HA pair that
is in active mode and processing data. IoT Security uses the term
"standby" and Cisco uses the term "secondary" to refer to the node
that is in passive mode waiting to take over if the active node
fails.
The IoT Security terms "primary" and "secondary" refer
to two ISE instances to which IoT Security sends device attributes.
The primary instance, which can be a single ISE server or HA pair,
is the one taking action on the data it receives. The secondary
instance, which can also be a single ISE server or HA pair, receives
the data but typically does not act upon it. In this case, the secondary
instance provides redundancy in case the primary instance stops
functioning. If that happens, an ISE administrator can manually
activate the secondary instance and resume NAC operations.
Setting
up an active/standby HA pair of ISE servers involves the following steps.
- Configure one ISE server and give it the role of Primary; that is, the active (or primary) node in an HA pair.Configure another ISE server and give it the role of Standalone. This will be the standby (or secondary) node in the HA pair.Create IP hosts on each server to resolve the FQDN of the other server to an IP address.On the secondary ISE server, export its self-signed certificate.On the primary ISE server, import the certificate as a .pem file.Still on the primary server, register the other ISE server as a secondary node.At this point, they start functioning as an HA pair. The primary node starts syncing its data with the secondary node, which remains in standby mode.For complete HA configuration instructions and details, see Configuring Administration Cisco ISE Nodes for High Availability
