Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1481
Views
0
Helpful
2
Replies

Change IP address for Administration nodes on ISE 1.2?

Go to solution
cnegrete
Level 1
Level 1

‎04-09-2014 10:21 AM - edited ‎03-10-2019 09:37 PM

Hi everyone.

I currently do not have the means to simulate this (it would involve creating several virtual machines to test and I don't have access to that memory and hard disk space to do it).

I currently have deployed a 6 node ISE setup, with 2 central nodes (Administration/Monitoring), and 4 PSN scattered over the country.

The customer needs to move the central nodes to their data center, and this will involve changing the ip addresses for the two nodes.

What would be the necessary steps to do this? I searched and couldn't find anything conclusive.

 

My idea is as follows:

1. Take the secondary node, and unregister it from the deployment.

2. Change secondary ip address (regenerate cert if necessary)

3. Change DNS record for secondary admin node

4. Move secondary to Data Center

5. Power on secondary admin node

6. Register secondary admin node

7. Promote secondary admin node to primary

8. Repeat the steps for the primary (now secondary) node.

 

Of course, in the meantime I have to change the IP addresses for the RADIUS servers on all the WLC's and Switches.

 

Will this work?  Are there any extra considerations I need?

 

Thanks in advance.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
ahmed.aborahal
Level 1
Level 1

‎04-09-2014 02:12 PM

Dear,

 

Your proposed plan seems logic, but you have to take care of the following: 

"If you registered a secondary Administration node (the new primary) after you registered secondary Cisco ISE Policy Service and Monitoring nodes, then you must restart the secondary Cisco ISE nodes that were registered before the secondary Administration node was registered."

Quoted from http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_dis_deploy.html#pgfId-1128454.

 

So, After step 7, you will have to restart the 4 PSNs to communicate with the NEW Admin.

View solution in original post

0 Helpful
2 Replies 2

Go to solution
ahmed.aborahal
Level 1
Level 1

‎04-09-2014 02:12 PM

Dear,

 

Your proposed plan seems logic, but you have to take care of the following: 

"If you registered a secondary Administration node (the new primary) after you registered secondary Cisco ISE Policy Service and Monitoring nodes, then you must restart the secondary Cisco ISE nodes that were registered before the secondary Administration node was registered."

Quoted from http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_dis_deploy.html#pgfId-1128454.

 

So, After step 7, you will have to restart the 4 PSNs to communicate with the NEW Admin.

0 Helpful

Go to solution
cnegrete
Level 1
Level 1
In response to ahmed.aborahal

‎04-09-2014 02:19 PM

Thanks. I'll keep that in mind!
0 Helpful
Customers Also Viewed These Support Documents