Cisco Support Community

New Member

ISE HA Deployment prerequisite issue.

I encountered this HA node deployment issue. Actually, I finished this feature in an environment with CA and DNS. However, can I finish ISE's HA deployment without CA and DNS?

When adding the second ISE node to the first one, I filled in the blank with the second ISE's server IP address, and the system notification indicated: "Unable to authenticate xxx. Please check server and CA certificate configuration and try again."

After that notification, I deployed the CA and DNS server. I also signed the certificate and installed the root CA for both ISE nodes, and the DNS records were also created. After that, I filled in the blank with the second ISE's FQDN and administration account. It completed successfully.

So if my environment doesn't have CA and DNS, does that mean I can't finish ISE's HA function?

Any help or suggestion will be appreciated!
 

2 ACCEPTED SOLUTIONS

Cisco Employee

Hello-

DNS: Your ISE nodes must be resolvable via DNS before they can be registered in a "cluster." In fact, I think the DNS is also required before the install script would complete.

CA: On the other hand, a CA is not required. If you don't have a CA, you can use the self-signed ISE certificates. You will need to import the self-signed certs to "Certificate Store" in ISE.

Hope this answers your question(s)

 

Thank you for rating helpful posts! 

Bronze

Hi,

You cannot do ISE HA deployment without CA and DNS.

DNS: When you upgrade a complete Cisco ISE deployment, Domain Name System (DNS) server resolution is mandatory; otherwise the upgrade will fail.

CA: During the split deployment upgrade, before you register the nodes to the new primary Administration node, you must do the following:

- If you use a self-signed certificate, you must import the self-signed certificate of all nodes to your new primary Administration node.

- If you use different CA certificates for the nodes, you must import all the CA certificates into the new primary Administration node.

- If you use the same CA certificate for the nodes, you must import that CA certificate into the new primary Administration node.
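
The two answers above name two prerequisites: every node's FQDN must resolve, and the primary Administration node must already trust each node's certificate (the certificate itself when self-signed, otherwise its issuing CA). The following preflight check is an added example, not part of either post and not Cisco tooling. The `Cert`/`Node` records, `preflight` and the sample inventory are hypothetical, and matching the issuer name stands in for real chain validation.

```python
import socket
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str   # equals subject when the certificate is self-signed
    sha256: str   # fingerprint as recorded by the administrator

@dataclass(frozen=True)
class Node:
    fqdn: str
    ip: str
    cert: Cert

def system_resolver(name):
    """Resolve a name with the host's configured resolver; empty set on failure."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()

def preflight(nodes, trusted, resolve=system_resolver):
    """Return (fqdn, problem) pairs; `trusted` = certs imported on the primary."""
    problems = []
    prints = {c.sha256 for c in trusted}
    subjects = {c.subject for c in trusted}
    for node in nodes:
        addrs = resolve(node.fqdn)
        if not addrs:
            problems.append((node.fqdn, "FQDN does not resolve"))
        elif node.ip not in addrs:
            problems.append((node.fqdn, "FQDN resolves to a different address"))
        cert = node.cert
        if cert.subject == cert.issuer:          # self-signed: import the cert itself
            if cert.sha256 not in prints:
                problems.append((node.fqdn, "self-signed certificate not imported"))
        elif cert.issuer not in subjects:        # CA-signed: import the issuing CA
            problems.append((node.fqdn, f"CA certificate '{cert.issuer}' not imported"))
    return problems

# Constructed sample inventory: names, addresses and fingerprints are made up.
CA = Cert("CN=lab-ca", "CN=lab-ca", "aa11")
ISE1 = Node("ise1.lab.example", "192.0.2.11", Cert("CN=ise1.lab.example", "CN=ise1.lab.example", "bb22"))
ISE2 = Node("ise2.lab.example", "192.0.2.12", Cert("CN=ise2.lab.example", "CN=lab-ca", "cc33"))
ZONE = {"ise1.lab.example": {"192.0.2.11"}}      # ise2 has no DNS record yet

if __name__ == "__main__":
    for fqdn, problem in preflight([ISE1, ISE2], [], lambda n: ZONE.get(n, set())):
        print(fqdn, "->", problem)
```

Called without the `resolve` argument, `preflight` uses the host's own resolver, so it should be run from a machine that uses the same DNS servers as the ISE nodes.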

7 REPLIES
New Member

Hi Neno Spasov:

You are correct! So the CA environment is not strictly needed. However, the DNS record is a must.

I want to rate your answer as the correct answer, but when I click the correct answer, the system indicates it's an invalid answer. I'll try to find out how to rate your answer as the correct answer.

Anyway, thanks!

Cisco Employee

Glad I was able to help! Thanks for the rating! :)

New Member

Hi Neno Spasov:

After the deployment, can these two nodes work normally without DNS?

Can I finish this feature using just the IP address, rather than the FQDN?


New Member

Hi abwhaid:

Thanks!

Your reply is helpful to me!

I can do ISE's HA with a DNS environment, without a CA server.

 

New Member

Hi abwahid:

After the deployment, can these two nodes work normally without DNS?

Can I finish this feature using just the IP address, rather than the FQDN?

 

 


 
