ISE nodes both become primary

Hello

We are deploying 2 x ISE 3415 appliances for a customer as a primary/secondary Admin cluster, running version 1.2.0.899 - 5-93975. Everything went to plan for the deployment, and when we manually promoted the secondary everything worked fine. Then we tried a few tests before going into production. We simulated a failure of the switch port to isolate our primary ISE. We promoted our secondary ISE, and so we had both ISEs as primary Admin once the switch problem was resolved. At this point it would have been good to simply "downgrade" one back to secondary, but this is not an option. We tried to break the cluster by deregistering the primary. Then we got into a situation where we could not completely break the cluster, and the end result is that the secondary now shows an internal error 500 (see attachment) and we are unable to browse to the GUI. I think I now need to re-image the secondary and re-join it to the cluster.

Is there anything documented on how to recover from a situation where both devices are primary? It seems like it should be simple enough. Has anyone also met the 500 internal error when attempting to log into the device, and if so, how did you resolve it? In the CLI all services are running.

Any help/advice would be appreciated.

Dean

I have the same scenario as yours: ise1 is primary Admin/MnT and ise2 is secondary Admin/MnT. ise1's IP is 192.168.1.1/24 and ise2's is 192.168.1.2/24. They are both on the same subnet.

Simulate a disaster: shut down the switchport ise1 is connected to.

1. Manually promote ise2 to primary Admin/MnT. After that, make a bunch of changes to ise2.

2. Bring back ise1. At this point, both ise1 and ise2 are shown as primary Admin.

3. From the web UI on ise2, select ise1, then press 'sync-up'. That will force ise1 to become secondary Admin.

4. Once everything is in sync, connect to the ise1 web interface and manually promote ise1 to become primary Admin/MnT.

Who is?

Tags: Cisco Security

Similar Questions

  • ISE node failure & pre-authorization ACL

    Hi all

    I would like to know what should be the best practice for the following configuration.

    (1) Network access for devices/end users if both ISE nodes become unreachable: how can we ensure that full network access is granted if the two ISE nodes become unavailable?

    (2) What is the best practice for setting up the pre-authorization ACL if IP phones are also in the network?

    Here is the port configuration and the pre-authorization ACL which I use in my network:

    interface FastEthernet0/1
     switchport access vlan 30
     switchport mode access
     switchport voice vlan 40
     ip access-group ISE-ACL-DEFAULT in
     authentication event fail action authorize vlan 30
     authentication event server dead action authorize vlan 30
     authentication event server alive action reinitialize
     authentication host-mode multi-domain
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     authentication violation protect
     mab
     dot1x pae authenticator
     dot1x tx-period 5

    *****************************************

    ip access-list extended ISE-ACL-DEFAULT
     remark DHCP
     permit udp any eq bootpc any eq bootps
     remark DNS and domain controllers
     permit ip any host 172.22.35.11
     permit ip any host 172.22.35.12
     remark Ping
     permit icmp any any
     remark PXE / TFTP
     permit udp any any eq tftp
     remark deny all
     deny ip any any log

    Thanks & best regards,

    Guelma

    Hello

    On question 1, since you use "authentication host-mode multi-domain", then "authentication event server dead action authorize vlan X" is the way to go.

    But if you use "authentication host-mode multi-auth" then you should use "authentication event server dead action reinitialize vlan X".

    On question 2, it is not mandatory to use a pre-authorization ACL. My current deployment has IP phones; since I use profiling with CDP and RADIUS, ISE can detect and allow the IP phones even if the switch blocks all packets. That's why I didn't need a pre-authorization ACL.

    Please rate if this helps.
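    The check below is an added example, not code from the thread or from Cisco: it parses a constructed copy of the port configuration above and applies the answer's rule for the server-dead action (multi-domain needs "authorize vlan X", multi-auth needs "reinitialize vlan X"). The VLAN comparison and the server-alive check are this example's own assumptions.

```python
import re

# Constructed sample: the port configuration from the post above, re-typed in
# IOS syntax. Hypothetical values, not taken from a live switch.
PORT_CONFIG = """\
interface FastEthernet0/1
 switchport access vlan 30
 switchport mode access
 switchport voice vlan 40
 ip access-group ISE-ACL-DEFAULT in
 authentication event fail action authorize vlan 30
 authentication event server dead action authorize vlan 30
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation protect
 mab
 dot1x pae authenticator
 dot1x tx-period 5
"""

# Rule from the answer: multi-domain ports fail open with
# "server dead action authorize vlan X"; multi-auth ports need
# "server dead action reinitialize vlan X".
EXPECTED_DEAD_ACTION = {"multi-domain": "authorize", "multi-auth": "reinitialize"}

_ACCESS_VLAN = re.compile(r"^\s*switchport access vlan (\d+)\s*$")
_HOST_MODE = re.compile(r"^\s*authentication host-mode (\S+)\s*$")
_DEAD_ACTION = re.compile(
    r"^\s*authentication event server dead action (\w+)(?: vlan (\d+))?\s*$")
_ALIVE_ACTION = re.compile(r"^\s*authentication event server alive action (\w+)\s*$")


def parse_port(config: str) -> dict:
    """Pull the fields the audit needs out of one interface stanza.

    host-mode defaults to single-host when the command is absent."""
    port = {"access_vlan": None, "host_mode": "single-host",
            "dead_action": None, "dead_vlan": None, "alive_action": None}
    for line in config.splitlines():
        if m := _ACCESS_VLAN.match(line):
            port["access_vlan"] = m.group(1)
        elif m := _HOST_MODE.match(line):
            port["host_mode"] = m.group(1)
        elif m := _DEAD_ACTION.match(line):
            port["dead_action"], port["dead_vlan"] = m.group(1), m.group(2)
        elif m := _ALIVE_ACTION.match(line):
            port["alive_action"] = m.group(1)
    return port


def audit_port(config: str) -> list[str]:
    """Return findings; an empty list means the port survives an ISE outage
    the way the answer recommends."""
    port = parse_port(config)
    findings = []
    if port["dead_action"] is None:
        # Without a server-dead action, endpoints get no access while both
        # ISE nodes are unreachable (the poster's question 1).
        findings.append("no 'authentication event server dead action' configured")
        return findings
    want = EXPECTED_DEAD_ACTION.get(port["host_mode"])
    if want and port["dead_action"] != want:
        findings.append(f"host-mode {port['host_mode']} should use 'server dead action "
                        f"{want}', found '{port['dead_action']}'")
    # Assumption of this audit: the critical-auth VLAN should be the port's
    # own data VLAN, as in the posted configuration (vlan 30 on both lines).
    if port["dead_vlan"] is not None and port["dead_vlan"] != port["access_vlan"]:
        findings.append(f"critical-auth vlan {port['dead_vlan']} differs from "
                        f"access vlan {port['access_vlan']}")
    # Assumption of this audit: once ISE is back, sessions authorized during
    # the outage should be re-initialized so they are re-authenticated.
    if port["alive_action"] != "reinitialize":
        findings.append("no 'authentication event server alive action reinitialize'")
    return findings


if __name__ == "__main__":
    for line in audit_port(PORT_CONFIG) or ["OK: port fails open as recommended"]:
        print(line)
```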

  • Inline Posture node registration error on the primary ISE node

    When registering an Inline Posture node on my primary ISE node, I got this message:

    "An error occurred during registration of node ISE-name - java.io.IOException: Server returned HTTP response code: 401 for URL: https://ise-name/deployment-rpc/persona". Please, what is the cause of this problem and how can I solve it?

    Hello

    Have you configured the certificates correctly? I'd start by checking there, and also check that you are using the correct credentials (the credentials of the Inline Posture node's GUI).

    Thank you

    Tarik Admani
    * Please rate helpful posts *

  • Error - in Windows XP the laptop's external monitor becomes primary, but Explorer windows do not go to the main window.

    Original title: XP laptop lid switch and extended mode.

    I have an XP laptop. I connect an external monitor and set it to extended mode with my laptop LFP as main and the external monitor as secondary. The power option for closing the lid is set to "do nothing". I open an Explorer window and drag it to the extended display. Then I close the lid. The external monitor becomes primary, but the Explorer windows do not move to the main window. They stay on the extended display even though extended mode is no longer active. Is this a known problem with XP? Anyone know? Thanks for your help...

    Hi jt_pan,

    Try extending the desktop across the two monitors.

    For more information, refer to this link: How to configure and use multiple monitors in Windows XP?

    Hope this information helps.
    Please post back and let us know.

  • Single-node standby created from a RAC primary, what to do later?

    I just found that the redo logs and standby redo logs were also duplicated from the primary to the standby.
    The standby is a single instance, but the redo logs and standby redo logs both have two threads.

    SQL> select group#, thread#, bytes from v$log;

    GROUP#     THREAD#    BYTES
    ---------- ---------- ----------
    5          1          52428800
    2          1          52428800
    1          1          52428800
    4          2          52428800
    6          2          52428800
    3          2          52428800

    6 rows selected.


    SQL> select group#, thread#, bytes from v$standby_log;

    GROUP#     THREAD#    BYTES
    ---------- ---------- ----------
    7          1          52428800
    8          1          52428800
    9          1          52428800
    10         1          52428800
    11         2          52428800
    12         2          52428800
    13         2          52428800
    14         2          52428800

    8 rows selected.


    This made me think: should I drop the thread #2 groups, or is it ok to just leave them there?

    Anything else I need to check?

    The thread parameter is:

    thread integer 0

    Thanks in advance.

    9233598 wrote:
    I just found that the redo logs and standby redo logs were also duplicated from the primary to the standby.
    The standby is a single instance, but the redo logs and standby redo logs both have two threads.

    This is the expected behavior.

    >

    SQL> select group#, thread#, bytes from v$log;

    GROUP#     THREAD#    BYTES
    ---------- ---------- ----------
    5          1          52428800
    2          1          52428800
    1          1          52428800
    4          2          52428800
    6          2          52428800
    3          2          52428800

    6 rows selected.

    SQL> select group#, thread#, bytes from v$standby_log;

    GROUP#     THREAD#    BYTES
    ---------- ---------- ----------
    7          1          52428800
    8          1          52428800
    9          1          52428800
    10         1          52428800
    11         2          52428800
    12         2          52428800
    13         2          52428800
    14         2          52428800

    8 rows selected.
    This made me think: should I drop the thread #2 groups, or is it ok to just leave them there?
    Anything else I need to check?
    The thread parameter is:
    thread integer 0

    No need to drop them; you can leave them as they are. If your standby is RAC, then recovery will be done by each instance for each thread.

  • Not possible to use the Nvidia GPU as the primary graphics source all the time?

    I went through the manual and the help tips from Lenovo, and it seems that it is not possible to use the NVIDIA GeForce 840M 2 GB as the exclusive GPU.

    The only control I can find is the one in the 3D graphics control panel, and if I read it correctly it means the Nvidia will be used when a demanding application process requires it (I'm guessing games?), but for activities such as photo editing it is up to the onboard Intel chip.

    brian1208 wrote:

    I went through the manual and the help tips from Lenovo, and it seems that it is not possible to use the NVIDIA GeForce 840M 2 GB as the exclusive GPU.

    The only control I can find is the one in the 3D graphics control panel, and if I read it correctly it means the Nvidia will be used when a demanding application process requires it (I'm guessing games?), but for activities such as photo editing it is up to the onboard Intel chip.

    To force an application to use your NVIDIA graphics card, right-click on its shortcut (or .exe file), point to "Run with graphics processor" and select the high-performance NVIDIA processor.

  • Procedure for an ISE appliance to join as an Inline Posture node

    Hi all

    I'm asking because I have 2 ISE-3315 appliances; we need one to be the primary Admin/Policy Service/Monitoring node, and the other to become an Inline Posture node.

    For the preparation of the Inline Posture node, what should I do?

    My questions are:

    01. For the appliance that is to become Inline Posture, do I simply boot it, install the OS from scratch (using version 1.1.1), then run the setup to initialize it etc., like a normal install?

    02. When I register it, which deployment node type should I choose for the Inline Posture node?

    The condition is that the Admin/Policy Service/Monitoring node will be the primary node, and registering the Inline Posture node will be the next action.

    Thank you

    Noel

    Noel,

    The scope of my comment was based on ISE deployments where the VPN nodes and IPEP use RADIUS. The connection from the ISE admin node to the IPEP and vice versa needs to have adequate certs in place, because they use SSL to authenticate and encrypt their data.

    Thank you

    Tarik Admani
    * Please rate helpful posts *

  • Best practices for restarting ISE nodes?

    Hello community,

    I administer an ISE installation with two nodes (I'm not an ISE specialist; my job is simply to manage the users/MAC addresses...), but now I have to move my ISE nodes from one VMware cluster to another VMware cluster.

    (Both VMware environments are connected to our company network, but they are different environments. vMotion is not possible.)

    I want to stop ISE02, move it to our new VMware environment and start it again.

    Then I would do the same with our ISE01 node...

    Are there best practices to achieve this? (Stop the application first, stop replication, etc.?)

    Can I really just reboot an ISE node, or do I have to consider something before I do this? Or after I did this?

    Any tasks after the reboot?

    Thanks for any answer!

    ISE01
    Administration, Monitoring, Policy Service
    PRI (A), SEC (M)

    ISE02
    Administration, Monitoring, Policy Service
    SEC (A), PRI (M)

    There is a lot to consider here. If changing environments involves a change of IP address and IP range, then your policies, profiles and DACLs would also change, among other things. If this is the case, create a new ISE VM in the new environment using the evaluation license and recreate the old environment's deployment using the new environment's addressing scheme. Then spin up a new secondary node and register it to the primary. Once this is done, you can re-host the licenses from your old environment onto your new environment. You can use this tool to re-host:

    https://Tools.Cisco.com/swift/LicensingUI/loadDemoLicensee?formid=3999

    If IP addressing is to stay the same, it becomes simpler.

    First and always, perform an operational and configuration backup.

    If downtime is not a problem, or if you have a maintenance window of an hour or so: just shut down both nodes. Transfer them to the new environment and power them on, primary node first, of course.

    If downtime is a problem, stop the secondary node and transfer it to the new environment. Start the secondary node, and when it comes back, stop the primary node. Once services have stopped on the primary node, promote the secondary node to primary.

    Transfer the FORMER primary node to the new environment and turn it on. It should take the role of secondary node. If it does not, assign this role through the GUI.

    Remember, the proper way to shut down an ISE node is:

    application stop ise

    halt

    By using these commands, the risk of database corruption decreases by 90% (remember to always back up).

    Please rate helpful posts and mark this question as answered if, in fact, this answers your question. Otherwise, feel free to post additional questions.

    Charles Moreton

  • Change of IP address for ISE 1.2 Administration nodes?

    Hello all.

    Currently I don't have the means to simulate this (it would mean creating multiple virtual machines to test, and I do not have access to the memory and disk space to do so).

    I currently have a 6-node ISE deployment, with 2 central nodes (Administration and Monitoring) and 4 PSNs scattered around the country.

    The customer needs to move the central nodes to their data center, and that will mean changing the IPs of both nodes.

    What are the steps to do this? I've searched and couldn't find anything conclusive.

    My idea is this:

    1. Take the secondary node and deregister it from the deployment.

    2. Change the secondary's IP address (regenerate the cert if necessary).

    3. Change the DNS record for the secondary admin node.

    4. Move the secondary to the data center.

    5. Power on the secondary admin node.

    6. Register the secondary admin node.

    7. Promote the secondary admin node to primary.

    8. Repeat the steps for the primary (now secondary) node.

    Of course, in the meantime I have to change the IP addresses of the RADIUS servers on all WLCs and switches.

    Will this work? Are there additional aspects I need to consider?

    Thanks in advance.

    Dear Sir

    Your proposed plan seems logical, but you must take care of the following:

    "If you have registered a secondary Administration node (the new primary) after registering secondary Cisco ISE Policy Service and Monitoring nodes, you must restart the secondary Cisco ISE nodes that were registered before the secondary Administration node was registered."

    Quoted from http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_use.

    Thus, after step 7, you need to restart the 4 PSNs so that they communicate with the Administration node AGAIN.

  • ISE 1.1 error displaying the home page when looking at the secondary node

    Hello

    I made an ISE installation with a primary and a secondary node; basically, it works very well.

    My problem is that when looking at the secondary node I get a certificate error: the page being viewed in the browser gets information from the primary node, which makes the browser not display the info. On the primary, it works fine.

    First I used self-signed certificates; subsequently I installed certificates from the local certification authority, but the problem remained the same.

    I tried with IE, Firefox and Chrome.

    When I change the primary/secondary role, the problem always moves to the actual secondary node.

    Anyone have an idea what to do here?

    Andreas

    If you use self-signed certs, you must connect to the secondary node; once you trust the cert, you'll be able to see everything on the primary node.

    Thank you

    Tarik Admani
    * Please rate helpful posts *

  • WLST - cannot run the nmConnect() command / Node Manager becomes unreachable

    Hello guys,

    I am facing a few issues setting up certain configurations of an application I deployed on WebLogic 10.3.3.0.

    One of the steps required to configure this application is to open WLST offline and run 2 commands:

    */BEA/mytrack/wlserver_10.3/common/bin/WLST.sh*

    Then I try to connect to the Node Manager:

    * wls:/offline> nmConnect('admin30800', 'weblogic_password', port='30801', domainName='track30800') *

    which returns the following error:

    Connecting to Node Manager ...
    <Jul 13, 2011 2:23:45 PM CDT> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=thawte Primary Root CA - G3,OU=(c) 2008 thawte\, Inc. - For authorized use only,OU=Certification Services Division,O=thawte\, Inc.,C=US". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
    <Jul 13, 2011 2:23:45 PM CDT> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=T-TeleSec GlobalRoot Class 3,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
    <Jul 13, 2011 2:23:45 PM CDT> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=T-TeleSec GlobalRoot Class 2,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
    <Jul 13, 2011 2:23:45 PM CDT> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R3". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
    <Jul 13, 2011 2:23:45 PM CDT> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "OU=Security Communication RootCA2,O=SECOM Trust Systems CO.\,LTD.,C=JP". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
    <Jul 13, 2011 2:23:45 PM CDT> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=VeriSign Universal Root Certification Authority,OU=(c) 2008 VeriSign\, Inc. - For authorized use only,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
    <Jul 13, 2011 2:23:45 PM CDT> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=KEYNECTIS ROOT CA,OU=ROOT,O=KEYNECTIS,C=FR". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
    <Jul 13, 2011 2:23:45 PM CDT> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=GeoTrust Primary Certification Authority - G3,OU=(c) 2008 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
    Traceback (innermost last):
      File "<stdin>", line 1, in ?
      File "<iostream>", line 123, in nmConnect
      File "<iostream>", line 646, in raiseWLSTException
    WLSTException: Error occurred while performing nmConnect: Cannot connect to Node Manager. : Access to domain 'track30800' for user 'admin30800' denied


    I did some research and found this thread: http://kr.forums.oracle.com/forums/thread.jspa?threadID=788163
    which solves the initial problem, but after I do the nmConnect and a storeUserConfig() command, exit() WLST and restart the Node Manager successfully, the Node Manager becomes unreachable.

    I used the WLS admin console and went to appdomain -> Environment -> Machines -> Monitoring -> Node Manager Status to check the unreachable state.



    Thanks in advance,

    Davinod

    Hi Davinod,

    This issue seems to occur because the Node Manager username and password credentials in the console are set to some unwanted, incorrect username and password.

    Please try the following to resolve this problem:
    1. Change the NodeManager username and NodeManager password in the console and set them the same as the domain username/password credentials.
    2. Restart the whole domain and the NodeManager process after the change.

    Here is the procedure to change the NodeManager username and password in the console:
    1. Log in to the WebLogic console --> click on Domain --> go to the Security tab and Advanced options.
    2. Change the NodeManager username and NodeManager password credentials in the console and activate the changes.

    Thank you
    Cree

  • Right way to restart an ISE PSN node in a distributed deployment

    Hi all

    Two of my ISE nodes (in a 1.2 8-node deployment) have expired admin CLI passwords (I know I'm stupid!)

    One is the secondary MnT node and one is a PSN node (1 of 4).

    I have some information on what I need to do to get a new password, but do I have to deregister the nodes first, or can I just restart them?

    Will my other three PSN nodes automatically re-authenticate users when the PSN node restarts, or should I request downtime?

    Thanks for any help in advance

    Mark

    Right, it shouldn't be a problem. You certainly wouldn't want to deregister it; you'd only do that if you need to re-image or something like that.

    Just as a tip, if you are only using wireless use cases, you could always disable that particular PSN as a RADIUS Authentication and RADIUS Accounting server globally (not on the WLAN). If you make a change to the WLAN, it will "bounce" the WLAN. But if you globally "admin" disable that particular PSN, the WLC will just keep using the PSNs that are up until you turn it on again.

    Tim

  • ISE Inline node

    I have an Inline ISE node that I added successfully to my ISE admin node. After I added the inline node, I was not able to configure it later. When I went back to change the configuration, the admin node said that it is not able to communicate with the inline node. Here's the exact error:

    Could not establish a connection to the Inline Posture node. Please make sure that certificates are correctly configured for mutual authentication between this node and the Inline Posture node.

    The certificates have not changed since I originally added the node. Also I am not able to open an SSL session to the trusted IP of the inline node. I don't know if this is normal or not.

    It looks like the same issue I stumbled on: the primary will allow you to register the inline node, but as soon as you manage it, it will complain about the certificate. Can you check the EKU of the cert and see if both client and server authentication are enabled?

    Thank you

    Tarik Admani
    * Please rate helpful posts *

  • Upgrade to ISE version 1.2

    My company has ISE installed in a virtual machine, and we have a plan to upgrade ISE from 1.1.1.268 to 1.2. But I've read through all the documentation, and it mentions upgrading the VM from 32-bit to 64-bit.

    I'm confused about the VM part. If my current 32-bit virtual machine is running 1.1.1.268, am I still able to upgrade using the "application upgrade" command directly with the "ise-upgradebundle-1.1.x-to-1.2.0.899.i386.tar.gz" bundle? What about the VM portion? Would I have to manually change the virtual machine from 32-bit to 64-bit, or is it done automatically as the message below suggests? Sorry, I'm not a VM guy and not sure about this part.

     Generating Database statistics for optimization .... - Preparing database for 64 bit migration... % NOTICE: The appliance will reboot twice to upgrade software and ADE-OS to 64 bit. During this time progress of the upgrade is visible on console. It could take up to 30 minutes for this to complete. Rebooting to do Identity Service Engine upgrade...

    Should I be concerned about the license and certificate after the upgrade?

    I'm not a VM guy either, but if you follow the notes on the link, you should be fine. The tasks that you mentioned are tasks that occur automatically when you perform the upgrade procedure. Once this process is complete, you will need to change the settings for the virtual machine. So if you have a single ISE node you will need to:

    1. Run the upgrade process

    2. Power off the virtual machine

    3. Set in VMware:

    - OS type (required)

    - RAM (optional) - check the ISE hardware installation guide

    - CPU (optional) - check the ISE hardware installation guide

    4. Power the virtual machine back on and try it again

    If you have a distributed deployment, then you will need to follow the instructions for it.

    The document/link also answers your question about certificates and license files:

    "The upgrade process preserves licenses and certificates. You don't have to reinstall or re-import them. Cisco ISE, Release 1.2, supports license files with two node Unique Device Identifiers (UDIs). You can request a new license with the UDIs of both primary and secondary Administration nodes. Check the Cisco Identity Services Engine Hardware Installation Guide for more details."

    Thank you for rating helpful posts!

  • ISE Guest Portal failover for new requests

    I have a controller with redundancy, not HA, on both ISE 1.2 nodes (primary and secondary). Each ISE node has a management interface and an interface for the portal. PSN is active on both nodes. The WLC chooses the ISE node (with failover) for authentication. For guest authentication, the user should be redirected to one of the two guest portals. What is the best method to choose and correctly redirect the user to the guest portal (including when one is down)? Is there any solution other than a load balancer for this scenario? Node groups handle existing sessions, and I need a solution for new sessions.

    Thank you.

    You don't need to do anything: once the WLC marks a PSN as down, new MAB requests are sent to the next PSN in your RADIUS list on the WLC, and the other PSN will respond with its own hostname in the URL redirect.
