How to add an additional Cisco Identity Services Node in an existing environment

Cisco provides an OVA file for the VMWare ESX server which can be deployed using ESX. OVA is configured with all the settings and preconfigured disk space.

Use the link to download Cisco ISE

Once you have deployed the OVA file, Power it on and go to the console, in order to configure it, you will need to type “SETUP” to start configuring the appliance.

Below is what you will need to do the initial setup.

  • IP address
  • Domain name
  • Time zone settings
  • DNS servers
  • NTP servers info
  • You can enable or disable SSH
  • Username and Password setup

Once these are entered, ISE will then reboot and start the installation process.

This can take up to 30 minutes complete. Once the ISE node is up it is installed as a stand-alone node and does not see any other nodes in the network, if this is the first node then you have the option to promote to primary and assign the roles you need.

There are two things that you will need to do.

  1. Export the certificate from the new Cisco ISE node to the Existing Cisco ISE primary node.
  2. Export the certificate from the primary node to the new standalone node

With the certificates, they now can trust each other.

Below are the steps  to join the new node as an HA node to the existing environment


Step 1 Log in to the primary PAN.
Step 2 Choose Administration > System > Deployment.
Step 3 Click Register to initiate registration of a secondary node.
Step 4 Enter the DNS-resolvable fully qualified domain name (FQDN) of the standalone node that you are going to register (in the format hostname.domain-name, for example, The FQDN of the primary PAN and the node being registered must be resolvable from each other.
Step 5 Enter the GUI-based administrator credentials for the secondary node in the Username and Password fields.
Step 6 Click Next.

The primary PAN tries to establish TLS communication (for the first time) with the node being registered.

  • If the node uses a certificate that is trusted, you can proceed to Step 7.
  • If the node uses a self-signed certificate that is not trusted, a certificate warning message is displayed is displays with details about the certificate (such as, Issued-to, Issued-by, Serial number, and so on), which can be verified against the actual certificate on the node. You can select the Import Certificate and Proceed option to trust this certificate and proceed with registration. Cisco ISE imports the default self-signed certificate of that node to the trusted certificate store of the primary PAN. If you do not want to use the default self-signed certificate, click Cancel Registration and manually import the relevant certificate chain of that node to the trusted certificate store of the primary PAN. When you import the secondary node’s certificate to the trusted certificate store, check the Trust for Authentication within ISE check box for the PAN to validate the secondary node’s certificate.
  • If the node uses a CA-signed certificate, an error message is displayed that the registration cannot proceed until certificate trust is set up.
Step 7 Select the personas and services to be enabled on the node, and then click Save.

The Primary Admin Node will start replicating the configuration to the new node. After the registered node is synchronized and restarted, you can log in to the secondary node GUI using the same credentials used on the primary PAN.


Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button