In this article we will take a look at eight things that should be considered before being able to join ISE nodes to the rest of a distributed deployment.
Joining ISE nodes to a distributed deployment requires a few prerequisites that must be met for registration to be successful. When the prerequisites are not met, you may find yourself stuck in a rut, troubleshooting in areas you shouldn't be troubleshooting in.
In an attempt to relieve you from troubleshooting registration issues, this article will focus on lessons learnt.
Ensure that the DNS server has A and PTR records for the nodes that you intend to register: When registering ISE nodes, the FQDN is required for the node you intend to register. If the FQDN of the node you wish to register cannot be resolved, you won't be able to join it to the deployment. You will also need to make sure that the FQDNs of all PANs are resolvable. It is best practice to ensure that all ISE nodes are resolvable (forward and reverse) to avoid other issues.
Ensure that the node you wish to register is in deployment mode 'Standalone': Nodes not in a standalone mode will not be able to join the deployment.
The certificate of the node you wish to register must be trusted by the PAN: Communication while registering nodes occurs mainly over TCP 443 (HTTPS), so mutual trust between both devices is required.
Patch levels must match: Before nodes can be registered to an existing deployment, any patch applied on the PAN must also be applied on the node that is joining the deployment. Trying to register a node without ensuring the relevant patches are applied will result in a failed attempt to join the node.
If using NTP, ensure that all clocks are synced: When clocks differ from one another or are out of sync, you may find yourself running into issues joining the deployment. Always check that the clocks are correct.
Ensure that the node you are registering is reachable: Although this seems the most common-sense thing to do, you'd be surprised at just how many times nodes become unreachable because of network changes or issues with the node itself. Always check bidirectional connectivity using the traditional connectivity testing methods.
Check firewall rules: When the nodes that you wish to register are behind a firewall, it's important to ensure that rules exist to allow communication between the nodes. This is most often the case when deploying PSNs within a DMZ for guest services but, in essence, it's network dependent. See the following article, https://www.networkwizkid.co.uk/post/cisco-ise-guest-mobility-anchor-firewall-considerations, for the firewall considerations that should be taken into account. Aside from that, you may need to consider allowing NTP and DNS communication as well.
Ensure that the username and password are correct: When registering nodes to a deployment, aside from the FQDN, a username and password are required. These are the admin credentials of the node you intend to register. Ensure that the credentials are correct before attempting registration.
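The items in this list that can be verified from an admin workstation before you click Register, as an added example that is not part of the original article and is not Cisco's own tooling: forward and reverse DNS agreement for the node and the PAN, TCP 443 reachability, and whether the node's HTTPS certificate chains to a CA bundle exported from the PAN. The hostnames, port and bundle path are assumed placeholders. Patch level, clock sync and the admin credentials are deliberately left out because they can only be confirmed on ISE itself.

```python
"""Pre-registration checks for joining a Cisco ISE node to a deployment.

Added example, not Cisco's own tooling. It verifies the prerequisites from the
article that can be tested from an admin workstation before registering:
  - A and PTR records for the node and the PAN agree with each other,
  - TCP 443 on the node is reachable,
  - the node's HTTPS certificate chains to a CA the PAN trusts (assumption: that
    CA bundle has been exported from the PAN to a PEM file on this workstation).
Hostnames, the port and the bundle path are assumptions, not values from the
article. Each check takes an optional hook so the logic can be exercised offline.
"""
import socket
import ssl
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class CheckResult:
    name: str
    ok: bool
    detail: str


def check_dns(fqdn: str,
              resolve: Optional[Callable[[str], str]] = None,
              reverse: Optional[Callable[[str], str]] = None) -> CheckResult:
    """A record must resolve, and the PTR for that address must name the same FQDN."""
    resolve = resolve or socket.gethostbyname
    reverse = reverse or (lambda ip: socket.gethostbyaddr(ip)[0])
    name = f"dns:{fqdn}"
    try:
        ip = resolve(fqdn)
    except OSError as exc:
        return CheckResult(name, False, f"no A record: {exc}")
    try:
        ptr = reverse(ip)
    except OSError as exc:
        return CheckResult(name, False, f"no PTR record for {ip}: {exc}")
    if ptr.rstrip(".").lower() != fqdn.rstrip(".").lower():
        return CheckResult(name, False, f"PTR for {ip} is {ptr}, expected {fqdn}")
    return CheckResult(name, True, f"{fqdn} -> {ip} -> {ptr}")


def check_tcp(host: str, port: int = 443,
              connect: Optional[Callable[[str, int], None]] = None) -> CheckResult:
    """Registration traffic is HTTPS, so the port must be open. This only proves the
    workstation-to-node direction; run the same check from the PAN for the other."""
    def _real_connect(h: str, p: int) -> None:
        socket.create_connection((h, p), timeout=3.0).close()
    connect = connect or _real_connect
    name = f"tcp:{host}:{port}"
    try:
        connect(host, port)
    except OSError as exc:
        return CheckResult(name, False, str(exc))
    return CheckResult(name, True, "connected")


def check_tls_trust(host: str, ca_bundle: str, port: int = 443,
                    handshake: Optional[Callable[[str, int, str], str]] = None) -> CheckResult:
    """Complete a TLS handshake that verifies the node's cert against the PAN's trust store."""
    def _real_handshake(h: str, p: int, bundle: str) -> str:
        ctx = ssl.create_default_context(cafile=bundle)  # verifies chain and hostname
        with socket.create_connection((h, p), timeout=3.0) as raw:
            with ctx.wrap_socket(raw, server_hostname=h) as tls:
                return str(tls.getpeercert().get("subject"))
    handshake = handshake or _real_handshake
    name = f"tls:{host}"
    try:
        subject = handshake(host, port, ca_bundle)
    except (ssl.SSLError, OSError) as exc:
        return CheckResult(name, False, f"not trusted by {ca_bundle}: {exc}")
    return CheckResult(name, True, f"chain verified, subject {subject}")


def run_checks(node_fqdn: str, pan_fqdn: str, ca_bundle: str, **hooks) -> List[CheckResult]:
    """Run every workstation-testable prerequisite; hooks replace the network calls."""
    dns_hooks = {k: hooks[k] for k in ("resolve", "reverse") if k in hooks}
    results = [check_dns(node_fqdn, **dns_hooks), check_dns(pan_fqdn, **dns_hooks)]
    results.append(check_tcp(node_fqdn, connect=hooks.get("connect")))
    results.append(check_tls_trust(node_fqdn, ca_bundle, handshake=hooks.get("handshake")))
    return results


def ready_to_register(results: List[CheckResult]) -> bool:
    """True only when every prerequisite check passed."""
    return all(r.ok for r in results)


if __name__ == "__main__":
    # Assumed names and path; replace with your own before running.
    for r in run_checks("ise-psn-01.example.com", "ise-pan-01.example.com",
                        "/tmp/pan-trusted-cas.pem"):
        print("PASS" if r.ok else "FAIL", r.name, "-", r.detail)
```

A failing dns check points you at the DNS server rather than at ISE, and a failing tls check with a passing tcp check tells you the firewall is fine and the gap is certificate trust, which keeps the troubleshooting in the right area.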
I hope that these considerations save you a lot of time when joining nodes to your ISE deployment.