IoT Security Integration Guide
  • IoT Security Integration Guide
  • IoT Security Documentation
  • All Documentation
>
Configure ISE Servers as an HA Pair
Focus
Download PDF
Focus
  1. Home
  2. IoT Security
  3. Network Access Control
  4. Integrate IoT Security with Cisco ISE
  5. Configure ISE Servers as an HA Pair
Download PDF
IoT Security

Configure ISE Servers as an HA Pair

Table of Contents

Configure ISE Servers as an HA Pair

Put Cisco ISE servers in an active/standby HA pair to provide redundancy.
Where Can I Use This?What Do I Need?
  • IoT Security (Managed by IoT Security)
  • IoT Security subscription for an advanced IoT Security product (Enterprise Plus, Industrial OT, or Medical)
One of the following Cortex XSOAR setups:
  • An IoT Security Third-party Integration Add-on license that includes a cohosted, limited-featured Cortex XSOAR instance
    AND
    A Cortex XSOAR Engine (on-premises integration)
  • A full-featured Cortex XSOAR server
IoT Security uses the term "active" and Cisco uses the term "primary" to refer to the node in an HA pair that is in active mode and processing data. IoT Security uses the term "standby" and Cisco uses the term "secondary" to refer to the node that is in passive mode waiting to take over if the active node fails.
The IoT Security terms "primary" and "secondary" refer to two ISE instances to which IoT Security sends device attributes. The primary instance, which can be a single ISE server or HA pair, is the one taking action on the data it receives. The secondary instance, which can also be a single ISE server or HA pair, receives the data but typically does not act upon it. In this case, the secondary instance provides redundancy in case the primary instance stops functioning. If that happens, an ISE administrator can manually activate the secondary instance and resume NAC operations.
Setting up an active/standby HA pair of ISE servers involves the following steps.
  1. Configure one ISE server and give it the role of Primary; that is, the active (or primary) node in an HA pair.
  2. Configure another ISE server and give it the role of Standalone. This will be the standby (or secondary) node in the HA pair.
  3. Create IP hosts on each server to resolve the FQDN of the other server to an IP address.
  4. On the secondary ISE server, export its self-signed certificate.
  5. On the primary ISE server, import the certificate as a .pem file.
  6. Still on the primary server, register the other ISE server as a secondary node.
    At this point, they start functioning as an HA pair. The primary node starts syncing its data with the secondary node, which remains in standby mode.
    For complete HA configuration instructions and details, see Configuring Administration Cisco ISE Nodes for High Availability.

Technical Documentation

Company

Legal Notices

© 2025 Palo Alto Networks, Inc. All rights reserved.

xThanks for visiting https://docs.paloaltonetworks.com. To improve your experience when accessing content across our site, please add the domain to the allow list on your ad blocker application.