Home
Support
Product Support
Security
Cisco Identity Services Engine
Install and Upgrade Guides

Cisco Identity Services Engine Installation Guide, Release 3.5

View all Saved Content

PDF

Is this helpful?

Helpful Unhelpful

Feedback

Thank you for your feedback. Your response has been recorded.

Ask about this document

Cisco Configuration Guide, Release 4.2

Expand all sections

About this content

Network Deployments in Cisco ISE

Cisco ISE network architecture
Cisco ISE deployment terminology
Node types and personas in distributed deployments
Cisco ISE deployment models
Small network deployments
Medium-sized network deployments
Large network deployments
Network device configuration for Cisco ISE

Cisco Secured Network Server Series Appliances and Virtual Machine Requirements

Cisco ISE hardware and virtual appliance requirements
VMware cloud solutions for Cisco ISE
Virtual machine size recommendations
Disk space requirements for VMs in a Cisco ISE deployment
Disk space guidelines for Cisco ISE
CPU requirements for hypervisors

Install Cisco ISE

Install Cisco ISE using Cisco Integrated Management Interface
Run the setup program of Cisco ISE
Verify the Cisco ISE installation process
Install Cisco ISE from an ISO on OpenStack
Install Cisco ISE on a Cisco SNS appliance using NFS
Localized ISE installation

Additional Installation Information

Tools used to create a bootable USB device from installation ISO file
SNS appliance maintenance
VMware virtual machine
Linux KVM
Microsoft Hyper-V
Create a Cisco ISE virtual machine on Hyper-V
Zero Touch Provisioning

Installation Verification and Post-Installation Tasks

Log in to the Cisco ISE web-based interface
Cisco ISE configuration verification
List of post-installation tasks

Common System Maintenance Tasks

Bond ethernet interfaces for high availability
Reset a lost, forgotten, or compromised password using a DVD
Reset a disabled password due to administrator lockout
Change the IP address of a Cisco ISE appliance
View installation and upgrade history
Perform a system erase

Cisco ISE Network Ports and Protocols Specifications

Ports used by all Cisco ISE personas
Cisco ISE infrastructure requirements
Operating system ports
Administration node ports
Monitoring node ports
Policy Service node ports
Cisco pxGrid service ports
OCSP and CRL service ports
Cisco ISE processes
Required internet URLs

Node types and personas in distributed deployments

Updated: May 6, 2026

Want to summarize with AI?

On this page

Overview

Administration nodes
Policy Service nodes
Monitoring nodes
pxGrid nodes

Overview

Introduces different node types and personas in a distributed deployment of Cisco ISE.

Each Cisco ISE node provides different services depending on its assigned persona. In a distributed deployment, you can have these combinations of nodes in your network:

Primary and secondary Administration nodes for high availability
A pair of Monitoring nodes for automatic failover
One or more Policy Service nodes for session failover
One or more pxGrid nodes for pxGrid services

Administration nodes

A Cisco ISE node with the Administration persona allows you to perform all administrative operations on Cisco ISE. It handles all system-related configurations that are related to functionalities such as authentication, authorization, auditing, and so on.

In a distributed deployment, you can have a maximum of two nodes running the Administration persona. The Administration persona can take on of these roles—standalone, primary, or secondary.

Policy Service nodes

A Cisco ISE node with the Policy Service persona provides network access, posture, guest access, client provisioning, and profiling services. This persona evaluates policies and makes decisions.

You can have more than one node assume this persona. Typically, distributed deployments have more than one Policy Service node.

You can group all Policy Service nodes that reside in the same high-speed local area network (LAN) or are behind a load balancer as a node group. If one node in a group fails, the other nodes detect the failure and reset URL-redirected sessions.

At least one node in your distributed setup should assume the Policy Service persona.

Monitoring nodes

A Cisco ISE node with the Monitoring persona

functions as the log collector and stores log messages from all the Administration and Policy Service nodes.
provides advanced monitoring and troubleshooting tools to effectively manage a network and resources.
aggregates and correlates the data that it collects and provides meaningful reports.

You can have a maximum of two nodes with this persona, and they can take on primary or secondary roles for high availability. In case the primary Monitoring node goes down, the secondary Monitoring node automatically becomes the primary Monitoring node.

At least one node in your distributed setup should assume the Monitoring persona. We recommend that you do not have the Monitoring and Policy Service personas enabled on the same Cisco ISE node. We recommend that the Monitoring node be dedicated solely to monitoring for optimum performance.

pxGrid nodes

You can use Cisco pxGrid to share context-sensitive information from Cisco ISE session directory with other network systems such as ISE ecosystem partner systems and other Cisco platforms. The pxGrid framework can also be used to exchange policy and configuration data between nodes, such as sharing tags and policy objects between Cisco ISE and third-party vendors, and for other information exchanges. Cisco pxGrid also allows third-party systems to invoke adaptive network control actions to quarantine users or devices in response to a network or security event.

TrustSec information, such as tag definition, value, and description, can be passed from Cisco ISE to other networks through the TrustSec topic. You can publish and subscribe to SXP bindings (IP-SGT mappings) through pxGrid.

Endpoint profiles with fully qualified names (FQNs) can be passed from Cisco ISE to other networks through an endpoint profile meta topic. Cisco pxGrid also supports bulk download of tags and endpoint profiles.

In a high-availability configuration, pxGrid servers replicate information between nodes through the PAN. When the PAN goes down, the pxGrid server stops handling client registration and subscription. You must manually promote the PAN to activate the pxGrid server.

Only the clients that are part of the groups included in the policy can subscribe to the service specified in that policy.

Need help?

Open a support case

(Requires a Cisco Service Contract)

Bias-free language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.