KevinYamada51369 (Customer) asked a question.

What is the best way to replace existing Primary and Replica Authentication Managers, with Cisco ISE as an agent? Add the new appliances as replicas and then promote one of the new appliances to Primary? Do I have to generate a new sdconf.rec file?

  • @KevinYamada51369 (Customer),


    A very high level overview would be:


    1. Log in to the Operations Console. First, check that replication is healthy (Home > Replication Status Report). Also back up the database (Maintenance > Backup > Backup Now). Take a snapshot of the VM as well.
    2. Since only one replica is allowed, delete the current replica from the deployment.
    3. Following the steps in the Authentication Manager 8.9 Setup and Configuration Guide (or appropriate version for your deployment), generate a new replica package, stand up the new replica and attach it to the current primary.
    4. Promote the new server to be the primary.
    5. Delete the old primary from the deployment.
    6. Go back to the Operations Console and confirm replication is still healthy.
    7. Do an automatic rebalance to update the server contact list (Access > Authentication Agents > AM Contact List > Automatic Rebalance).
    8. Generate and distribute a new sdconf.rec file to your agents/RADIUS clients (Access > Authentication Agents > Generate Configuration File).
    9. If you do not already have the Cisco ISE listed in the Security Console as an authentication agent and/or RADIUS Client, you will want to add it. Use the RSA Ready Implementation Guide for Cisco ISE for details on configuring the device.

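Steps 8 and 9 above leave one practical question open: how to confirm that the promoted primary actually answers the Cisco ISE RADIUS client before users are cut over. The following is an added example, not code from the thread or from RSA, of a minimal RFC 2865 smoke test: it builds a PAP Access-Request (User-Password hidden with the MD5/XOR scheme from section 5.2 of the RFC), sends it to the new server, and verifies the Response Authenticator so that a forged or mis-secreted reply is not mistaken for an Access-Accept. The hostname `am-primary.example.com`, port 1812, the shared secret, the NAS-Identifier `ise-01` and the test user's passcode are placeholders; it also assumes, as is usual for an Authentication Manager RADIUS server, that the passcode is sent as a plain PAP User-Password.

```python
"""RADIUS (RFC 2865) Access-Request builder and response checker.

Added example for a post-cutover smoke test against a newly promoted
Authentication Manager primary. Hostname, port, shared secret, NAS-Identifier
and credentials below are assumed placeholders, not values from the thread.
"""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32
CODE_NAMES = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject",
              ACCESS_CHALLENGE: "Access-Challenge"}


def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16 bytes, then XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password (what the server does). Strips the zero padding,
    so a password that itself ends in NUL bytes would lose them."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (including the 2-byte header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret, identifier, username, passcode, nas_id, authenticator=None):
    """Return (packet, request_authenticator). The authenticator is random, as the
    RFC requires; passing one in is only for reproducible test vectors."""
    authenticator = authenticator or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, hide_password(secret, authenticator, passcode.encode()))
             + _attr(ATTR_NAS_IDENTIFIER, nas_id.encode()))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier & 0xFF, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def build_response(secret, request_authenticator, code, identifier, attrs=b""):
    """Server-side response construction (used here to produce offline test vectors):
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier & 0xFF, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(secret, request_authenticator, response):
    """Check the Response Authenticator before trusting an Accept/Reject.
    Returns (code, identifier) or raises ValueError."""
    if len(response) < 20:
        raise ValueError("short RADIUS packet")
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if length < 20 or length > len(response):
        raise ValueError("bad RADIUS length field")
    attrs = response[20:length]  # octets beyond Length are padding and are ignored
    expected = hashlib.md5(response[:4] + request_authenticator + attrs + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or forged reply")
    return code, identifier


def radius_smoke_test(host, secret, username, passcode, nas_id="ise-01", port=1812, timeout=5.0):
    """Send one Access-Request over UDP and return the named reply code after verifying it."""
    packet, request_auth = build_access_request(secret, os.urandom(1)[0], username, passcode, nas_id)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, port))
        reply, _ = sock.recvfrom(4096)
    code, identifier = verify_response(secret, request_auth, reply)
    if identifier != packet[1]:
        raise ValueError("reply identifier does not match request")
    return CODE_NAMES.get(code, f"code {code}")


if __name__ == "__main__":
    # Placeholders (assumed): the promoted primary's FQDN, the shared secret configured
    # for the ISE RADIUS client, and a test user's PIN + tokencode.
    print(radius_smoke_test("am-primary.example.com", b"shared-secret", "testuser", "1234567890"))
```

Run it from a host that the Security Console lists as a RADIUS client with the matching shared secret, once before the old primary is deleted (step 5) and again after the rebalance and the new sdconf.rec have been pushed (steps 7 and 8). An Access-Reject with a valid Response Authenticator still proves the new server is reachable and shares the secret; a timeout or an authenticator mismatch points at the contact list, the RADIUS client entry, or the secret rather than at the user.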
    • KevinYamada51369 (Customer)

      @EricaChalfin (RSA) Thanks for the step by step high level, very useful. Didn't know only one replica was allowed.

      What do you think about just taking the existing pair off-line and restoring the backup to the new appliances? Would I just have to generate a new sdconf.rec file for the agent after restoring, or do you think that method could introduce more issues?

      • @KevinYamada51369 (Customer),


        The 1 primary + 1 replica deployment scenario is if you have a base license. If you have an enterprise license, you are allowed 1 primary and up to 14 replicas so you have some additional wiggle room for adding new servers.


        Doing a full swap out is an option, but be aware that if you do that, you'd need to create your new servers with the same version of Authentication Manager that you are running currently in order to restore the database. You can't back up Authentication Manager 8.8, for example, and restore it to a deployment running 8.9. If these new servers will have the same FQDN and IP addresses as your current servers, you'd not need to generate a new sdconf.rec.

      • KevinYamada51369 (Customer)

        @EricaChalfin (RSA)

        It sounds like doing the restore to the new appliances is the simpler option in our case. I have already upgraded the current AMs to the same version as our new ones. I appreciate all the information!