Change ISE deployment...

Hello,

We have 2 x ISE 3355 appliances already deployed in standalone mode (a redundant deployment that supports up to 2000 endpoints). After a while the client asked us to add another PSN using the VM version of the ISE server on an external host; he said that 2000 endpoints is not enough for him and he wants to increase the number of endpoints by adding an additional PSN.

As I understand it, with the current (standalone) configuration I can't add an extra PSN unless I redeploy in distributed mode (which would require reconfiguring both devices and disconnecting all ISE services). Is that correct? If so, is there any guideline on how to migrate safely to a distributed deployment without wasting time...

Thanks

Once you convert to distributed mode, the ISE services MUST restart. There is no way around it. This usually takes no more than 15 minutes, depending on your environment. Once this is done, you can add a PSN to the deployment without a break in service. Just don't remove the Policy Service persona from the Admin node until your PSN is in place.

Tags: Cisco Security

Similar Questions

  • How to get the changed-asset details of a deployment event

    Hello

    I created a deployment listener class to watch changes to the WWW file system, but the event does not provide any information about the assets that were modified in the current deployment process.

    The affected item type and the affected repositories return null values.

    How can I track the details of the changed WWW file system using the deployment listener class?

    Thank you
    Jocelyne Meyer

    You must expose an RMI service on the BCC that returns the modified files.
    On the agent side, the deployment listener should call this RMI service and get the modified files.

    Here is the snippet of the RMI service on the BCC side (imports, the loop bound and the null check have been filled in so it compiles; the posted fragment had lost them). The method is assumed to live in a Nucleus component that extends GenericService, which is where getDeploymentRepository(), isLoggingDebug() and logDebug() come from.

    import java.util.ArrayList;
    import java.util.List;

    import atg.nucleus.Nucleus;
    import atg.repository.Query;
    import atg.repository.QueryBuilder;
    import atg.repository.QueryExpression;
    import atg.repository.Repository;
    import atg.repository.RepositoryException;
    import atg.repository.RepositoryItem;
    import atg.repository.RepositoryView;

    // Returns the atgrep: URIs of every asset touched by the given deployment.
    public List<String> getDeploymentData(String deploymentId) throws RepositoryException {
        List<String> assetURIs = new ArrayList<String>();

        // "repositoryMarker" items record which repository item a deployment touched
        RepositoryView view = getDeploymentRepository().getView("repositoryMarker");
        QueryBuilder qb = view.getQueryBuilder();
        QueryExpression expression = qb.createPropertyQueryExpression("deploymentId");
        QueryExpression val = qb.createConstantQueryExpression(deploymentId);
        Query query = qb.createComparisonQuery(expression, val, QueryBuilder.EQUALS);

        RepositoryItem[] deploymentData = view.executeQuery(query);

        if (deploymentData != null) { // executeQuery returns null when nothing matches
            for (int i = 0; i < deploymentData.length; i++) {
                // the marker's "deploymentData" item carries the Nucleus path of the source repository
                RepositoryItem data = (RepositoryItem) deploymentData[i].getPropertyValue("deploymentData");
                String repositoryPath = (String) data.getPropertyValue("source");
                String itemDescName = (String) deploymentData[i].getPropertyValue("itemDescriptorName");
                String itemId = (String) deploymentData[i].getPropertyValue("itemId");
                Repository repository = (Repository) Nucleus.getGlobalNucleus().resolveName(repositoryPath);
                String uri = "atgrep:/" + repository.getRepositoryName() + "/" + itemDescName + "/" + itemId;

                if (isLoggingDebug()) {
                    logDebug("uri = " + uri);
                }

                assetURIs.add(uri);
            } // end of loop over the items in deploymentData
        } // end if the deployment was found

        return assetURIs;
    }

    Peace
    Shaik

  • ISE VLAN change for wireless settings

    Hello

    I configured a posture policy on ISE for posture-compliant and noncompliant endpoints, such that compliant endpoints fall into the clean VLAN and noncompliant ones fall into another.

    Now, my question is: even when an endpoint is compliant, it does not land in the posture VLAN. To get an IP address from that VLAN it requires an ipconfig /release and ipconfig /renew done manually.

    How do I solve this problem...

    Kind regards

    Aditya

    If you assign a VLAN, the final step is for the client PC to renew its IP address. This step is performed by the guest portal for Windows clients. If you did not define a VLAN for the 2nd AuthZ rule earlier, you can skip this step.

    If you have assigned a VLAN, complete the following steps to enable the IP renewal:

    1. Click Administration, and then click Guest Management.
    2. Click Settings.
    3. Expand Guest, and then expand Multi-Portal Configurations.
    4. Click DefaultGuestPortal or the name of a custom portal that you created.
    5. Check the VLAN DHCP Release check box.

  • Cisco ISE domain name change

    Our ISE deployment was set up with our internal domain csi.corp; during the CWA guest presentation, that is the domain name presented at the

    prompt. We would like to do this on the public domain with a valid certificate. From what I have gathered, the HTTPS web portal certificate must contain the FQDN of the ISE node, so I need to change the domain name on the server. I found posts where some have changed the domain name after deployment without negative results; is this possible? We are currently integrated with our corporate AD and able to use that for EAP authentications. We have 2 nodes in our deployment; is it possible to change to our public domain name without a rebuild?

    Thank you

    Joe

    Wow, this is an old thread, but I'm glad it still helps others :)

    wyfy-2015 - thanks for the compliment!

    joeharb - thank you for taking the time to come back and post info on this (+5 from me as well).

    Now, since this problem has been solved, let's mark the thread as "answered" ;)

    Thank you for rating useful posts!

  • Broken ISE deployment

    Hi all

    I need to change the IP addresses in an ISE 1.2 HA deployment (a primary/secondary pair). The tricky part is that the deployment was broken before I could get my hands on the servers.

    I can make the primary server standalone and change its address, but for the secondary server I apparently do not have this option.

    So what is the appropriate procedure to reconfigure the IP address of a secondary server that is "broken"?

    Thank you

    Lennart

    Since it is the secondary, I wouldn't spend too much time getting frustrated over it. A fresh image may be just the cure you're looking for.

    You can always take a backup of the secondary that is "broken", right? That way you always have a built-in safety net.

    Please rate useful posts and mark this question as answered if, in fact, that answers your question. Otherwise, feel free to post additional questions.

    Charles Moreton

  • ISE deployment in a wireless infrastructure without a WLC (single 1240AG access point)

    Hi all

    I have a 1240AG access point and plan to deploy ISE as the external RADIUS server. I would like to know how I must set up different authorization policies on the AP/ISE, and whether I can use named ACLs or VLANs (via CoA) as enforcement types without the use of a WLC. If so, how?

    Thanks in advance.

    No, it's not possible, because the IOS code that access points run in standalone mode does not support Change of Authorization (CoA). They will authenticate the user, but when a CoA event is fired from ISE, that's where this deployment breaks and gets lost.

    Thank you

    Tarik Admani

    Post edited by: Tarik Admani

  • ISE deployment in a routed network with VLANs

    Hello world

    Newbie to ISE. I want help/suggestions on how to deploy ISE in my network, or comments on whether my plan would work.

    ISE machines, Servers (ALL) and Corporate (Dot1x and domain) in VLAN 10

    Guests should be in a separate VLAN 20

    By default all switch ports must be in VLAN 30, which has nothing but DHCP.

    Each endpoint must come in through VLAN 30 and then be pushed to its respective VLAN, i.e. VLAN 10 if it is a corporate (Dot1x) PC and guest VLAN 20 if it is MAB and does not appear in the endpoints.

    Would this be a successful deployment?

    Secondly, is inter-VLAN routing required in this scenario for the endpoints to be controlled properly?

    Is ISE able to communicate with endpoints that are not in the policy VLAN?

    Hello

    Deploying ISE requires a lot of consideration in many aspects. I suggest you read the Cisco documentation carefully to become familiar with it.

    http://www.Cisco.com/c/dam/en/us/TD/docs/solutions/enterprise/security/T...

    A Cisco ISE node plays many roles: Admin, Monitoring and Policy Service. The crux is the Policy Service Node (PSN), which plays the role of the RADIUS server (RADIUS endpoint, to be precise) that handles the AAA requests.

    For dot1x authentication of internal hosts, you can have the ISE PSN in the in-house LAN (same VLAN as the servers) or with the users. For wireless clients, you can use a dedicated PSN or share the PSN, according to the security requirements.

    Cheers,

    Vidy

    Please don't forget to rate this post if useful.

  • ISE distributed deployment and license management

    Hello

    I have 2 x ISE-VM-K9= licenses, and I want to deploy ISE in Standalone mode with HA.

    i.e., have 2 boxes, Node1 and Node2, each hosting all three personas and closely located in 1 data center.

    Then I want to have a third box, Node3, in a remote data center (only for DR purposes).

    What is the best way to design it?

    1. Have Node1 and Node3 in a host group and use them as the primary AAA, with Node2 as the secondary node

    2. Have Node1 and Node2 in a local host group, then host Node3 in another entity

    I'm worried about the licensing condition of the 2nd option

    Any thoughts?

    Regards

    Sergeant

    Do you mean a PSN node group when you say "host group"?

    License-wise, all the nodes in an ISE deployment share the licenses installed on the PAN.

  • Cisco ISE 2.1 settings keep changing

    Hello

    Is there a way to see in ISE who made changes and what the actual changes were? Like an audit of changes made to ISE itself. I don't mean the TACACS log.

    Thank you!

    Hello

    You can go to Operations > Reports > Audit > Configuration Change Audit.

    Regards

    Gagan

    PS: Mark as correct answer if it helps!

  • ISE domain name, certificates and guest portal

    Hello world

    We have an ISE deployment that uses our internal domain for its FQDN (example: ise01.private.local). Now we want to use it for guest access authentication and have noticed that the default redirect URL uses the FQDN of the ISE server.

    This works very well for our corporate machines, since we have our own generated certificates and internal certification authority. As we don't want certificate errors to occur for our guests, we need to use a public FQDN.

    Are we better off changing the domain name used by the ISE servers, or is it possible to change the redirect URL to use a custom domain?

    I've heard suggestions that changing the domain name is not supported, but I can't find another way.

    Thank you
    Mark

    Mark,

    Do you already have a public FQDN pointing to your ISE? If so, let's assume that you authenticate using CWA. First create a new authorization profile; under Common Tasks, select Web Redirection (CWA, DRW, MDM, NSP, CPP), choose the authentication method (in this case, CWA) and set the ACL to use. Just below, select Static IP/Host name and enter the public FQDN that points to your ISE.

    From there, you can create an authorization policy that references the profile you just created.

    Please rate useful posts and mark this question as answered if, in fact, that answers your question. Otherwise, feel free to post additional questions.

    Charles Moreton

  • ISE 1.4 guest portal customization - prevent users from saving passwords in the browser

    Hi all

    I'm deploying ISE 1.4 for a customer, doing central web authentication for a guest wireless network. Guest access works very well; however, the customer asked me to prevent users from saving usernames and passwords in the browser.

    I don't see anywhere to prevent this through the ISE GUI, which leads me to think we will need to change the portal HTML.

    For ISE 1.2, Cisco provided documentation and code to do so at the following address:

    http://www.Cisco.com/c/dam/en/us/TD/docs/security/ISE/how_to/HOWTO-42-cu...

    These instructions do not work for ISE 1.4 as the guest access menus have changed. In particular, the only advanced customization that appears to be available is to download a CSS file, customize it and upload it back to ISE.

    From my limited HTML knowledge, customizing the CSS file only allows me to change the appearance of the portal, not the functionality.

    Does anyone know if it is possible to drop in custom HTML code and install it on ISE 1.4? Looking through the release notes, this was replaced in ISE 1.3 when they redid the guest portal menus.

    Thank you

    James

  • ISE & WLC

    Small question:

    If I deploy ISE + WLC with the WLC in HREAP / FlexConnect mode, access lists don't work, so how am I supposed to posture clients at remote locations?

    (because I was going to put an ACL blocking everything but DNS/etc. until they pass posture)

    Can I change the VLAN depending on user/device once they have hit the AP? I'm still talking about remote locations.

    Edon,

    Here's a FlexConnect feature matrix; this is supported with ISE 1.1 (since there is a section dedicated to it). You will need to move to 7.2 to get the new features.

    http://www.Cisco.com/en/us/products/ps10315/products_tech_note09186a0080b3690b.shtml

    Feature   WAN up (central switching)   WAN up (local switching)   WAN down (standalone)
    ISE 1.1   Yes                          Yes (7.2.110.0)            No

    Release notes for 7.2 (http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn7_2.html#wp855314)

    I hope this helps.

    Tarik Admani
    * Please rate useful posts *

  • Machine authentication does not work after the machine is left overnight - ISE 1.1.1

    I'm running ISE 1.1.1 patch 2 and doing Windows XP machine authentication using PEAP with computer and user authentication.

    The issue is that when a machine is powered on, machine authentication processes fine and user authentication is successful. The problem is that after the machine has been logged off and left unattended for many hours, I get bounced into a guest VLAN; the ISE logs say they can no longer validate that the machine was authenticated via AD. If the user reboots the computer, it is fine again.

    Are there timers in AD or on the machine that flush the RADIUS status WasMachineAuthenticated? Can someone tell me if there is a recommended configuration so that machine authentication is maintained throughout a workday or overnight?

    Hello rcianci,

    You are experiencing this problem because of your authorization rule "WasMachineAuthenticated". This process (aka MAR - Machine Access Restriction) occurs only when a computer is restarted or powered on. Once the MAR timer expires, machine authentication fails until the machine is restarted again.

    Here are two ways you can try to tackle this problem:

    1. I used MAR in the past and:

    a. set the timer to 168 hours (1 week)

    b. educated users that they must restart their machines weekly

    It worked 'OK', but it's still irritating to end users. It can also cause problems if you do that for wired and wireless, because the MAC address will change and ISE/ACS will not see the new MAC address as authenticated, which requires the user to perform another reboot.

    2. A better way is to get rid of MAR altogether. If you want to keep things simple, you can just use PEAP machine-based authentication using the machine's credentials. It's not always ideal, but if your AD is correctly locked down so that only certain users can join computers to the domain, then you should be good to go. However, if you want to continue to use machine + user, you will need to look at something a little more complex such as EAP chaining.

    I hope this helps... Let me know if you have any other questions

    Thanks for the note!
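    The MAR behaviour discussed in the thread above is easiest to see as a model of the cache that ISE/ACS keep: one entry per calling-station MAC, refreshed only by a successful machine (computer-credential) authentication, and consulted by the WasMachineAuthenticated condition until the aging time elapses. The following is an added illustration, not code from the original post or from Cisco; the aging value of 168 hours is the one the reply suggests, the "corp"/"guest" outcomes and the MAC addresses are constructed, and the model deliberately reproduces both failure modes mentioned (timer expiry without a reboot, and a different MAC after moving from wired to wireless).

```python
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class MarCache:
    """Model of a Machine Access Restriction cache (assumption: keyed by calling-station MAC)."""

    aging_hours: float = 168.0                      # MAR aging time; 168 h as suggested in the reply
    _seen: Dict[str, float] = field(default_factory=dict)   # MAC -> hour of last machine auth

    def record_machine_auth(self, mac: str, now_h: float) -> None:
        """A successful computer-credential PEAP login refreshes the entry for that MAC."""
        self._seen[mac] = now_h

    def was_machine_authenticated(self, mac: str, now_h: float) -> bool:
        """The WasMachineAuthenticated condition: an entry exists and is younger than the aging time."""
        last: Optional[float] = self._seen.get(mac)
        return last is not None and (now_h - last) < self.aging_hours


def authorize_user(cache: MarCache, mac: str, now_h: float) -> str:
    """User credentials were accepted; only the MAR check decides corp versus guest access."""
    return "corp" if cache.was_machine_authenticated(mac, now_h) else "guest"


WIRED_MAC = "00:11:22:33:44:55"   # constructed: the docked NIC
WIFI_MAC = "66:77:88:99:aa:bb"    # constructed: the wireless NIC of the same laptop


def scenario(aging_hours: float = 168.0) -> Dict[str, str]:
    """Walk one laptop through a week and return the access granted at each user login."""
    cache = MarCache(aging_hours=aging_hours)
    results: Dict[str, str] = {}

    cache.record_machine_auth(WIRED_MAC, 0.0)                 # power on: machine auth succeeds
    results["login_at_boot"] = authorize_user(cache, WIRED_MAC, 0.1)

    # log off overnight, log in again without rebooting: no new machine auth happens
    results["next_morning"] = authorize_user(cache, WIRED_MAC, 24.0)

    # still no reboot once the aging time has passed
    results["after_timer_expiry"] = authorize_user(cache, WIRED_MAC, aging_hours + 2.0)

    cache.record_machine_auth(WIRED_MAC, aging_hours + 2.5)   # user reboots: entry refreshed
    results["after_reboot"] = authorize_user(cache, WIRED_MAC, aging_hours + 2.6)

    # undock to Wi-Fi: different MAC, no entry, so the user lands on guest despite the reboot
    results["undocked_to_wifi"] = authorize_user(cache, WIFI_MAC, aging_hours + 3.0)
    return results


if __name__ == "__main__":
    for name, access in scenario().items():
        print(f"{name:20s} -> {access}")
```

    Running scenario(5.0) instead of the default shows the original poster's situation: with a short aging time the very first login after an overnight logoff already lands on guest, which is why lengthening the timer only postpones the complaint and why the reply points to EAP chaining as the way to avoid the cache entirely.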

  • ISE licensing

    Hi guys, I'm confused about ISE licensing. We want most of the elements, including wired, wireless, VPN, guest, profiling, posture etc.

    A vendor listed Base + Apex licenses per endpoint (AnyConnect) and they say that will cover us.

    Is this right, since the licensing page suggests that we need much more than that?

    Thank you!

    Jacques

    While you can technically run an ISE deployment with only Base and Apex (and AnyConnect Apex if you do not use native supplicants) licenses, you usually need more licenses too if you plan to use the services it provides (including profiling).

    You also need the line items for the servers themselves, whether appliance or VM.

  • Some computers do not authenticate successfully with ISE and join the guest VLAN

    Hello

    We have deployed ISE in a company and configured the workstations for computer authentication. When workstations authenticate, they are placed in the Data VLAN (5); if they fail, they must be placed in the guest VLAN (50). The WiredAutoConfig service is used as the supplicant and is configured with a GPO so that all workstations have the same settings.

    The ISE certificate is signed by our internal CA and the workstations have also imported the CA into their trusted CA list.

    The problem is that a few workstations are placed in the guest VLAN. Previously, on these workstations we got a pop-up as below. When clicking 'Connect', the workstations were placed properly in the Data VLAN (5). We do not get this security alert anymore on these machines and they just join the guest VLAN, which is not what we want.

    However, most of the workstations authenticate successfully.

    Switchport configuration (the translated command names have been restored to the IOS syntax):

    switchport access vlan 5
    switchport mode access
    switchport voice vlan 6
    authentication event fail action next-method
    authentication event server dead action authorize vlan 5
    authentication event server dead action authorize voice
    authentication event no-response action authorize vlan 50
    authentication event server alive action reinitialize
    authentication host-mode multi-domain
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    authentication periodic
    authentication violation replace
    mab
    mls qos trust dscp
    dot1x pae authenticator
    dot1x timeout tx-period 10
    spanning-tree portfast
    spanning-tree bpduguard enable

    ISE authentication log:

    Is anyone in a similar situation?

    I assume the domain machines have the root CA certificate checked under the 'Protected EAP Properties' window?
