ISE distributed deployment

Hi all

We have a primary and a secondary headquarters in the United Kingdom and then larger branches in Europe and the United States. The total number of users is ~2500.

What we're trying to do is to deploy a main node with the Administration, Monitoring and Policy Service personas in HQ1, a secondary Administration, Monitoring and Policy Service node in HQ2, and then Policy Service nodes in Europe and the United States. Is this deployment supported? I have read the documentation for distributed deployments and it suggests having separate Policy Service nodes for all sites; however, I don't know if this is necessary in all scenarios such as ours.

Can someone please help

Hello

Ideally, the deployment should work over a WAN link. Just ensure low latency in the environment and check the network settings.

Please rate as correct if this can help!

Regards

Gagan

Tags: Cisco Security

Similar Questions

  • ISE distributed deployment upgrade

    My client has an ISE deployment with 4 nodes: primary and secondary Admin/MnT and 2 Policy Service nodes. The Admin nodes are virtual machines, the policy nodes are 3315 appliances.

    The system was installed nearly three years ago with version 1.1.0... It seems that the system never had issues, so it has never been patched or upgraded. Why fix something that works well?

    Today there was a problem because of expired certificates, so while reviewing how to get the system back up and running, the question of upgrading came up. We would love to upgrade to the latest supported version. So I'm looking for a few tips and ideas for planning the upgrade.

    I have some doubts:

    Can the 3315 appliance support version 1.3 without problems?

    I know that the upgrade procedure is essentially installing a .tar file, but I'm not clear how the process must go in a distributed deployment. I have run upgrades on stand-alone systems, but never in a distributed deployment. So do I need to upgrade the primary Admin only, and would the other nodes upgrade automatically?

    Do I need to upgrade from 1.1 to 1.2 first, then from 1.2 to 1.3?

    I understand version 1.1 is 32-bit and versions 1.2 and 1.3 are 64-bit, so I guess that the process could take a long time (maybe a few hours), so a maintenance window would need 3 or 4 hours for the whole system to become stable.

    Can you give me some tips and suggestions to avoid the major problems?

    Kind regards.

    Daniel Escalante.

    Hardware support and personas for ISE 1.3 include the 3315:

    http://www.Cisco.com/c/en/us/TD/docs/security/ISE/1-3/Release_notes/ise1...

    You can proceed to ISE 1.3 from 1.2 or 1.2.1:

    http://www.Cisco.com/c/en/us/TD/docs/security/ISE/1-3/upgrade_guide/b_is...

  • ISE distributed deployment and license management

    Hello

    I have 2 x ISE-VM-K9= licenses, and I want to deploy ISE in Standalone mode with HA.

    i.e., have 2 boxes, Node1 and Node2, each hosting all three personas and closely located in 1 data center.

    Also, I want to have a third box, Node3, in a remote data center (only for DR purposes).

    What is the best way to design it?

    1. Have Node1 and Node3 in a host group and use them as AAA primary and Node2 as secondary.

    2. Have Node1 and Node2 in a local host group, then Node3 in another host group.

    I'm worried about the licence condition of the 2nd option.

    Any thoughts?

    Regards

    Sergeant

    Do you mean a PSN node group when you say "host group"?

    License-wise, all the nodes in an ISE deployment share the licenses installed on the PAN.

  • WLC RADIUS accounting in a distributed ISE deployment: is it the PSN or the MnT node?

    Hello

    In the WLC configuration for RADIUS accounting servers in a distributed ISE deployment, which server is the RADIUS server: the Policy Service node(s) or the Monitoring nodes?

    As always, appreciate your reply.

    Mike

    Hi Mike,

    The WLC must be configured to send authentication and accounting to the PSN. Monitoring nodes are (among other functions) where the PSN logs are sent.

    see you soon,

    SEB.

  • Postgres vRA distributed deployment configuration

    Hello

    We are doing a distributed deployment of vRA 6.2.2 and have a question around the Postgres SQL Server implementation. The documentation talks about a DB server cluster between the vRA appliances. Does a vRA distributed deployment mandatorily require vPostgres in a cluster, or can I set up a single Postgres instance and point the two vRA appliances to the same one?

    We do not want cluster DB server unless it is mandatory for the vRA.

    If a single Postgres can meet the requirement, is there any specific configuration in the DB to let the two vRA appliances connect?

    Yes, you can use a single Postgres and it works without any problem. And there is no specific requirement as such. It's usually a recommendation to have Postgres clustered for HA.

  • Right way to restart the ISE PSN node in a distributed deployment

    Hi all

    Two of my ISE nodes (in a 1.2 8-node deployment) have expired admin CLI passwords (I know I'm stupid!)

    One is the secondary node MnT and one is a PSN node (1 of 4).

    I have some information on what I need to do to get a new password, but do I have to deregister the nodes first, or can I just restart them?

    Will my other three PSN nodes automatically re-authenticate users on the PSN node restart, or should I request downtime?

    Thanks for any help in advance

    Mark

    Right, shouldn't be a problem.  You certainly wouldn't want to deregister it; you'd only do that if you need to reimage or something like that.

    Just as a tip, if you only have wireless use cases, you could always disable this particular PSN, since the RADIUS authentication and RADIUS accounting servers are global (not per WLAN).  If you make a change to the WLAN, it will "bounce" the WLAN.  But if you globally "admin" disable that particular PSN, the WLC will just skip it as a PSN until you turn it on again.

    Tim

  • Change password for local administrator on Cisco ISE in distributed deployment

    Hi guys,

    I manage four Cisco ISEs in a distributed environment.

    The first ISE is the Admin, the second ISE is Monitoring, the third and fourth are PSNs.

    We use local authentication. We want to change the password for the admin user name.

    -Will doing that break the connection between the ISEs, or will the new password be pushed to each of them?

    There is no possibility to change the passwords on the PSNs, as the Administration tab is not available.

    I know that when I create a new user, it's pushed to all ISEs.

    Thank you.

    Serge.

    Serge,

    Good question.  Once I read this question, I had to know, so I tried this in my lab.

    I changed the admin password and the change was successful; I had to log in to ISE using the new password.  Then I noticed on my dashboard that communication to my secondary admin node and my PSN was green.  YAY.  I went to the deployment page and could access the configurations for the nodes.

    To be sure, I logged in to the secondary node using the NEW PASSWORD.  So, yes, not only does communication NOT break, the new password is pushed down to all nodes.

    Please rate useful messages and mark this question as answered if, in fact, this answers your question.  Otherwise, feel free to post additional questions.

    Charles Moreton

  • ISE 1.3 Distributed environment

    Hi all

    In a network with two main campuses and 10 remote offices, 3000 endpoints in total, to implement Cisco ISE 1.3 distributed, we want to buy 2 SNS-3415-K9 appliances for the Monitoring/Administration/Policy personas and 10 VMs for Policy Service nodes, but we found that in a distributed environment, for a pair of Inline Posture nodes, do we have to buy another two appliances or VMs for Inline Posture?

    Well, it has not been officially said by Cisco, but it has already been removed from working on the SNS-3495, so I would say that this isn't something that we should design a new ISE solution with.

    No, the secondary PAN/MnT will handle the same PSNs as the primary; you cannot split your PSNs between the PAN/MnT nodes.

    "You're telling me that if a remote office fails, I lose the PSN...?"

    Don't know what you're asking?

  • ISE 2.0 to 2.1 upgrade

    Hi Forum. I have 8 ISE nodes. This includes dedicated primary and secondary admin and monitoring nodes, and the rest are PSN nodes. I want to upgrade from 2.0 to 2.1. But I'm not sure how this is accomplished and in what order. Does anyone have experience upgrading from 2.0 to 2.1 with a distributed deployment?

    Hello

    To upgrade your deployment with as little downtime as possible, while keeping maximum resilience and the ability to roll back, the upgrade order should be as follows:

    1. Secondary Administration node (the primary Administration node at this point remains on the previous version and can be used for rollback if the upgrade fails).

    2. Primary Monitoring node

    3. Policy Service nodes

    At this point, check whether the upgrade was successful and also run network tests to ensure that the new deployment works as expected. See "Verify the Upgrade Process" for more information. If the upgrade was successful, continue to upgrade the following nodes:

    4. Secondary Monitoring node

    5. Primary Administration node

    Re-run the verification and network tests after you upgrade the primary Administration node.

    Please follow this reference guide:

    http://www.Cisco.com/c/en/us/TD/docs/security/ISE/2-1/upgrade_guide/b_is...

    Regards

    Gagan

    PS: rate if this can help!
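The five-step order in the answer above is given per persona, but upgrades are run per node, and in smaller deployments one box carries several personas. The following planner is an added example, not Cisco tooling: it turns the answer's order into a node-by-node plan. Hostnames and persona labels are invented; the rule that a multi-persona node is upgraded at the latest step any of its personas requires (so the node holding the primary Administration persona is always last, keeping the rollback anchor on the old version) and the checkpoint warning are assumptions made for this example.

```python
"""Added example (not Cisco's own tooling): turn the five-step upgrade order
from the answer into a per-node plan for a distributed ISE deployment.

Assumptions, not from the page: hostnames and persona labels are invented; a
node carrying several personas is upgraded at the latest step any of its
personas requires; nodes whose personas fall on both sides of the
verification checkpoint are flagged."""

# Step for each persona, as given in the answer: 1 secondary Administration,
# 2 primary Monitoring, 3 Policy Service, 4 secondary Monitoring,
# 5 primary Administration. Verification tests run after step 3.
STEP_FOR_PERSONA = {
    "secondary-admin": 1,
    "primary-mnt": 2,
    "psn": 3,
    "secondary-mnt": 4,
    "primary-admin": 5,
}
CHECKPOINT_AFTER_STEP = 3


def plan_upgrade(nodes):
    """nodes: {hostname: set of persona labels}.
    Returns (plan, warnings): plan is a list of (step, hostname) in upgrade
    order; warnings lists nodes whose personas straddle the checkpoint."""
    plan, warnings = [], []
    for host, personas in nodes.items():
        unknown = set(personas) - STEP_FOR_PERSONA.keys()
        if unknown:
            raise ValueError(f"{host}: unknown persona(s) {sorted(unknown)}")
        steps = {STEP_FOR_PERSONA[p] for p in personas}
        step = max(steps)  # wait for the most constrained persona on the box
        if min(steps) <= CHECKPOINT_AFTER_STEP < step:
            warnings.append(
                f"{host}: personas {sorted(personas)} span the verification "
                f"checkpoint; the whole node moves to step {step}, so its "
                f"pre-checkpoint persona(s) are not exercised by the tests"
            )
        plan.append((step, host))
    plan.sort()
    return plan, warnings


def phases(plan):
    """Split a plan into nodes upgraded before and after the verification tests."""
    before = [h for s, h in plan if s <= CHECKPOINT_AFTER_STEP]
    after = [h for s, h in plan if s > CHECKPOINT_AFTER_STEP]
    return before, after


# Constructed 8-node deployment like the one in the question: dedicated
# primary/secondary Administration and Monitoring nodes plus four PSNs.
EIGHT_NODE = {
    "pan1": {"primary-admin"},
    "pan2": {"secondary-admin"},
    "mnt1": {"primary-mnt"},
    "mnt2": {"secondary-mnt"},
    "psn1": {"psn"}, "psn2": {"psn"}, "psn3": {"psn"}, "psn4": {"psn"},
}

# Constructed 2-node deployment where each box carries one primary and one
# secondary persona; the five steps collapse to two node upgrades.
TWO_NODE = {
    "ise-a": {"primary-admin", "secondary-mnt"},
    "ise-b": {"secondary-admin", "primary-mnt"},
}

if __name__ == "__main__":
    for name, deployment in (("8-node", EIGHT_NODE), ("2-node", TWO_NODE)):
        plan, warnings = plan_upgrade(deployment)
        before, after = phases(plan)
        print(f"{name}: upgrade {before}, verify, then upgrade {after}")
        for w in warnings:
            print("  WARNING:", w)
```

A node that hosts the primary Administration persona together with, say, the primary Monitoring persona gets a warning: it cannot be upgraded at step 2 without giving up the rollback anchor, so the plan moves it to the end and tells you that the Monitoring side is not covered by the mid-upgrade verification.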

  • Restoration of ISE Cisco VM snapshot

    Hello

    We have a distributed deployment of ISE (1.3.0.876) in which a patch installation failed and made our PAN inaccessible. We have promoted our secondary to be the new primary and want to restore the snapshot on the 'old' PAN; my question is, how exactly does the snapshot restore affect the state of the admin nodes? Our secondary being the current primary, does it keep its role even after the old one is restored?

    Thank you

    Andrew

    Hello

    It will retain its old settings. Once you have restored the snapshot, you can reboot the appliance. It will pick up that there is already an active primary node and assume the secondary role.

    Kind regards

    Jason

  • ISE 1.4 - silent authentications

    Hello

    I have a distributed deployment of ISE 1.4 with all PSNs residing behind F5 NLB nodes. A RADIUS health probe has been configured to query each PSN in the network load balancing pool to check its status. The problem is that it creates 1444 authentication log entries an hour. The dashboard graph of successful authentications is now a meaningless solid block.

    Is there any way to tune these RADIUS probes? As with the syslog '~'.

    see you soon,

    SEB.

    I'm sure you can use the collection filter feature for this; go to Administration / Logging / Filters.

    There, you can add an entry, select NAS IP address with the address of the probe device, and then use the filter type "Passed".
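The reply above points at ISE's collection filter (NAS IP address plus "Filter Passed"). The script below is an added example, not ISE code, that shows the same idea on a small set of constructed records: how a load balancer's probe swamps the passed-authentication count, and what is left once passed authentications from the probe's NAS IP are dropped. The record format, hostnames, IP addresses and usernames are invented for the demo; real ISE syslog looks different.

```python
"""Added example, not ISE code: apply a collection-filter-style rule
(NAS IP address + Filter Passed / Failed / All) to constructed RADIUS
authentication records before counting them, as the reply suggests.

Assumptions, not from the page: record format, IPs, usernames and the probe
interval are invented for this demo."""
import re
from collections import Counter

# Constructed passed/failed authentication records (invented format).
# 10.0.0.5 is the load balancer probing each PSN; 10.1.1.x are real NADs.
SAMPLE_RECORDS = """\
2016-03-01T10:00:00 Passed-Authentication NAS-IP-Address=10.0.0.5 UserName=f5-probe Server=psn1
2016-03-01T10:00:00 Passed-Authentication NAS-IP-Address=10.0.0.5 UserName=f5-probe Server=psn2
2016-03-01T10:00:02 Passed-Authentication NAS-IP-Address=10.1.1.20 UserName=alice Server=psn1
2016-03-01T10:00:10 Passed-Authentication NAS-IP-Address=10.0.0.5 UserName=f5-probe Server=psn1
2016-03-01T10:00:10 Passed-Authentication NAS-IP-Address=10.0.0.5 UserName=f5-probe Server=psn2
2016-03-01T10:00:15 Failed-Attempt NAS-IP-Address=10.1.1.21 UserName=bob Server=psn2
2016-03-01T10:00:18 Passed-Authentication NAS-IP-Address=10.1.1.22 UserName=carol Server=psn2
2016-03-01T10:00:20 Passed-Authentication NAS-IP-Address=10.0.0.5 UserName=f5-probe Server=psn1
2016-03-01T10:00:20 Passed-Authentication NAS-IP-Address=10.0.0.5 UserName=f5-probe Server=psn2
2016-03-01T10:00:25 Failed-Attempt NAS-IP-Address=10.0.0.5 UserName=f5-probe Server=psn2
"""

RECORD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>Passed-Authentication|Failed-Attempt) "
    r"NAS-IP-Address=(?P<nas>\S+) UserName=(?P<user>\S+) Server=(?P<server>\S+)$"
)


def parse_records(text):
    """Parse the constructed records into dicts; malformed lines are skipped."""
    out = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            out.append(m.groupdict())
    return out


def apply_collection_filters(records, filters):
    """Drop records matching a filter. Each filter is {"nas": ip, "type": t}
    with t in {"passed", "failed", "all"}: "passed" suppresses only the
    probe's successful authentications, keeping its failures visible."""
    kept = []
    for r in records:
        drop = False
        for f in filters:
            if r["nas"] != f["nas"]:
                continue
            if f["type"] == "all":
                drop = True
            elif f["type"] == "passed" and r["event"] == "Passed-Authentication":
                drop = True
            elif f["type"] == "failed" and r["event"] == "Failed-Attempt":
                drop = True
        if not drop:
            kept.append(r)
    return kept


def summarize(records):
    """Count events per type, the way a dashboard widget would."""
    return Counter(r["event"] for r in records)


def probe_events_per_hour(psn_count, interval_seconds):
    """Load one health monitor generates: one authentication per PSN per interval."""
    return psn_count * 3600 // interval_seconds


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    print("raw:     ", dict(summarize(recs)))
    filtered = apply_collection_filters(recs, [{"nas": "10.0.0.5", "type": "passed"}])
    print("filtered:", dict(summarize(filtered)))
    # e.g. four PSNs probed every 10 s is 1440 events/hour, the order of magnitude in the post
    print("probe load/hour for 4 PSNs @10s:", probe_events_per_hour(4, 10))
```

Choosing "passed" rather than "all" for the probe's NAS IP is deliberate: a probe that starts failing is a real signal about PSN health and should still reach the monitoring node, while its successes are pure noise.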

  • Access to ISE's dashboard

    Hello

    I'm running a distributed deployment with multiple PSNs; MnT & Admin nodes are deployed. I was checking critical VLAN access and dead RADIUS server criteria, and a scenario of test cases for rebooting/turning off devices for a while, then turning them back on and checking the service. But after the devices came back I lost dashboard access; there is no GUI access even though I'm still able to access all devices through the CLI.

    Could you please help me identify the problem.

    Output below for reference.

    """"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""

    isea001 / admin # display application status ise

    ISE database listener is running, PID: 4947
    ISE database is running, process number: 29
    ISE Application Server process is not running.
    ISE Profiler DB is running, PID: 6173
    ISE M & T Session database is not running.
    ISE M & T Log Collector does not run.
    ISE M & T journal processor does not run.

    """""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""

    isem001 / admin # display application status ise

    ISE database listener is running, PID: 4952
    ISE database is running, process number: 23
    ISE Application Server process is not running.
    ISE Profiler DB is running, PID: 6131
    Database Session M & T ISE is running, PID: 4646
    ISE M & T Log Collector is running, PID: 6625
    ISE M & T journal processor does not run.

    """""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""

    isep001 / admin # display application status ise

    ISE database listener is running, PID: 4955
    ISE database is running, process number: 23
    ISE Application Server process is not running.
    ISE Profiler DB is running, PID: 6215
    ISE M & T Session database is not running.
    ISE M & T Log Collector does not run.
    ISE M & T journal processor does not run.

    """"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""

    isep002 / admin # display application status ise

    ISE database listener is running, PID: 4953
    ISE database is running, process number: 23
    ISE Application Server process is not running.
    ISE Profiler DB is running, PID: 6171
    ISE M & T Session database is not running.
    ISE M & T Log Collector does not run.
    ISE M & T journal processor does not run.

    """""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""

    Thank you for taking the time to come back and share the solution to the problem! (+5 from me). If you happen to have the bug ID, please share it as well!

    In addition, if your problem is resolved, you must mark the thread as "answered" :)
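The four status dumps in the question are the kind of output you want to triage mechanically across a deployment. The parser below is an added example, not Cisco tooling: it reads the blocks exactly as posted above (the wording is as posted, so both "is not running" and "does not run" are accepted), lists the services that are down per node, and answers the question actually asked, whether the Admin GUI can be expected to work. The mapping of hostnames to personas (isea/isem/isep read as admin/monitoring/policy service) is an assumption made for the demo and is not stated in the post.

```python
"""Added example, not Cisco tooling: parse the application status output
posted above for several nodes and report which services are down.

The four status blocks are copied from the post; the hostname-to-persona
mapping below is an assumption for this demo."""
import re

STATUS_OUTPUT = """\
isea001 / admin # display application status ise

ISE database listener is running, PID: 4947
ISE database is running, process number: 29
ISE Application Server process is not running.
ISE Profiler DB is running, PID: 6173
ISE M & T Session database is not running.
ISE M & T Log Collector does not run.
ISE M & T journal processor does not run.

isem001 / admin # display application status ise

ISE database listener is running, PID: 4952
ISE database is running, process number: 23
ISE Application Server process is not running.
ISE Profiler DB is running, PID: 6131
Database Session M & T ISE is running, PID: 4646
ISE M & T Log Collector is running, PID: 6625
ISE M & T journal processor does not run.

isep001 / admin # display application status ise

ISE database listener is running, PID: 4955
ISE database is running, process number: 23
ISE Application Server process is not running.
ISE Profiler DB is running, PID: 6215
ISE M & T Session database is not running.
ISE M & T Log Collector does not run.
ISE M & T journal processor does not run.

isep002 / admin # display application status ise

ISE database listener is running, PID: 4953
ISE database is running, process number: 23
ISE Application Server process is not running.
ISE Profiler DB is running, PID: 6171
ISE M & T Session database is not running.
ISE M & T Log Collector does not run.
ISE M & T journal processor does not run.
"""

# Prompt line that starts each node's block; accepts "show" as well as the
# posted "display" wording.
PROMPT_RE = re.compile(r"^(?P<host>\S+) / admin # (?:show|display) application status ise$")
# One service line; PID may be labelled "PID" or "process number" as posted.
SERVICE_RE = re.compile(
    r"^(?P<service>.+?) (?P<state>is running|is not running|does not run)"
    r"(?:, (?:PID|process number): (?P<pid>\d+))?\.?$"
)

# Assumed personas per hostname (not stated in the post).
PERSONAS = {"isea001": "admin", "isem001": "mnt", "isep001": "psn", "isep002": "psn"}

APP_SERVER = "ISE Application Server process"


def parse_status(text):
    """Return {hostname: {service: {"running": bool, "pid": int|None}}}."""
    nodes, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = PROMPT_RE.match(line)
        if m:
            current = m.group("host")
            nodes[current] = {}
            continue
        m = SERVICE_RE.match(line)
        if m and current is not None:
            running = m.group("state") == "is running"
            pid = int(m.group("pid")) if m.group("pid") else None
            nodes[current][m.group("service")] = {"running": running, "pid": pid}
    return nodes


def down_services(node_status):
    """Sorted names of the services reported as not running on one node."""
    return sorted(s for s, st in node_status.items() if not st["running"])


def gui_available(nodes, personas):
    """The Admin GUI is served by the Application Server on the Administration
    node; if that process is down on every admin node, no dashboard access is
    possible even though the CLI (a separate service) still answers."""
    admin_hosts = [h for h, p in personas.items() if p == "admin" and h in nodes]
    return any(nodes[h].get(APP_SERVER, {}).get("running", False) for h in admin_hosts)


if __name__ == "__main__":
    status = parse_status(STATUS_OUTPUT)
    for host, services in status.items():
        print(f"{host} ({PERSONAS.get(host, '?')}): down = {down_services(services)}")
    print("Admin GUI expected:", gui_available(status, PERSONAS))
```

Run against the posted output, every node reports the Application Server as not running, which is consistent with CLI access working while the GUI does not; the Monitoring node is the only one with its session database and log collector up.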

  • ISE solution design issues?

    Is it possible to configure ISE in the following way:

    3 locations: main campus, Site 1 (recovery site) & Site 2

    4 devices ISE.

    Main campus: 2 devices:

    Unit 1: PAN (P) + MnT (P) + PSN (just for backup, will be configured as the second RADIUS server on all NADs)

    Unit 2: PSN (will be configured as the first RADIUS server on the main campus NADs)

    Site 1 (DR site): 1 unit

    Unit 1: PAN (S) + PSN (the first RADIUS server for local NADs, third RADIUS server on all other NADs) + MnT (S)

    Site 2: 1 unit

    Unit 1: PSN (the first RADIUS server for local NADs)

    Due to some constraints, I'm not able to test this configuration in the lab, and looking at the documentation, although it is not mentioned specifically, theoretically it seems possible to implement ISE this way; comments or confirmation of support are much appreciated.

    Thanks for the info Maury. Overall, your design is OK for the number of endpoints you plan to run. Ideally, in a distributed deployment, you would have 2 x ISE servers for the Admin/M&T personas and then 2 x ISE servers for the Policy Service personas. You can also make one of the nodes the primary for Admin but the backup for M&T, and vice versa, for better load distribution. So in your situation, you might do:

    Site A:

    ISE Server #1 - primary Admin and secondary M&T

    ISE Server #2 - primary PSN for Site A and secondary PSN for Site B

    Site B:

    ISE Server #1 - secondary Admin and primary M&T

    ISE Server #2 - primary PSN for Site B and secondary PSN for Site A

    Again, you won't have that many concurrent endpoints, so you'll be OK going with the design you described. However, if you want to follow the Cisco design guide and future-proof your architecture, then I would follow my suggestion :)

    I hope this helps!

    Thank you for evaluating useful messages!

  • Upgrade to version 1.2 of ISE

    My company has ISE installed in a virtual machine; we have a plan to upgrade ISE from 1.1.1.268 to 1.2. But I've read through all the documentation, and it requires a VM upgrade from 32-bit to 64-bit.

    But I'm confused about the VM part. If my current 32-bit virtual machine is running 1.1.1.268, am I still able to use the "application upgrade" command to directly do the upgrade with "ise-upgradebundle-1.1.x-to-1.2.0.899.i386.tar.gz"? What about the VM portion? Would I have to manually change the virtual machine from 32-bit to 64-bit, or is it done automatically, as in the message below? Sorry, I don't have a VM guy and I'm not sure about this part.

     Generating Database statistics for optimization .... - Preparing database for 64 bit migration... % NOTICE: The appliance will reboot twice to upgrade software and ADE-OS to 64 bit. During this time progress of the upgrade is visible on console. It could take up to 30 minutes for this to complete. Rebooting to do Identity Service Engine upgrade...

    Should I be concerned about the license and certificate after the upgrade?

    I'm not a VM guy either, but if you follow the notes in the link, you should be fine. The tasks you mentioned are tasks that occur automatically when you perform the upgrade procedure. Once this process is complete, you will need to change the settings of the virtual machine. So if you have a single ISE node you will need to:

    1. run the upgrade process

    2. power off the virtual machine

    3. set in VMware:

    -OS type (required)

    -RAM (optional) - check the ISE hardware installation guide

    -CPU (optional) - check the ISE hardware installation guide

    4. power the virtual machine back on and try again

    If you have a distributed deployment, then you will need to follow the instructions for that.

    The document/link also answers your question about certificates and license files:

    The upgrade process preserves licenses and certificates. You don't have to reinstall or re-import them. Cisco ISE, Release 1.2, supports license files with two unique device identifiers (UDIs). You can request a new license with the UDIs of both the primary and secondary Administration nodes. See the Cisco Identity Services Engine Hardware Installation Guide for more details.

    Thank you for evaluating useful messages!

  • ISE - CA-signed and subordinate certificates

    Hello

    I have questions about the use of CA-signed certificates in a distributed deployment. I followed all the steps in the "TrustSec How-To Guide" between the ISE nodes and the root CA, but I don't understand how subordinate CAs come into the picture; what are all the certificates that I should get or put between the subordinate CAs and the ISE nodes?

    I need to understand what the purpose of using certificates is here. If you are using certificates for deployment purposes, then what you need to know is which certificates you need.

    The primary Admin node must approve the secondary node certificates before they can be added to the primary Admin node. If you are using CA-signed certificates, then just the root CA must be uploaded to the primary Admin node. If self-signed certificates are used, then each secondary node's certificate needs to be uploaded to the Trusted Root Certification Authorities store on the primary Admin node. The primary node's identity certificate must also be added to the secondary node's certificate store.

    If you're using certificates for a wireless deployment only and you want the endpoints to validate the server certificate, then I would install the root CA and subordinate CA certificates on the ISE and also on the endpoints.

    Your subordinate certification authority would be MySUBCA here in the chain:

    MyROOTCA --signed--> MySUBCA --signed--> MyIdentityCert

    Jatin kone

    -Rate useful posts-
