Cisco ISE Distributed environment question

Hi everyone,
We want to deploy the ISE nodes as primary/secondary for high availability.
One node is in Europe and the other node is in America.
Does any restriction exist about the distance or time to synchronize between them?
Of course, the timezone for each node will be different (GMT -8 and GMT +1, for example).
I was reading how to implement it, but it didn't show any information about this.
Regards,

Hi James,
Sorry for answering a little late. I did not have the information from the client before.
The connection between the two sites is an international MPLS (no Internet from our perspective). This is the information:
BW: 2 Mbps
Delay: 200 ms
I set up the 2 ISE nodes this way:
Node in Europe (we will call it NodeA):
- Administration (PAN) Primary
- Monitoring (MNT)
- Policy (PSN)
- NTP Server: public NTP server 130.206.3.166
- Timezone: UTC
- CA Certificate: Self-Certificate_from_ise_node_America
Node in America (we will call it NodeB):
- Administration (PAN) Secondary
- NTP Server: public NTP server 130.206.3.166 (the same NTP server)
- Timezone: EST
NodeB was registered from NodeA using its DNS name, with no problem (so I assumed that the certificate, credentials and DNS resolve correctly).
After waiting a couple of hours, NodeB, viewed from NodeA in the section Administration > System > Deployment, shows the state OUT OF SYNC.
When I tried to sync manually, NodeA showed the following message:
Internal Error: Server returned HTTP Response Code: 500 for URL: https://NodeB/deployment-rpc/cert
Expiry status
And it happened every time I tried to sync.
NodeB cannot be accessed correctly through the web page after its registration. It shows the portal page, but whether you use a correct or an incorrect user, after you click Login it returns a white page with no information.
The solution of using the same timezone
I will put into practice, setting both nodes to UTC.
If you guys have other ideas, it would be appreciated.
Thanks,

Similar Messages

  • ISE distributed environment and snmp monitoring

- I wonder whether there are any specific MIBs dealing with or supporting node statuses in a distributed ISE
    environment. I would like to be able to query the replication status of a node using an SNMP MIB variable.
    Is this possible?
    M.

Not sure, because I didn't find any MIB for this purpose. I have also checked in ISE 1.2 and the result was the same. You can also check this link.
    http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_mib.html

  • CIsco ISE - HP Openview monitoring.

    Hi guys,
    I have a doubt about monitoring Cisco ISE services in the network.
We can send alarm notifications to multiple e-mails, but my doubt is whether I can monitor ISE services with network monitoring software like HP OpenView.
    I didn't find any documentation about it yet.
    Does someone know if I can do this?

    Hi Tarik, How are you?
The doubt is.... my customer has ISE in VMware and he needs to monitor availability for Cisco ISE. The question is: how can I do that? I didn't find any document stating whether I can send SNMP traps or something like that to a monitoring server.
    About "link down" and "link up", he can monitor the ESX VMware appliance, right?
    Is there something that I can do with Cisco ISE? I need to give an answer to my client on whether Cisco ISE can support this kind of configuration.
    Thanks for your help.

  • Need Step by step installation guide for Cisco ISE in distributed environment.

Hi Friends,
    If anyone has a step by step installation guide for Cisco ISE in a distributed environment, please share!
    I have the user guide from Cisco, but has someone created one at the time of actual installation?
    Thanks,
    Sachin

There is a TrustSec 2.1 how-to guide on Cisco's website. There is also a TrustSec 2.0 ISE guide floating around that has step by step instructions for setting up ISE 1.0.4, which is still pretty accurate for the 1.1.1 guide. But if you go through the site below it should give you all the info you need.
    http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html

  • ISE Configuration in Distributed Environment

Hi All,
    I have quick questions about ISE deployment in a distributed environment, as I have purchased 2 x Cisco ISE 3395 for the data center and 3 x Cisco ISE 3355 for remote locations, with 3500 Base licences and 500 Advanced licences.
    I have some questions on this deployment.
    I will install one 3395 in the primary data center and the other 3395 in our secondary data center as Primary Admin + Primary Monitoring and Secondary Admin + Secondary Monitoring,
    and each 3355 will get installed in a remote location as a policy server. My question is: will this be a correct deployment?
    Or, while configuring the 3395s, do I need to configure a policy server as well in addition to Primary Admin and Monitoring?
    Or please suggest the best deployment strategy!
    Thanks,
    Sachin

Thanks for the reply,
    All three sites are connected via MPLS with 100 MB redundant bandwidth.
    We have 2 data centers, one primary and the other secondary, and all client locations are connected with 100 Meg links, where I am planning to install the 3355s, which will act as authentication servers.
    But now my question is:
    3395 - Primary Admin + Primary Monitoring - Primary DC
    3395 - Secondary Admin + Secondary Monitoring - Secondary DC
    3355 - let's say one remote location (PSN)
    3355 - second remote location (PSN)
    3355 - third remote location (PSN)
    thanks,
    Sachin

  • I want to integrate SMS gateway to Cisco ISE 1.2 and my question is SMS notifications are supported for Guest self−registration

I want to integrate an SMS gateway with Cisco ISE 1.2, and my question is:
    are SMS notifications supported for Guest self-registration services, or should it be done by the Sponsor?

    I'm not sure I understand the question.  Do you want to log in to the Sponsor Portal using AD credentials?
    Create an Identity Source Sequence using AD as an Authentication Source.  Go to Administration > Identity Management > Identity Source Sequences.  Either Edit or +Add a Sequence and choose from the Authentication Sources shown.
    Then choose that Identity Source Sequence by going to Administration > Web Portal Management > Settings.  Double-click Sponsor from the Left Menu and click Authentication Source.  Choose the Identity Source Sequence.  Click Save.
    I hope this helps.
    Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
    Charles Moreton

  • Question about Databases on a distributed environment...

    Hi,
I have a quick question. We have production in a distributed environment as follows:
    (a) SQL server, EPMA, and Calc Manager
    (b) Workspace, and Shared Services
    (c) Essbase
    (d) Planning
Now we have multiple databases, one for each Hyperion service, i.e.
    (1) HSS (using for hyperion shared service)
    (2) BIPLUS (Using for workspace)
    (3) AAS (Using for Essbase Administrator Services)
    (4) CALCMGR (Using for calculation manager)
    (5) EPMA (Using for EPMA)
    (6) ERPI (Using for ERP Integrator)
    (7) PLANSYS (Using for Planning)
Now, my question is.... is it necessary that we have multiple databases in a distributed environment, or can we have one database for everything? What is the main objective of creating a database for each application?
    Please share your best knowledge and give me the positives and negatives of multiple databases versus a single database for Hyperion...
    Thanks to all...
    Safi

    I am going to be lazy and copy an extract from the install doc
    For simplicity and ease of deployment, you can use one database repository for all products (with the exceptions noted below). When you configure multiple products at one time using EPM System Configurator, one database is configured for all selected products.
    Caution!
    To use a different database for each product, perform the “Configure Database” task separately for each product. In some cases you might want to configure separate databases for products. Consider performance, rollback procedures for a single application or product, and disaster recovery plans.
    The following products and product components require unique databases:
    Performance Management Architect interface data source
    Extended Analytics for Financial Management and Extended Analytics for Strategic Finance
    Planning – Each Planning application should have its own repository.
    Performance Scorecard
    FDM – Use an Oracle Database instance exclusively for FDM.
    Data Relationship Management.
    Cheers
    John
    http://john-goodwin.blogspot.com/

  • Cisco ISE & NAC Agent in a Vmware View VDI Environment

    Hi,
Has anyone deployed the Cisco ISE NAC agent in a VMware View virtual desktop environment (VDI)?

    There are no known issues regarding VMWare view that would cause this.
    For AV see -> http://www.novell.com/support/kb/doc.php?id=7007545
I find ProcMon from Sysinternals useful to see if other processes such as
    AV are hitting those files unexpectedly. A few times I have seen AV
    Exclusions not quite working as expected until tweaked.
    The ZMD-Messages.log may show if the agent is doing something....
    On 9/30/2014 9:36 PM, harrymsg wrote:
    >
    > We have been running 11.2.4 in our View VDI environment and overall been
    > very successful. We just rolled Win 7 and are seeing approx. 10% of the
    > VMs with the zenworkswindowsservice.exe running steadily around 50% for
    > hours. Any thoughts? One thing I just set to try was excluding that
    > from Microsoft FEP AV. Anything other thoughts to resolve? Thanks.
    >
    >
    Going to Brainshare 2014?
    http://www.brainshare.com
    Use Registration Code "nvlcwilson" for $300 off!
    Craig Wilson - MCNE, MCSE, CCNA
    Novell Technical Support Engineer
    Novell does not officially monitor these forums.
    Suggestions/Opinions/Statements made by me are solely my own.
    These thoughts may not be shared by either Novell or any rational human.

  • Cisco ISE 1.2 MDM Integration Question

    I have a working Cisco ISE 1.2.1 install which I've performed the integration to our MobileIron server. The "integration test" reports that the integration is good, but whenever ISE verifies MDM compliance, registration, etc.. with MobileIron when a mobile device connects it always reports that all statuses are good even if they aren't.
    My test phone is out of compliance on Mobileiron because of an unapproved app, but when the phone connects ISE believes the MDM compliance status is good. I'm not sure if it isn't really checking with MDM or if the Mobileiron server is reporting erroneous results.
I also saw in a video that the phone has to be registered with MobileIron through ISE. Is this correct? I don't plan to on-board devices with MobileIron through ISE; it will be done directly through MobileIron (not connected to the Wi-Fi network).
    I only want ISE to check the compliance status of the device against MobileIron and quarantine if it isn't compliant or MDM registered.
    Any help would be appreciated

    Saurav and others,
Unfortunately, on-boarding sets some attribute fields on the endpoints that will then allow them to participate in a policy. It is nice that we all have MDM integration working, but we almost need another class of on-boarding for corporate devices that are already in the MDM of choice (where we prefer to manage them!)
    There is a little-documented feature in ISE.
    It appears to me that the on-boarding turns on the following states for the endpoint:
    - BYODRegistration: No (becomes Yes)
    - DeviceRegistrationStatus: NotRegistered (becomes Registered)
    (The device is actually registered in MobileIron; this means "did ISE register with MI".)
    No MI attributes will work without this magic. TAC engineers I have dealt with don't seem to understand this feature.
    This is definitely an enhancement that is needed.

  • Cisco ise 1.2 install certificates for ise cluster question

Hello all, I have an ISE cluster of 4 devices: 1 primary admin/secondary monitor, 1 secondary admin/primary admin and 2 policy nodes.
    I need to install public CA certs on them. Can I generate 1 CSR on one of the nodes that includes a SAN with the DNS names of all the nodes,
    therefore get only 1 cert from the CA, and export and import the same cert into all the other nodes?
    Or do I have to generate 1 CSR for each node and purchase 4 certs? Wildcard certs are not an option. Thanks,

    ISE allows you to install a certificate with multiple Subject Alternative Name (SAN) fields. A browser reaching the ISE using any of the listed SAN names will accept the certificate without any error as long as it trusts the CA that signed the certificate.
    The CSR for such a certificate cannot be generated from the ISE GUI. http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-software/113675-ise-binds-multi-names-00.html
    Cisco ISE checks for a matching subject name as follows:
    1. Cisco ISE looks at the subject alternative name (SAN) extension of the certificate. If the SAN contains one or more DNS names, then one of the DNS names must match the FQDN of the Cisco ISE node. If a wildcard certificate is used, then the wildcard domain name must match the domain in the Cisco ISE node's FQDN.
    2. If there are no DNS names in the SAN, or if the SAN is missing entirely, then the Common Name (CN) in the Subject field of the certificate or the wildcard domain in the Subject field of the certificate must match the FQDN of the node.
    3. If no match is found, the certificate is rejected.
    Regards,
    Jatin Katyal
    *Do rate helpful posts*
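The three matching steps in the answer above, implemented as an added example (not Cisco's code) so the single multi-SAN certificate the question proposes can be checked against every node name before it is imported. It works on already-extracted name fields rather than parsing X.509, and all node names are constructed placeholders.

```python
"""
Subject-name matching rules that Cisco ISE applies to a node certificate, as
stated in the thread: SAN DNS names are checked first; the Subject CN is only
consulted when the SAN has no DNS names or is absent; otherwise reject.
Added illustration, not Cisco's implementation. Node names are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class CertNames:
    """Name fields of a certificate as relevant to the check."""
    subject_cn: Optional[str]                          # Subject CN, None if absent
    san_dns: List[str] = field(default_factory=list)   # dNSName entries of the SAN
    has_san: bool = False                              # whether a SAN extension exists


def _name_matches(pattern: str, fqdn: str) -> bool:
    """Match one certificate name against a node FQDN.

    A plain name must equal the FQDN (DNS names are case-insensitive).
    A wildcard name such as '*.example.test' matches only when the FQDN's
    domain part (everything after the first label) equals the wildcard domain,
    so 'host.sub.example.test' is not matched by '*.example.test'.
    """
    pattern = pattern.lower().rstrip(".")
    fqdn = fqdn.lower().rstrip(".")
    if pattern.startswith("*."):
        host, sep, domain = fqdn.partition(".")
        return bool(sep) and host != "" and domain == pattern[2:]
    return pattern == fqdn


def ise_subject_name_matches(cert: CertNames, node_fqdn: str) -> str:
    """Return the rule that accepted the certificate ('san' or 'cn'), else 'rejected'."""
    # Step 1: a SAN with DNS names is authoritative; the CN is not consulted.
    if cert.has_san and cert.san_dns:
        if any(_name_matches(name, node_fqdn) for name in cert.san_dns):
            return "san"
        return "rejected"
    # Step 2: no SAN, or a SAN without DNS names: fall back to the Subject CN.
    if cert.subject_cn and _name_matches(cert.subject_cn, node_fqdn):
        return "cn"
    # Step 3: nothing matched.
    return "rejected"


def check_shared_cert(cert: CertNames, node_fqdns: List[str]) -> Dict[str, str]:
    """Evaluate one certificate against every node it would be imported on."""
    return {fqdn: ise_subject_name_matches(cert, fqdn) for fqdn in node_fqdns}


if __name__ == "__main__":
    # Constructed four-node deployment matching the question's layout.
    nodes = ["ise-pan1.example.test", "ise-pan2.example.test",
             "ise-psn1.example.test", "ise-psn2.example.test"]
    # One CSR generated on ise-pan1 with every node name in the SAN: accepted everywhere.
    shared = CertNames("ise-pan1.example.test", san_dns=nodes, has_san=True)
    print(check_shared_cert(shared, nodes))
    # Same CN, but the SAN omits ise-pan1 itself: by rule 1 it is rejected on ise-pan1,
    # because a SAN containing DNS names suppresses the CN fallback.
    partial = CertNames("ise-pan1.example.test", san_dns=nodes[1:], has_san=True)
    print(check_shared_cert(partial, nodes))
```

The second run shows the practical caveat: when a SAN lists DNS names, the CN of the node that generated the CSR must itself appear in the SAN.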

  • Cisco ISE and SecurID Integration Questions

    I'm looking for some clarity trying to understand something conceptually. I want to integrate Cisco ISE with RSA SecurID, the idea being that if the user authenticates with RSA SecurID they end up on one VLAN, however, if they don't authenticate with (or don't use, or don't have) SecurID they'll end up on another VLAN. Note that I'm not using SecurID for wireless access...all PCs are wired to Ethernet.
    We have been using RSA SecurID for a while and are currently on version 8.0. Our users are authenticating via the RSA Agent typically on Windows 8.1. Instead of the usual Windows login prompt, the RSA Agent first prompts for the username and passcode (they use an app on their smartphones to get the passcode), then after a moment or two, it prompts for their Windows domain password.
    We have recently installed Cisco ISE version 1.3. With the help of a local Cisco engineer and going through the "Cisco Identity Services Engine User Guide", I have it set up and running along with a few 'test' ports on our Cisco 6809 switch, it basically works...as a test it's simply set up that if they authenticate they're on one VLAN, if not, they end up on another (this is currently without using RSA...just out-of-the-box Windows authentication).
    The Cisco engineer was unable to help me with RSA SecurID, so pressing on without him, out of the same user guide I have followed the directions for "RSA Identity Sources" under the "Managing Users and External Identity Sources", and that went well as far as ISE is concerned; I am now ready to get serious about getting ISE and SecurID working together.
    My mistake in this design so far was assuming that the RSA agent on the Windows client PCs would communicate with Cisco ISE...there doesn't seem to be a way to have them point to a non-RSA SecurID server for authentication. The concept I'm missing is what, or how, the end-user machine is supposed to authenticate taking advantage of both ISE and SecurID.
I have dug deeper into the Cisco ISE documentation, but it seems heavily biased towards Wi-Fi and BYOD implementations and it's not clear to me what applies to wired vs wireless. Perhaps it's a case of me not seeing the forest for the trees, but I'm not understanding what the end-user authentication looks like. It appears that as I learn more about ISE, it should become the primary SSO source, that SecurID becomes just an identity source and the PC clients would no longer directly communicate with the SecurID servers. That being the case, do I need to replace the SecurID client on the PCs, and does something else Cisco-ish fill this role? An agent for ISE? How do they continue to use their passcode without the RSA agent?
    Thanks!

    The external db not operation indicates that there is no communication between ACS and RSA. Did you fetch the package.cab file to analyse the auth.log file?
    Have you already gone through the below listed link?
    http://www.security-solutions.co.za/cisco-CSACS-1113-SE-4.2-RSA-Authentication-Manager-Integration-Configuration-Example.html
    Regards,
    Jatin Katyal
    - Do rate helpful posts -

  • Cisco ISE in Apple Mac Environment

    Hi,
One of our clients needs to implement BYOD in their network. They are using Mac servers and clients. The requirement is to authenticate (wireless) users against the Mac directory server in order to provide access to resources. I am trying to figure out whether Cisco ISE can perform LDAP authentication with a Mac server. As per this document, Mac server is not a supported external identity source/LDAP server. Currently they are providing access to users by adding MAC addresses to the WLC manually, which is not practical now due to the increase in the number of end devices and the limit on MAC addresses supported by the WLC (2048).
    Is it possible to implement this? Has anyone come across a similar scenario?
    Thanks,
    John

    The Cisco Identity Services Engine (Cisco ISE) integrates with external identity sources to validate credentials in user authentication functions, and to retrieve group information and other attributes that are associated with the user for use in authorization policies. You must configure the external identity source that contains your user information in Cisco ISE. External identity sources also include certificate information for the Cisco ISE server and certificate authentication profiles.
    Both internal and external identity sources can be used as the authentication source for sponsor authentication and also for authentication of remote guest users.
    Table 5-1 lists the identity sources and the protocols that they support.
Table 5-1 Protocol Versus Database Support

    Protocol (Authentication Type)                          | Internal Database | Active Directory | LDAP | RADIUS Token Server or RSA
    EAP-GTC, PAP (plain text password)                      | Yes               | Yes              | Yes  | Yes
    MS-CHAP password hash: MS-CHAPv1/v2, EAP-MSCHAPv2, LEAP | Yes               | Yes              | No   | No
    EAP-MD5, CHAP                                           | Yes               | No               | No   | No
    EAP-TLS, PEAP-TLS (certificate retrieval)               | No                | Yes              | Yes  | No

    Note: For TLS authentications (EAP-TLS and PEAP-TLS), identity sources are not required, but are optional and can be added for authorization policy conditions.

    Abbreviations used in the table:
    - LDAP = Lightweight Directory Access Protocol
    - EAP-GTC = Extensible Authentication Protocol-Generic Token Card
    - PAP = Password Authentication Protocol
    - MS-CHAP = Microsoft Challenge Handshake Authentication Protocol
    - MS-CHAPv1/v2 = Microsoft Challenge Handshake Authentication Protocol Version 1/Version 2
    - EAP-MSCHAPv2 = Extensible Authentication Protocol-Microsoft Challenge Handshake Authentication Protocol Version 2
    - LEAP = Lightweight Extensible Authentication Protocol
    - EAP-MD5 = Extensible Authentication Protocol-Message Digest 5
    - CHAP = Challenge-Handshake Authentication Protocol
    - EAP-TLS = Extensible Authentication Protocol-Transport Layer Security
    - PEAP-TLS = Protected Extensible Authentication Protocol-Transport Layer Security
And for the WLC, check the link: www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/91901-mac-filters-wlcs-config.html#backinfo

  • Cisco ISE multiple EAP authentication methods question

With Cisco ISE, can you have various clients each using different EAP methods, such as PEAP for Windows machines, MD5 for legacy and TLS for others?
    My current efforts seem to fail, as if a device gets a request from ISE for an EAP method it doesn't understand, it just times out.
    Thanks in advance.

Multiple EAP methods work fine. If your clients are being crap, you could try forcing them to use a specific set of Allowed Authentication Methods by creating more specific authentication rules.
    Sent from Cisco Technical Support iPad App

  • Question about Cisco ISE

Good morning. We want to separate the access privileges of staff and students while using the same SSID. Currently, we are using FreeRADIUS linked with Active Directory. If we want to purchase Cisco ISE, could you please tell us what kind of license we should buy (Base, Advanced 5-year, or Wireless 5-year)? We have more than 50,000 staff and students, and the maximum number of simultaneous users is around 9,000 now. We noticed that the wireless license is quite expensive and has to be renewed every 5 years (for 10,000 licenses, it costs almost $200,000)! In our short-term plan we do not need BYOD; is the Base license enough for our situation? If possible, could you please briefly introduce how ISE works for our requirement?
    Thank you, and have a nice day.
    Yours,
    Linchuan Yang
    Concordia University

    Hello Linchuan,
    Wireless
    Capabilities: Basic network access, guest access, profiler, posture, and SGA
    Network deployment support: Wireless
    License prerequisite: None
    Term license: 3- and 5-year terms
    Licenses are available for 100, 250, 500, 1000, 1500, 2500, 3500, 5000, 10,000, 25,000, 50,000, and 100,000 endpoints
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11637/ps11195/qa_c67-658591.html
PS: If I were you, BYOD would be something to consider in the near future.

  • Need suggestion for ISE distributed deployment model in two different data centers along with public certificate for HTTPS

    Hi Experts,
I am a bit confused about the ISE distributed deployment model.
    I have two data centers, one is the DC and the other one is the DR. I have a requirement for a guest access service implementation using CWA, and to get a public certificate for HTTPS to avoid certificate errors on client devices:
    How do I deploy the ISE personas for HA in these two data centers?
    After reading the Cisco doc, I understood that we can have two PANs (Primary in DC and Secondary in DR), and likewise for MnT (Monitoring will be the same as PAN); however, I can have 5 PSNs running in the secondary, i.e. in the DR ISE. However, I have confusion about HA for PSN: since we have all PSNs in the secondary, it would not work for HA if it fails.
    Can anybody suggest the best deployment solution for this scenario?
    Another doubt about the public certificate:
    Public certificate: the ISE domain must be a registered domain name, or part of a registered domain name, on the Internet. For that I need the domain name being used by the customer.
    Please do correct me if I am wrong in my understanding of the certificate:
    Since guests will be outside users, we cannot use a certificate from the internal CA; we need to get the certificate from a service provider and install the same in both ISE servers.
    Can anybody explain the procedure to obtain the public certificate for HTTPS from a service provider? And how do I install it in both ISE servers?

    Hi there. Let me try answering your questions:
    PSN HA: The PSNs are not configured as "primary" or "secondary" inside your ISE deployment. They are just PSN nodes as far as ISE is concerned. Instead, inside your NADs (In your case WLCs) you can specify which PSN is primary, which one is secondary, etc. You can accomplish this by:
    1. Defining all PSN nodes as AAA radius servers inside the WLC
    2. Then under the SSID > AAA Servers Tab, you can list the AAA servers in the order that you prefer. As a result, the WLC will always use the first server listed until that server fails/gets reloaded, etc. 
    3. As a result, you can have one WLC or SSID prefer PSN server A (located in primary DC) while a second WLC or SSID prefer PSN server B (located in backup DC)
Last but not least, you could also place PSNs behind a load balancer and that way the traffic would be equally distributed between multiple PSNs. However, the PSN nodes must be Layer 2 adjacent, which is probably not the case if they are located in two different data centers.
    Certificates: Yes, you would want to get a public certificate to service the guest portal. Getting a public/well known certificate would ensure that most devices out there would trust the CA that signed your ISE certificate. For instance, VeriSign, GoDaddy, Entrust are some of the ones out there that would work just fine. On the other hand, if you use a certificate that was signed by your internal CA, then things would be fine for your internal endpoints that trust your internal CA but for any outsiders (Guests, contractors, etc) that do not trust and do not know who your internal CA is would get a certificate error when being redirected to the ISE guest portal. This in general is only a "cosmetic" issue and if the users click "continue" and add your CA as a trusted authority, the guest page would load and the session would work. However, most users out there would not feel safe to proceed and you will most likely get a lot of calls to your helpdesk :)
    I hope this helps!
    Thank you for rating helpful posts!
