Cisco ISE migration from VM to SNS 3415 Appliance

Similar Messages

• Migrating from Windows to the ACS appliance

  I'm in the process of migrating ACS from Windows to an appliance. I did a recovery and I chose to restore the DBs and the system config. However, I'm getting emails from the appliance with the name of the old windows machine where ACS was running. I guess this a result of restoring the system config. Does anyone know how to configure the emails to be sent with the current appliance name? And it is not possible, how can I restore the appliance to factory defaults so I can do the recovery again only for the DBs? Many thanks,

  well ... the easy way out is to re-image the ACS appliance and then replicate between the Windows server and the appliance . This will replicate all your settings from the windows ACS to appliance except the external database configuration that you need to manually configure.
  Note : for replication both the ACS for windows and the appliance should be on the same version .

• Posture setup in Cisco ISE

  Dears
  I am trying to configure the posture for the ISE but the result is always " Posture status : pending " and the agent can access all network resources without any problem .
  please help

  Please review the below steps:
  Step 1 Choose Administration > System > Deployment >  Deployment.
  The Deployment navigation menu appears. Use the  Table view or the List view button to display the
  nodes in your deployment.
  Step 2 Click the Table view.
  Step 3 Click the quick picker (right arrow)  icon to view the nodes that are registered in your deployment.
  The Table view displays all the nodes that are  registered in a row format in the Deployment Nodes page.
  The Deployment Nodes page displays the Cisco ISE  nodes that you have registered along with their
  names, personas, roles, and the replication status  for the secondary nodes in your deployment.
  Step 4 Choose a Cisco ISE node from the  Deployment Nodes page.
  Note If you have more than one node that is  registered in a distributed deployment, all the nodes that
  you have registered appear in the Deployment Nodes  page, apart from the primary node. You
  have the option to configure each node as a Cisco  Cisco ISE node (Administration, Policy
  Service, and Monitoring personas) or an Inline  Posture node.
  Step 5 Click Edit.
  The Edit Node page appears. This page contains the  General settings tab that is used to configure the
  Cisco ISE deployment. This page also features the  Profiling Configuration tab, which is used to
  configure the probes on each node.
  Note If you have the Policy Service persona  disabled, or if enabled but the Enable Profiler services
  option is not selected, then the Cisco ISE  administrator user interface does not display the
  Profiling Configuration tab. If you have the Policy  Service persona disabled on any Cisco ISE
  node, Cisco ISE displays only the General settings  tab. It does not display the Profiling
  Configuration tab that prevents you from  configuring the probes on the node.
  Step 6 On the General settings tab, check  the Policy Service check box, if it is already active.
  If the Policy Service check box is unchecked, both  the session services and the Profiler service check
  boxes are disabled.
  Step 7 For the Policy Service persona to run  the Network Access, Posture, Guest, and Client Provisioning
  session services, check the Enable Session Services  check box, if it is not already active. To stop the
  session services, uncheck the Enable Session  Services check box.
  The posture service only runs on Cisco Cisco ISE  nodes that assume the Policy Service persona
  and does not run on Cisco Cisco ISE nodes that  assume the administration and monitoring
  personas in a distributed deployment.
  Step 8 Click Save to save the node  configuration.

• Is there a trial version of cisco ISE

  Is there a trial version of cisco ISE? I need to upgrade my knowledge from ACS to ISE and I am finding it difficult to find source material.
  Thanks
  Mark

  Q. Does the Identity Services Engine include an evaluation license?
  A. Yes. The Identity Services Engine includes a free 90-day evaluation license that can support up to 100 devices. The evaluation license supports Identity Services Engine Base and Advanced software packages.
  Q. Why isn’t there an evaluation license that includes the Plus software package?
  A. We want to make sure that prospective customers have an opportunity to explore all the ISE capabilities during an evaluation period. Moreover, with Plus being a subset of Advanced, there is no need to have a different evaluation license.
  Obtaining a Cisco ISE License from Cisco.com

• ISE 1.2 SNS-3415 NIC Bonding / Teaming

  Hello,
  I have installed the SNS-3415 with ISE 1.2 and i'm trying to setup redundnacy (Team) nic modes for the authentication requests and not for management purpose.
  The tests showed that when the one interface was unpluged everything was lost and nobody from our internal users was able to authenticated by the ISE node.
  In contrast when i was unpluged the " second interface " (probably the inactive ) nothing was happened which shows that is a useless  interface
  My purpose is to connect it to my twins core switches and have a full high availability deployment.
  - I have search enough on the WEB but i didn't found any clear and precisely document of saying how this could be achieved.
  http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-4/installation/guide/csacs_book/csacs_hw_ins_ucs.html#wp1185589
  Themis

  ISE 1.2 does not support NIC teaming.  Especially on appliances.  There is a workaround for VM using the ESXi host to team the NICs so that it is transparent to the VM.
  Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
  Charles Moreton

• Cisco sns-3415 configuration

  Hi Team
  we brought new Cisco sns-3415 ACS configuration somebody please help to configure this on first time. I am simply first time on this device so I look forward first level configuration guide. find below the configuration details.
  SNS-3415-K9
  Small Secure Network Server for ISE  NAC  & ACS Applications
  CON-SNT-SNS3415
  SMARTNET 8X5XNBD Small Secure Network
  CSACS-3415-K9
  ACS application & BASE license for SNS-3415-K9 appliance
  CSACS-5-BASE-LIC
  Cisco Secure ACS 5 Base License
  CSACS-ACCYKIT
  Accessory Kit for Access Control System SW on 3415-appliance
  SFS-250V-10A-ID
  SFS Power Cord - 250V 10A  India
  SNS-4GBSR-1X041RY
  4GB 1600 Mhz Memory Module
  SNS-600GB-HDD
  600 GB Hard Disk Drive
  SNS-650W-PSU
  650W power supply for C-series rack servers + cord (configur
  SNS-CPU-2609-E5
  2.4 GHz E5-2609/80W 4C/10MB Cache/DDR3 1600MHz
  SNS-N2XX-ABPCI01
  Broadcom 5709 Dual Port 10/100/1Gb NIC w/TOE iSCSI
  SNS-RAID-ROM5
  Embedded SW RAID 0/1/10 8 ports SAS/SATA
  SNS-UCS-TPM
  Trusted Platform Module for UCS servers
  Thanks
  Sreejesh S

  check Cisco how to guides for step by step configuration just follow the instruction and you can easily  configure the setup also when you first open the ISE there is an option for express setup (Auto config) but i would suggest for the guide (link given below)
  https://www.cisco.com/en/go/trustsec.
  **********Do rate Helpful posts************************

• ISE SNS-3415-K9 License Issue

   Hi All,
  We are planning to take ISE SNS-3415-K9 appliance for 2500 wireless end points.
  Can you please guide me how to take license?  Base lances are really required for wireless end points??
  Your early response will be highly appreciated.
  Regards,
  Satish.

  If you are purchasing Wireless license then Base license is not required, it would support the below services
  Device onboarding/provisioning
  AAA
  Guest provisioning
  Link encryption policies
  Device profiling and feed service
  Host posture
  Cisco Security Group Access
  Integrated vendor MDM support
  Refer : http://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/guide_c07-656177.html

• How To Migrate Cisco Clean Access to Cisco ISE

  We have a Cisco Clean Access 3.6.3 (3140 Appliance) in which we would love to migrate to Cisco ISE 1.1 (3315 Appliance).  Does anyone have an idea on how to do this?
  I was wondering if I need to upgrade the a later version of Cisco Clean Access and them back it up the CCA.  Backup the CCA and then restore/import the backup to the ISE.
  Any help will be greatly appreciated?
  Thanks.

  Hi Mate,
  Refer to below instructions for hosting licenses on ISRs:
  http://www.cisco.com/c/en/us/products/collateral/cloud-systems-management/software-activation-on-integrated-services-routers-isr/white_paper_c11_556985.html#wp9001047
  Rehosting a License
  Prerequisites:
  • Valid Cisco.com account (username/password)
  • Retrieve Product Id and Serial Number with either the IOS "show license udi" command or label tray from both the source and destination devices.
  • Retrieve Source Device Credentials by issue the following IOS commands in exec mode:
  – license save credential flash0:CredentialFileName
  – more flash0:CredentialFileName
  • The source device has rehostable licenses.
  Rehosting a License with Cisco's Licensing Portal
  This process can be used when the source and the destination device cannot communicate directly with Cisco licensing portal
  Summary Steps:
  1. Obtain UDI and device credentials from the source and destination devices using IOS CLI commands
  2. Contact the Product License Registration page on Cisco.com and enter the source Device Credentials and UDI into the license transfer portal tool.
  3. The portal will display licenses that can be transferred from the source device.
  4. Select the licenses that need to be transferred. A permission ticked is issued. You can use this permission ticket to start the rehost process using Cisco IOS c  for any further help.ommands.
  5. Apply the permissions ticket to the source device using the license revoke command. The source device will then provide a rehost ticket indicating proof of revocation. A sixty day grace period license is also installed on the device to allow enough time to transfer the licenses to destination device.
  6. Enter the rehost ticket into the license transfer portal tool on Cisco.com along with destination device UDI.
  7. Receive the license key via E-mail
  8. Install the license key on the destination device.
  You can also email [email protected]
  -Terry
  Please rate all helpful posts

• How old licenses migration during basic and advanced cisco ise?

  Hello,
  How old licenses migration during basic and advanced cisco ise?
  Regards,
  Alvaro

  Hi,
  What do you mean by migration? you are migrating to another hardware? or you are upgrading from basic to advanced license?
  here is the install/upgrade process:
  http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_man_license.html#wp1059946
  If you are migrating from one device to another I think you need to use this link:
  https://tools.cisco.com/SWIFT/LicensingUI/Home
  HTH
  Amjad

• Meaning of this error (ISE 1.2 on SNS-3415): HARDWARE RNG INTEGRITY CHECK HAS FAILED!

  Hi. We recently purchased an ISE 1.2 appliance (SNS-3415 hardware). It installed fine, but I am unable to access the GUI. When I login to the box and run the following command on the CLI
  ISE-12-NS-SD-2/admin# show application status ise
  I see the following output:
  ISE Database listener is running, PID: 7737
  ISE Database is running, number of processes: 38
  ISE Application Server process is not running.
  ISE Profiler DB is running, PID: 9090
  ISE M&T Session Database is running, PID: 8959
  ISE M&T Log Collector is running, PID: 9294
  ISE M&T Log Processor is running, PID: 9376
  % ERROR: ISE SERVICES HAVE BEEN DISABLED BECAUSE
  %        HARDWARE RNG INTEGRITY CHECK HAS FAILED!
  Can anyone help me? What can I do to ensure that the hardware RNG integrity check succeeds. Is it a license issue? Is it faulty hardware? Please advise. I would be very greatful.
  Thanks in advance.

  I worked with a TAC engineer on this and he said one other customer had this issue and the only recourse was reimaging the appliance with the ISE 1.2 ISO image.
  I did reboot, restarted services, reset to factory default and none of that worked. It is possible that the issue happened because during setup of the appliance I didn't have network connectivity and went ahead with the setup and configuration of the ISE application anyway. I later had network connectivity but by that time ISE manifested this fault.
  Reimaging and ensuring network connectivity during setup the next time around fixed the problem.

• Assigning IP addresses to VPN users from Cisco ISE

  Hi all,
  I would appreciate if anyone could share his experience in assigning ip addresses (not static ones, but from a pool) to VPN users. The Radius is Cisco ISE and I am trying to configure this in the Authorization Results Tab. VPN gateway is ASA 8.4.
  Thanks in advance,
  Lora

  Hi Lora,
  Try going through the following link, might be helpful.
  http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_ipep_deploy.html#wp1252535

• Cisco ISE NDES EAP and HTTP certificates from different CA

  Hi guys, hope this is something you can help with…
  2 x ISE 1.2 (patch 5) 3415 appliances with hostnames webproxy1.customerdomain.com and webproxy2.customerdomain.com
  AD integration with customerdomain.local
  Guest authentication (CWA) using a separate interface on the ISE appliance (Gigabit 1) routing into its own VRF for isolation
  Corporate authentication is using EAP-TLS which is working fine
  BYOD using NSP with SCEP for iPads only at this stage using NDES on <customerdomain.local>
  I have installed a signed GlobalSign server certificate for HTTPS for guests (with SAN fields webproxy1.customerdomain.com and webproxy2.customerdomain.com)
  I have also installed a signed server certificate from the customer's CA for EAP (with CN of psn.customerdomain.local and SAN fields psn.customerdomain.local , webproxy1.customerdomain.com and webproxy2.customerdomain.com)
  The issue I have is if the two certificates are assigned for EAP and HTTP respectively the NSP process fails to generate a certificate though SCEP to the NDES server.
  As soon as I use the same internally signed certificate for HTTP and EAP it works, this then causes a problem with the HTTPS certificate being trusted by guests.
  This does not work with the GlobalSign certificate being used for both HTTPS and EAP, only the internal one works.
  Can you confirm if it is a valid design to have the ISE use one certificate for HTTPS and another for EAP signed by different CAs, it appears it has to be the internal CA used in the SCEP process to work.
  Thanks
  Andy

  I have now tested this with a test HTTP cert signed by a public CA and an EAP cert signed by my internal and SCEP works fine.  I am wondering if this is a certificate tier length issue.  My working example has a RootCA->IssuingCA->Cert.  It fails with a cert with a 3-tier heirarchy RootCA->IntermediateCA->IssuingCA->Cert.
  Can anyone confirm this works on other deployments with a 3-tier certificate chain with SCEP?
  Thanks

• Migrating from Brocade 2800/ 3900 to Cisco MDS 9509

  What is the best procedure from migrating from Brocade 2800/3900/12000 to Cisco MDS 9509 especially connected to HP-UX and AIX server.
  Without any Downtime I should be able to migrate these servers.
  I thought about these options:
  1. Use vgexport and vgimport or exportvg and importvg (AIX) after connecting to Cisco MDS. But this requires complete downtime on the application.
  2. Take one path down or HBA down and switch the cable and vgextend the devices.
  Please let me know if somebody has procedure.
  I was successful in HP-UX server using the second options but I cant see all the LUNs. That might be array specific problem also.
  If anybody has detailed procedure on migrating this scenario. please let me know.
  We are using Persistent FCIDs on our MDS switches.
  Thanks in Advance

  After connecting 1 cable from server HBA to Cisco S/w, why you are not able to see all LUNs, did you cross-check that...I mean HBA Configuration (max 256 LUNs) or Disk Array library driver to be installed on host side.if that can be sorted out, you can mirror the volumes across the disk arrays.are you using HDS Arrays? I don't know but what is vgextend command you are mentioning...
  also did you take a reboot of server or is it online addition on new LUNs...
  Also any how if you are not able to see all LUNs that is going to be an issue later as well for migration...pls cross-check that...

• Cisco ISE - dot1x behavior after returning from sleep mode

  Hi,
  In ISE deployment, When machine return from sleep mode , it do re-authentication process.
  Is it possible to restore the same session?
  if not ,Is it possible to let the authentication to re-run but making NAC agent not run or run in background?

  similar discussions here
  https://supportforums.cisco.com/discussion/11686306/reauthentication-problem-endpoints-using-cisco-ise-11

• Installing cisco prime on vmware & migrating from wcs

  Hi,
  We have been tasked to install prime on a vmware box then migrate from wcs, i have never done this before & was wondering if anyone has any experience in doing this way, how easy is it & if you have any docs etc?
  Cheers
  Sean
  Sent from Cisco Technical Support Android App

  Hi,
  A  direct upgrade from a WCS release to Prime Infrastructure 1.2 is not  supported. You must first upgrade to an NCS 1.1 release, and then  upgrade to Prime Infrastructure 1.2.
  Please check the links below:
  Cisco Prime Infrastructure Configuration Guide, Release 1.2
  http://www.cisco.com/en/US/docs/wireless/prime_infrastructure/1.2/configuration/guide/tasks.html#wp1215225
  Release Notes for Cisco Prime Infrastructure, Release 1.2
  http://www.cisco.com/en/US/docs/net_mgmt/prime/infrastructure/1.2/release/notes/cpi_rn.html#wp73605
  WCS to NCS or Prime Infrastructure?
  https://supportforums.cisco.com/thread/2176121