Clarifications on ISE Hardware (SNS-3415)

Hi Experts,
Good Day!
I just want to have some clarifications on whether what I did in my installation is correct.
Basically, I connected 3 cables to my SNS3415 for my ISE, and below is the arrangement of the cables:
1 cable is connected to the port dedicated for the CIMC
1 cable is connected to the port dedicated for the ISE MGMT
1 cable is connected to the port for the DATA traffic
My question is, is it correct that I allocated 1 dedicated port for my DATA where the RADIUS traffic from user to the server passes through? Could it work if I configure WEB authentication in ISE?
Thank you.
niks

Yes.  In the configuration of the portal for Web Authentication, you can choose the interface that is allowed to respond to the requests.  You can also disallow interfaces from responding.
Go to Administration > Device Portal Management > Client Provisioning
Choose your portal or create a new one.  Allow or disallow interfaces from this page and Save.
Of course, you can do this for any portal that is used (BYOD, MDM, etc).
Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
Charles Moreton

Similar Messages

  • Meaning of this error (ISE 1.2 on SNS-3415): HARDWARE RNG INTEGRITY CHECK HAS FAILED!

    Hi. We recently purchased an ISE 1.2 appliance (SNS-3415 hardware). It installed fine, but I am unable to access the GUI. When I login to the box and run the following command on the CLI
    ISE-12-NS-SD-2/admin# show application status ise
    I see the following output:
    ISE Database listener is running, PID: 7737
    ISE Database is running, number of processes: 38
    ISE Application Server process is not running.
    ISE Profiler DB is running, PID: 9090
    ISE M&T Session Database is running, PID: 8959
    ISE M&T Log Collector is running, PID: 9294
    ISE M&T Log Processor is running, PID: 9376
    % ERROR: ISE SERVICES HAVE BEEN DISABLED BECAUSE
    %        HARDWARE RNG INTEGRITY CHECK HAS FAILED!
    Can anyone help me? What can I do to ensure that the hardware RNG integrity check succeeds? Is it a license issue? Is it faulty hardware? Please advise. I would be very grateful.
    Thanks in advance.

    I worked with a TAC engineer on this and he said one other customer had this issue and the only recourse was reimaging the appliance with the ISE 1.2 ISO image.
    I did reboot, restarted services, reset to factory default and none of that worked. It is possible that the issue happened because during setup of the appliance I didn't have network connectivity and went ahead with the setup and configuration of the ISE application anyway. I later had network connectivity but by that time ISE manifested this fault.
    Reimaging and ensuring network connectivity during setup the next time around fixed the problem.
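
A small health check built on the CLI output quoted in this thread, as an added example that is not part of the original posts or of Cisco's tooling: it parses `show application status ise` text, flags services that are not running, and joins the multi-line `% ERROR` banner into one message. The function names are hypothetical, and it assumes the output keeps the line format shown above.

```python
import re

# Constructed sample: the CLI output quoted in the post above.
SAMPLE = """\
ISE Database listener is running, PID: 7737
ISE Database is running, number of processes: 38
ISE Application Server process is not running.
ISE Profiler DB is running, PID: 9090
ISE M&T Session Database is running, PID: 8959
ISE M&T Log Collector is running, PID: 9294
ISE M&T Log Processor is running, PID: 9376
% ERROR: ISE SERVICES HAVE BEEN DISABLED BECAUSE
%        HARDWARE RNG INTEGRITY CHECK HAS FAILED!
"""

# "<service name> is [not ]running<rest of line>" (assumed line format)
STATUS_RE = re.compile(r"^(?P<name>.+?)\s+is\s+(?P<neg>not\s+)?running\b(?P<rest>.*)$")
PID_RE = re.compile(r"PID:\s*(\d+)")


def parse_status(text):
    """Return (services, errors) parsed from 'show application status ise' text."""
    services, errors = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("%"):
            # Banner lines start with '%'; continuation lines carry no 'ERROR:' tag.
            body = line.lstrip("%").strip()
            if body.startswith("ERROR:"):
                errors.append(body[len("ERROR:"):].strip())
            elif errors:
                errors[-1] += " " + body
            continue
        m = STATUS_RE.match(line)
        if not m:
            continue  # unknown line shape: ignore rather than guess
        pid = PID_RE.search(m.group("rest"))
        services[m.group("name")] = {
            "running": m.group("neg") is None,
            "pid": int(pid.group(1)) if pid else None,
        }
    return services, errors


def findings(text):
    """List stopped services and error banners, suitable for alerting."""
    services, errors = parse_status(text)
    out = [f"DOWN: {name}" for name, s in services.items() if not s["running"]]
    out += [f"ERROR: {e}" for e in errors]
    return out


if __name__ == "__main__":
    for item in findings(SAMPLE):
        print(item)
```
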

  • ISE 1.2 SNS-3415 NIC Bonding / Teaming

    Hello,
    I have installed the SNS-3415 with ISE 1.2 and I'm trying to set up redundancy (team) NIC modes for the authentication requests and not for management purposes.
    The tests showed that when one interface was unplugged everything was lost and none of our internal users could be authenticated by the ISE node.
    In contrast, when I unplugged the "second interface" (probably the inactive one) nothing happened, which shows that it is a useless interface.
    My purpose is to connect it to my twin core switches and have a full high-availability deployment.
    - I have searched enough on the web but I didn't find any clear and precise document saying how this could be achieved.
    http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-4/installation/guide/csacs_book/csacs_hw_ins_ucs.html#wp1185589
    Themis

    ISE 1.2 does not support NIC teaming.  Especially on appliances.  There is a workaround for VM using the ESXi host to team the NICs so that it is transparent to the VM.
    Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
    Charles Moreton

  • Cisco ISE migration from VM to SNS 3415 Appliance

    Hi Experts,
    My customer is running an ISE VM (OS is 1.1.1) with a base license used only for guest authentication. As per the requirement we need to migrate the existing setup to the ISE hardware (1.2).
    Can anyone please help me in the best way to do .
    I am planning to install a new ISE setup rather than migration but confused regarding the ISE Licensing .
    Thanks in advance 
    Regards
    Agnus 

    Angus,
    First and foremost, you must have a current, non-expired license.
    The best way to accomplish this is to log in to the Licensing Portal:
    https://tools.cisco.com/SWIFT/LicensingUI/Quickstart#
    Click on Licenses.  Choose the license you would like to transfer to the new 3415 Appliance.
    Note that I have selected two licenses, Base and Advanced.  You can only select ONE LICENSE at a time.  To Re-Host a Base and an Advanced License, you must do this twice.
    Then click Actions > Rehost/Transfer...
    A new window will appear requesting the information from your new 3415 Appliance (you must have already installed ISE on the appliance):
    You can find this information on the new 3415 by going to Administration > Licensing and clicking on the name of your node.
    This is all found in the ISE Admin Guide.
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_0111.html#concept_E664BCA9F4164C7F8DE590B7C2C4AD99
    Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
    Charles Moreton

  • ISE SNS-3415-K9 License Issue

     Hi All,
    We are planning to take ISE SNS-3415-K9 appliance for 2500 wireless end points.
    Can you please guide me on how to obtain a license? Are Base licenses really required for wireless end points?
    Your early response will be highly appreciated.
    Regards,
    Satish.

    If you are purchasing Wireless license then Base license is not required, it would support the below services
    Device onboarding/provisioning
    AAA
    Guest provisioning
    Link encryption policies
    Device profiling and feed service
    Host posture
    Cisco Security Group Access
    Integrated vendor MDM support
    Refer : http://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/guide_c07-656177.html

  • Spare parts for SNS-3415

    Hi guys,
    I saw the HW specs of the 3415.
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11640/data_sheet_c78-726524.pdf
    There is a spare part for the disk and for the power supply. Does anyone have experience of whether the ISE software will check for the HW? The SNS server has a hardware RAID controller. I want to know if I can use the RAID controller just for mirroring for HW redundancy.
    The SNS 3415 has two power slots. So I suppose this can be easily done without breaking the 'service' requirements for TAC.
    regards,
    Sander

    Hi Ravi,
    For the OS disk, I'm pretty sure we will run into problems. Like you said, the UNIX distri will check for the HW based on the system ID (3415 will have only 1 disk like the specs of Cisco). So sure, I don't want to run into problems with my service agreement.
    But for the PSU it would be a nice to know if I can install this without any issues. Maybe you got the HW in the LABs?
    regards,
    Sander

  • Cisco sns-3415 configuration

    Hi Team
    we brought new Cisco sns-3415 ACS configuration somebody please help to configure this on first time. I am simply first time on this device so I look forward first level configuration guide. find below the configuration details.
    SNS-3415-K9: Small Secure Network Server for ISE NAC & ACS Applications
    CON-SNT-SNS3415: SMARTNET 8X5XNBD Small Secure Network
    CSACS-3415-K9: ACS application & BASE license for SNS-3415-K9 appliance
    CSACS-5-BASE-LIC: Cisco Secure ACS 5 Base License
    CSACS-ACCYKIT: Accessory Kit for Access Control System SW on 3415-appliance
    SFS-250V-10A-ID: SFS Power Cord - 250V 10A India
    SNS-4GBSR-1X041RY: 4GB 1600 Mhz Memory Module
    SNS-600GB-HDD: 600 GB Hard Disk Drive
    SNS-650W-PSU: 650W power supply for C-series rack servers + cord (configur
    SNS-CPU-2609-E5: 2.4 GHz E5-2609/80W 4C/10MB Cache/DDR3 1600MHz
    SNS-N2XX-ABPCI01: Broadcom 5709 Dual Port 10/100/1Gb NIC w/TOE iSCSI
    SNS-RAID-ROM5: Embedded SW RAID 0/1/10 8 ports SAS/SATA
    SNS-UCS-TPM: Trusted Platform Module for UCS servers
    Thanks
    Sreejesh S

    check Cisco how to guides for step by step configuration just follow the instruction and you can easily  configure the setup also when you first open the ISE there is an option for express setup (Auto config) but i would suggest for the guide (link given below)
    https://www.cisco.com/en/go/trustsec.
    **********Do rate Helpful posts************************

  • ISE Hardware Requirements

    Cisco's docs are not providing the information in regards to ISE hardware requirements.  I am looking at 3 different documents and see 3 different requirements.
    Does anyone have the tried and true numbers for the ISE deployment?  Specifically for the PSN?
    Also, are there hardware restrictions on the servers that can be used in the event the customer decides to go with their own hardware rather than using VM?
    thanks for any assistance anyone can offer.
    Mike
    Received answer from Cisco...
    Posting in case anyone else needs this info
    Your Question:
    If I am using a distributed deployment, for example, running 1 node as admin and monitoring, another node for PSN, would I need 250gb disk space for each node?  Or would I use a shared 250gb disk space on a storage server?
    Answer:
    As you informed that you are " running 1 node as admin and monitoring, another node for PSN, would I need 250gb disk space for each node ", so YES each node will have individual 250Gb of space.
    Now the node running as admin and monitoring would have to share the 250Gb available on the ISE on which they would be implemented.
    Your Question:
    Additionally, say I were to scale and create 2 admin nodes, and 4 PSNs, how would the disk space work in that case?
    Answer:
    As the 2 Admin nodes would be on individual ISE hardware appliance, so individually they would have 250Gb of space and if the 4 PSN are also the same ISE hardware, then each PSN would have its own 250Gb space.
    Your Question:
    If however, the admin node and PSN were on the same chassis, different VM (if supported) how would the disk space work then?
    Answer:
    If the VM used for the above scenario is only one and is configured according/equivalent to ISE hardware appliance, then the space mentioned (250Gb as example) would be shared between the two personas.
    Message was edited by: Michael Mistretta

    Hello,
    The links below might help you out:
    http://www.cisco.com/en/US/docs/security/ise/1.0.4/install_guide/ise104_vmware.html
    and
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11637/ps11195/data_sheet_c78-656174.html

  • Clarification on notebook hardware as HP is vague.

    No reply after 24 hours for a (now edited and replaced with this update) question either HP or owners should be clear on. Order is stuck without clearance in AK, a problem HP has repeatedly had. Poor forum experience (ignored entirely) as well as a stuck-in-customs laptop I bought that I have no definitive answer on what hardware is inside. I hope the Envy arrives soon so I can begin an RMA request and ship it back unopened. Just the feeling I will have questions posted for days without replies, numerous (off site even) searches on what the undocumented specs are for these machines, is a bit much to ask of a consumer. Hopefully I will be refunded and can try another dealer.

    Hi,
    To me also, it's a hardware issue rather than OS; the wireless receiver also keeps failing after the system is on for 2/3 hours, apparently from overheating. The process-related solution is also very generic, as for the configuration it should always be very fast for normal day-to-day use. Looks like the issue is with the ENVY DV6 series itself. I have been having problems with my laptop for the last year.
    HP wasn't able to fix the issue properly in several attempts and broke one corner of my laptop during the last repair. They promised a new comparable replacement to me but I'm not sure when it will arrive.
    Regards
    Subrata

  • Secure Network Servers (SNS) in ISE version 1.1.4

    Hi board,
    I'm quite confused about the supported ISE versions for the new Cisco Secure Network Server 3415 and 3495.
    In nearly all documents it is stated, that the support for this HW will be introduced with ISE 1.2
    For example ISE Q&A
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11637/ps11195/qa_c67-658591.html
    What else is being released with ISE 1.2*?
    A. Two new hardware platforms called the Cisco Network Secure Servers*. These new servers bring scalability improvement as they are based on the powerful Cisco UCS® C220 Rack Server platform and configured to support the Cisco Identity Services Engine* (ISE), Network Admission Control (NAC), and Access Control System (ACS)  security applications. The multiuse Cisco Secure Network Servers offer  many improvements over current ISE, ACS, and NAC appliances, and are the  platform recommended to deploy newer versions of these applications.  During ordering, customers can specify which security application they  would like to have installed. See the Product Details section for more  information.
    On the other hand, in the 1.1.x release notes it's stated, that the HW is supported in the current 1.1.4 release
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/release_notes/ise111_rn.html#wp417581
    New Features in Cisco ISE, Release 1.1.4 Cisco ISE, Release 1.1.4 provides support for the Cisco SNS 3400 Series  appliance. For details on the installing and configuring the Cisco SNS  3400 Series appliance, refer to the ISE 1.1.4 Installation Guide at the  following location:
    What is true now? What HW appliance do I choose, if I want to order today?
    I don't want to order the old appliances (33xx), because they are already EoL announced:
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11640/eol_C51-728424.html
    Thanks!

    Hi Johanne,
    Cisco ISE software is packaged with your appliance  or image for installation. Cisco ISE, Release 1.2 is shipped on the  following platforms. After installation, you can configure Cisco ISE  with specified component personas (Administration, Policy Service, and  Monitoring) or as an Inline Posture node on the platforms.
    Supported Hardware and Personas:

    Cisco SNS-3415-K9 (small)
    Persona: Any
    Configuration:
    • Cisco UCS [1] C220 M3
    • Single socket Intel E5-2609 2.4-GHz CPU, 4 total cores, 4 total threads
    • 16-GB RAM
    • 1 x 600-GB disk
    • Embedded Software RAID 0
    • 4 GE network interfaces

    Cisco SNS-3495-K9 [2] (large)
    Persona: Administration, Policy Service, Monitor
    Configuration:
    • Cisco UCS C220 M3
    • Dual socket Intel E5-2609 2.4-GHz CPU, 8 total cores, 8 total threads
    • 32-GB RAM
    • 2 x 600-GB disk
    • RAID 0+1
    • 4 GE network interfaces

    Cisco ISE-3315-K9 (small)
    Persona: Any
    Configuration:
    • 1x Xeon 2.66-GHz quad-core processor
    • 4 GB RAM
    • 2 x 250 GB SATA [3] HDD [4]
    • 4x 1 GB NIC [5]

    Cisco ISE-3355-K9 (medium)
    Persona: Any
    Configuration:
    • 1x Nehalem 2.0-GHz quad-core processor
    • 4 GB RAM
    • 2 x 300 GB 2.5 in. SATA HDD
    • RAID [6] (disabled)
    • 4x 1 GB NIC
    • Redundant AC power

    Cisco ISE-3395-K9 (large)
    Persona: Any
    Configuration:
    • 2x Nehalem 2.0-GHz quad-core processor
    • 4 GB RAM
    • 4 x 300 GB 2.5 in. SAS II HDD
    • RAID 1
    • 4x 1 GB NIC
    • Redundant AC power

    Cisco ISE-VM-K9 (VMware)
    Persona: Stand-alone Administration, Monitoring, and Policy Service (no Inline Posture)
    Configuration:
    • For CPU and memory recommendations, refer to the "VMware Appliance Sizing Recommendations" section in the Cisco Identity Services Engine Hardware Installation Guide, Release 1.2. [7]
    • Hard Disks (minimum allocated memory):
      – Stand-alone: 600 GB
      – Administration: 200 GB
      – Policy Service and Monitoring: 600 GB
      – Monitoring: 500 GB
      – Policy Service: 100 GB
    • NIC: 1 GB NIC interface required (You can install up to 4 NICs.)
    • Supported VMware versions include:
      – ESX 4.x
      – ESXi 4.x and 5.x

    [1] Cisco Unified Computing System (UCS)
    [2] Inline posture is a 32-bit system and is not capable of symmetric multiprocessing (SMP). Therefore, it is not available on the SNS-3495 platform.
    [3] SATA = Serial Advanced Technology Attachment
    [4] HDD = hard disk drive
    [5] NIC = network interface card
    [6] RAID = Redundant Array of Independent Disks
    [7] Memory allocation of less than 4GB is not supported for any VMware appliance configuration. In the event of a Cisco ISE behavior issue, all users will be required to change allocated memory to at least 4GB prior to opening a case with the Cisco Technical Assistance Center.
    Please check the following link for further information.
    https://supportforums.cisco.com/message/3986953#3986953

  • ISE-3415 vs ISE-3315

    Hello,
    two years ago I wanted to buy ISE-3315 and when we prepared order we were told we have to order following components:
    - ISE-3315-K9
    - L-ISE-ADV3Y-100=
    Today ISE-3315 is EOS and the solution for small business is ISE-3415. The problem is we have to order following components:
    - SNS-3415-K9
    - SW-3415-ISE-K9 Cisco ISE Software version 1.2 for the SNS-3415-K9
    - L-ISE-ADV-S-100=
    The main problem is the new solution costs almost 50% more. Can someone confirm that it is correct? Or maybe I had wrong information two years ago with ISE-3315.
    BTW - I need the appliance for lab and study. Do we need to buy a full license in this case?
    Thank you
    Hubert

    Yes you can buy the appliance and then install the trial version.  just keep in mind that once the trial time has run out you must buy the license to continue to use the features that were available with the trial version.
    If using VMware, you can rollback to a snapshot prior to the installation of the ISE and reinstall the trial license and continue to use it for your studies.
    Of course, if you have a budget that will allow you to buy the appliance and a full license that is provided by the trial license, then go for it.  But if you want to save some money then the VMware is the way to go.
    Please remember to select a correct answer and rate helpful posts

  • ISE Endpoint clarification

    Morning,
    just trying to find some clarification on ISE end points for licensing. I'm looking at moving AAA authentication for switches onto ISE. The end point licensing at the moment is primarily for MAC-based devices on wireless. Will adding switches onto ISE eat into these licenses? I know ACS 5.1 had a license for Configured IP Addresses in Network Devices.
    Thanks
    S

    In Cisco ISE, licensing enables you to provide coverage for increasing numbers of endpoints and offer more complex policy services depending on the capabilities of the license or licenses that you choose to apply.
    Cisco ISE licenses are available in Base and Advanced packages. Each package includes a number of SKUs that is equal to the number of licenses included in the package. To use Cisco ISE, you must have a valid base and advanced license package.
    The base package includes all of the base services required to enable 802.1X, Guest, and Monitoring and Troubleshooting. The advanced package includes Posture, Profiler, and Security Group Access services.
    Cisco ISE is bundled with a licensing mechanism that has the following important features:
    •  Built-in License—Cisco ISE comes with a built-in evaluation license, which is valid for 90 days. The evaluation license includes both base and advanced packages and limits the number of endpoints to 100 for both the base and advanced packages. Therefore, it is not required to install a regular license immediately upon installation.
    •  Central Management—Licenses are centrally managed by the ISE administration node. In a distributed deployment, where two ISE nodes assume the Administration persona (primary and secondary), upon successful installation of the license file, the licensing information from the primary Administration node is propagated to the secondary Administration node. So there is no need to install the same license on each Administration node within the deployment.
    •  Concurrent Endpoint Count—The Cisco ISE license includes a count value for base and advanced packages, which restricts the number of endpoints that use those services. The count value is the number of endpoints across the entire deployment that are concurrently connected to the network and accessing the service.
    Please check the link below, which can give you a better understanding:
    http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_license.html

  • ISE disk system IOPS

    Clarifying the ISE VMware appliance specifications: can anyone provide me the ISE hardware requirement for disk system IOPS equivalent to an SNS-3495?
    Thanks much,
    David D.

    http://www.cisco.com/en/US/docs/security/ise/1.2/installation_guide/ise_vmware.html

    Cisco ISE Appliance                  3495                                 3415
    Endpoint Supported                   20,000                               5,000
    CPU                                  2 X Quad Core 2.4 GHz Intel Xeon     1 X Quad Core 2.4 GHz Intel Xeon
    CPU Model                            E5-2609                              E5-2609
    # of Cores per CPU                   4                                    4
    # of Threads per CPU                 4                                    4
    Total CPU's                          8                                    4
    Intel® Hyper-Threading Technology    No                                   No
    Memory                               32 GB                                16 GB
    Hard Disk                            2 x 600GB 6Gb SAS 10K RPM,           1 x 600GB 6Gb SAS 10K RPM
                                         Raid 0 + 1
    Operating System                     64bit                                64bit

  • ISE 1.2 and MDM integration.

    What kind of device information can I collect by MDM integration with ISE?

    Hello,
    ISE  Release 1.2 delivers integration between Identity Services Engine and  MDM platforms, which can ensure that all mobile devices are compliant  with security policy before they are allowed to access the network. This  feature enables posture compliance assessment and network access  control of mobile endpoints attempting to access the network. The  solution also performs ongoing posture checks to ensure that devices  remain compliant and that the correct network access level is  maintained. The specific posture attributes collected by MDM partner  platforms for compliance and access policy enforcement in the Identity  Services Engine are:
    • Is the mobile device registered with MDM?
    • Does the mobile device have disk encryption enabled?
    • Does the device have PIN-Lock enabled?
    • Has the device been jail-broken/rooted?
    In  terms of global compliance, posture compliance decisions may be made by  the MDM platform instead of the Identity Services Engine. In this  scenario, additional attributes such as blacklisted applications or  presence of an enterprise data container may be checked. The MDM  platform simply informs the Identity Services Engine if a device is in  compliance, then the Identity Services Engine enforces the appropriate  network access policy.
    This  integration brings great value to MDM customers as it automates to the  device registration process. As MDM solutions are network-blind, they  can't detect a new device when it connects to the wireless network, so  the administrator needs to send a notification to the users who wish to  enroll their devices. With ISE integration, device enrollment is done  automatically when users connect their device to the Wi-Fi network.
    SNS appliances are now available with ISE 1.2 in SNS-3415-K9 and SNS-3495-K9 appliances.

  • ISE 1.2 VM core

    What is the maximum of cores for an ISE 1.2? The minimum is 4 but a maximum isn't defined.

    Hi,
    You could use SNS-3495 platform that has total of 8 cores.
    VMware Appliance Specifications for a Production Environment

    Platform            SNS-3415                                    SNS-3495
    Processor           Single socket Intel E5-2609 2.4 Ghz CPU,    Dual socket Intel E5-2609 2.4 Ghz CPU,
                        4 total cores                               8 total cores
    Memory              16 GB                                       32 GB
    Total Disk Space    600 GB                                      600 GB
    Ethernet NICs       4 x Integrated Gigabit NICs                 4 x Integrated Gigabit NICs

    Source,
    http://www.cisco.com/en/US/docs/security/ise/1.2/installation_guide/ise_vmware.html#wp1104790
    Thanks
    Anas
