ISE distributed deployment upgrade

My customer has an ISE deployment with 4 nodes: Admin/Monitor Primary and Secondary plus 2 Policy Servers. The Admin nodes are VMs, the Policy nodes are 3315 appliances.
The system was installed almost three years ago with the version 1.1.0 ... It appears the system never had issues so never was patched or upgraded. Why fix something that is working fine?
Today there was an issue because the certificates expired, so in the review to get the system up and running again, the update issue was brought into the conversation. We would like to upgrade to the last supported version, so I am looking for some tips and ideas for planning the upgrade.
I have some doubts:
Can the 3315 appliance support the release 1.3 without issues?
I know the upgrade procedure is basically installing a .tar file, but I'm not clear how the process in a distributed deployment should be. I had run upgrades in standalone systems, but never in a distributed deployment. So, I need to upgrade the Primary Admin only and the other nodes would upgrade automatically?
I would need to upgrade 1.1 to 1.2 first and then 1.2 to 1.3?
I understand release 1.1 was in 32 bits, and the version 1.2 and 1.3 are in 64 bits, so I guess the process would take a long time (perhaps a couple of hours), so a maintenance window would need 3 or 4 hours until the full system became stable.
Can you give me some advice and suggestions to avoid major issues?
Regards.
Daniel Escalante.

Can you give me some advice and suggestions to avoid major issues?
Documents related to the upgrade were given by Venkatesh; refer to those. Along with that, some additional information:
Can the 3315 appliance support the release 1.3 without issues?
Cisco ISE-3315-K9 (small) | Supports ISE 1.3 | Any | 1x Xeon 2.66-GHz quad-core processor, 4 GB RAM, 2 x 250 GB SATA HDD, 4x 1 GB NIC
I know the upgrade procedure is basically installing a .tar file, but I'm not clear how the process in a distributed deployment should be. I had run upgrades in standalone systems, but never in a distributed deployment. So, I need to upgrade the Primary Admin only and the other nodes would upgrade automatically?
When upgrading to Cisco ISE, Release 1.2, first upgrade the secondary Administration node to Release 1.2. You do not have to manually deregister the node before an upgrade. Use the application upgrade command to upgrade nodes to Release 1.2. The upgrade process deregisters the node automatically and moves it to the new deployment. If you manually deregister the node before an upgrade, ensure that you have the license file for the Primary Administration node before beginning the upgrade process. If you do not have the file on hand (if your license was installed by a Cisco partner vendor, for example), contact the Cisco Technical Assistance Center for assistance.
I would need to upgrade 1.1 to 1.2 first and then 1.2 to 1.3? I understand release 1.1 was in 32 bits, and the version 1.2 and 1.3 are in 64 bits, so I guess the process would take a long time (perhaps a couple of hours), so a maintenance window would need 3 or 4 hours until the full system became stable
If you are on a version earlier than Cisco ISE, Release 1.2, you must first upgrade to 1.2 and then to 1.3.
You can upgrade to Cisco ISE, Release 1.2, from any of the following releases:
Cisco ISE, Release 1.1.0.665 (or 1.1.0 with the latest patch applied)
Cisco ISE, Release 1.1.1.268 (or 1.1.1 with the latest patch applied)
Cisco ISE, Release 1.1.2, with the latest patch applied
Cisco ISE, Release 1.1.3, with the latest patch applied
Cisco ISE, Release 1.1.4, with the latest patch applied
Type of Deployment | Node Persona | Time Taken for Upgrade
Standalone (2000 endpoints) | Administration, Policy Service, Monitoring | 1 hour 20 minutes
Distributed (25,000 users and 250,000 endpoints) | Secondary Administration | 2 hours
Distributed (25,000 users and 250,000 endpoints) | Monitoring | 1.5 hours
After upgrading to ISE 1.2, upgrade to ISE 1.3
Type of Deployment | Node Persona | Time Taken for Upgrade
Standalone (2000 endpoints) | Administration, Policy Service, Monitoring | 1 hour 20 minutes
Distributed (25,000 users and 250,000 endpoints) | Secondary Administration | 2 hours
Distributed (25,000 users and 250,000 endpoints) | Monitoring | 1.5 hours
Factors That Affect Upgrade Time
Number of endpoints in your network
Number of users and guest users in your network
Profiling service, if enabled
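The rules in this reply (valid starting releases for 1.2, the two-hop path to 1.3, secondary Administration node first) can be checked against an inventory before the maintenance window. The Python below is an added example, not part of the original post or of any Cisco tooling; node names, persona labels and sample versions are constructed.

```python
from dataclasses import dataclass

# Starting points the reply lists for the upgrade to 1.2. The value is the build
# that qualifies as-is; None means only "with the latest patch applied" qualifies.
ELIGIBLE_FOR_12 = {"1.1.0": "665", "1.1.1": "268",
                   "1.1.2": None, "1.1.3": None, "1.1.4": None}


@dataclass
class Node:
    name: str                  # constructed host name
    personas: tuple            # hypothetical labels, e.g. ("secondary-admin", "monitoring")
    version: str               # e.g. "1.1.0.665" = release 1.1.0, build 665
    latest_patch: bool = False # True when the latest patch of that release is installed


def split_version(version):
    """Split '1.1.0.665' into ('1.1.0', '665'); the build may be absent."""
    parts = version.split(".")
    return ".".join(parts[:3]), (parts[3] if len(parts) > 3 else None)


def hops(node):
    """Return (releases still to install, blocker message or None) for one node."""
    release, build = split_version(node.version)
    major_minor = tuple(int(p) for p in release.split(".")[:2])
    if major_minor >= (1, 3):
        return [], None
    if major_minor == (1, 2):
        return ["1.3"], None
    # Anything earlier than 1.2 must go to 1.2 first, from a listed release only.
    if release not in ELIGIBLE_FOR_12:
        return [], f"{node.name}: {release} is not a listed starting point for 1.2"
    as_is = ELIGIBLE_FOR_12[release]
    if node.latest_patch or (as_is is not None and build == as_is):
        return ["1.2", "1.3"], None
    return [], f"{node.name}: apply the latest {release} patch before upgrading to 1.2"


def plan(nodes):
    """Return (blockers, node order for the next hop, remaining hops per node)."""
    blockers, paths = [], {}
    for node in nodes:
        path, blocker = hops(node)
        if blocker:
            blockers.append(blocker)
        paths[node.name] = path
    secondaries = [n for n in nodes if "secondary-admin" in n.personas]
    if len(secondaries) != 1:
        blockers.append("expected exactly one secondary Administration node")
    if blockers:
        return blockers, [], {}
    first = secondaries[0]
    # The page only fixes the first step; the other nodes keep inventory order.
    order = [first.name] + [n.name for n in nodes if n is not first]
    return [], order, paths


# Constructed inventory shaped like the deployment in the question.
SAMPLE = [
    Node("ise-adm1", ("primary-admin", "monitoring"), "1.1.0.665"),
    Node("ise-adm2", ("secondary-admin", "monitoring"), "1.1.0.665"),
    Node("ise-psn1", ("policy",), "1.1.0.665"),
    Node("ise-psn2", ("policy",), "1.1.0.665"),
]

if __name__ == "__main__":
    blockers, order, paths = plan(SAMPLE)
    print("blockers:", blockers)
    print("order for next hop:", order)
    print("hops per node:", paths)
```

Because the old secondary Administration node becomes the primary of the new deployment, re-read the personas from the upgraded deployment before planning the hop to 1.3.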

Similar Messages

  • Need suggestion for ISE distributed deployment model in two different data centers along with public certificate for HTTPS

    Hi Experts,
    I am a bit confused about the ISE distributed deployment model.
    I have two data centers, one is DC and the other one is a DR. I have a requirement for guest access service implementation using CWA, and to get a public certificate for HTTPS to avoid certificate errors on client devices:
    How do I deploy ISE personas for HA in these two data centers?
    After reading the Cisco doc, I understood that we can have two PAN (Primary in DC & Secondary in DR), likewise for MnT (Monitoring will be the same as PAN). However, I can have 5 PSN running in secondary, i.e. in DR ISE, but I have confusion about HA for PSN: since we have all PSN in secondary, it would not work for HA if it fails.
    Can anybody suggest the best deployment solution for this scenario?
    Another doubt about public certificate:
    Public Certificate: The ISE domain must be a registered or part of a registered domain name on the Internet. For that I need the domain name being used by the customer.
    Please do correct me if I am wrong in my understanding of certificates:
    Since guests will be outside users, we cannot use a certificate from the internal CA; we need to get the certificate from a service provider and install the same in both ISE servers.
    Can anybody explain the procedure to obtain the public certificate for HTTPS from a service provider? And how do I install it on both ISE servers?

    Hi there. Let me try answering your questions:
    PSN HA: The PSNs are not configured as "primary" or "secondary" inside your ISE deployment. They are just PSN nodes as far as ISE is concerned. Instead, inside your NADs (In your case WLCs) you can specify which PSN is primary, which one is secondary, etc. You can accomplish this by:
    1. Defining all PSN nodes as AAA radius servers inside the WLC
    2. Then under the SSID > AAA Servers Tab, you can list the AAA servers in the order that you prefer. As a result, the WLC will always use the first server listed until that server fails/gets reloaded, etc. 
    3. As a result, you can have one WLC or SSID prefer PSN server A (located in primary DC) while a second WLC or SSID prefer PSN server B (located in backup DC)
    Last but not the least, you could also place PSNs behind a load balancer and that way the traffic would be equally distributed between multiple PSNs. However, the PSN nodes must be Layer 2 adjacent, which is probably not the case if they are located in two different Data Centers
    Certificates: Yes, you would want to get a public certificate to service the guest portal. Getting a public/well known certificate would ensure that most devices out there would trust the CA that signed your ISE certificate. For instance, VeriSign, GoDaddy, Entrust are some of the ones out there that would work just fine. On the other hand, if you use a certificate that was signed by your internal CA, then things would be fine for your internal endpoints that trust your internal CA but for any outsiders (Guests, contractors, etc) that do not trust and do not know who your internal CA is would get a certificate error when being redirected to the ISE guest portal. This in general is only a "cosmetic" issue and if the users click "continue" and add your CA as a trusted authority, the guest page would load and the session would work. However, most users out there would not feel safe to proceed and you will most likely get a lot of calls to your helpdesk :)
    I hope this helps!
    Thank you for rating helpful posts!

  • ISE Distributed Deployment

    Hi All,
    Deploying multiple PSNs with a distributed deployment, do all the PSNs have to be in the same domain? I have 8 set up in one domain, and would like to run a few more through firewalls and using a different DNS domain.
    Also interested to see how AD integration works with this. I'd still expect to join the nodes to the common AD domain. Would they be able to join an AD domain which isn't linked with their FQDN?
    I'm hoping that running the other policy nodes on an external domain, I can use a standard CSR for the external public certs.
    All comments, suggestions, spoilers welcomed! Question is out to Cisco but I know the value of these forums too.

    Hi,
    You will have to join all ISE nodes to the same AD domain since the policy for user enforcement (for any external conditions) is configured at the Primary Admin node and replicated down to the PSNs. However, if you choose to configure a different DNS domain for one PSN and then join it to the common AD domain, the only issue I see with this is the SAMAccount name being sent in the username and not the UPN.
    If a user requests authentication with johndoe and your AD domain is abc.com but your dns domain is def.com, then ISE will try to authenticate [email protected] (from my experience), there have been some improvements where ISE should be able to note that this is an authentication request and should suffix the request with [email protected] but I am not 100 percent sure.
    If you have a Cisco account rep (with your deployment size I am absolutely sure you do), have them ping the BU on this issue and see what the official response is.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • ISE NODE NOT REACHABLE when building distributed deployment

    I am trying to build a distributed deployment with the following personas:
    2 policy admin nodes
    2 monitoring nodes
    4 policy service nodes
    This was a project that was partially implemented but never in production. It was in a distributed deployment, but half the nodes were no longer working (http errors or devices weren't reachable or could not sync). I decided to start from scratch. All nodes were:
    -de-registered
    -application was reset to factory defaults on all nodes
    -upgraded all 8 nodes to 1.1.4.218 patch 1
    -installed all new certs and joined all nodes to the domain
    -added to DNS forward and reverse lookup zones
    When I make 1 admin node primary and register the other nodes (secondary admin, monitoring, policy services) the nodes successfully register and show up in the deployment window of the primary; however, all the nodes show as NODE NOT REACHABLE. After registration, I've noticed that the registered nodes are still showing as STANDALONE if I access the GUI. I've tried rebooting them manually after registration and they are still unreachable. I have also tried resetting the database user password from the CLI on both admin nodes and the results are always the same.

    Originally I had added them all at the same time. I thought that maybe I just wasn't waiting long enough for the sync. I waited an entire day and all the nodes were still unreachable. At this point, I've de-registered all the nodes, rebooted all the nodes, converted the primary back to standalone (the remaining nodes never converted from standalone to distributed even when I rebooted them after registering despite a message that they were successfully registered), converted one node back to primary and tried to register just the secondary admin node giving it plenty of time to sync; this node is still not reachable from the primary.
    I've quadruple checked the certificates on all the nodes, these certs were all added on the same day (just last week) and the default self-signed certs were removed.
    I had restored from a backup on the primary so I might just reset the config on that node and try joining the other nodes before I restore again.

  • ISE PSN rebooted and will not rejoin distributed deployment

    Hi,
    A PSN was powered down by accident and I'm trying to register it back to its PAN as part of a distributed deployment but I keep getting the error message "ISE not in Standalone mode".
    I'm not sure how to set the PSN node back to Standalone mode when it's no longer part of the deployment.
    Thanks for any help.
    Barry

    Hi,
    Yes. Deregister the PSN from the PAN; after deregistration this node becomes a Standalone node.

  • ISE 1.1.1 firewall rules distributed deployment

    My question is in reference to the following link:
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/installation_guide/ise_app_e-ports.html
    Basically I am struggling in some areas to work out my firewall rules for a distributed deployment. The referenced documentation is not entirely clear in my opinion. In some instances it is easy to work out what ports need to be opened, e.g. Admin node TCP 22, 80, 443 for management from administrator hosts/ranges. In other instances it is difficult to work out, e.g. TCP 1521 Database listener and AQ: is this for ISE nodes only or for access devices as well?
    My question is whether there is a better document that details these requirements. What rules are meant to be ISE node - ISE node communications and which rules are for access device - ISE, or ISE - access device. One of the rules I am pretty confused about is the PSN CoA ports. Should the rule be WLC - PSN on 1700 and 3799 or is it the other way round or unidirectional?
    I am pretty sure that the ports are meant to be ISE-ISE in most instances barring the PSN for Radius and CoA.

    Try this for size.
    In answer to the specific CoA question, I see no need for the WLC to send CoA to PSN, so just PSN to WLC as far as I can see.
    You might be able to cut this list down, and you might have to add to it for any specific requirements.
    From PSN to AD (potentially all AD nodes):
    TCP 389, 3268, 445, 88, 464
    UDP 389, 3268
    From PSN to Monitoring nodes:
    TCP 443
    UDP 20514
    PSN to Admin Nodes (2Way):
    TCP 443, 1521
    ICMP echo and reply (heartbeat)
    WLC to PSN:
    TCP 443, 8443, 80, 8080
    UDP 1645, 1646, 1812, 1813, 1700, 3799, 161, 162, 9993, 67
    PSN to other PSN’s (2 way)
    UDP 30514, 45588, 45990
    Endpoint (Laptop) to PSN (Guest laptops just need to get to external PSN’s, internal users just to internal PSN’s)
    TCP 8443, 8905
    UDP 8905
    Admin/Sponsor to all ISE nodes:
    TCP 22, 80, 443, 8080, 8443
    UDP 161
    PSN access to DNS servers:
    TCP/UDP 53
    PSN access to NTP servers:
    UDP 123
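One way to use the list above when reviewing a rule set, as an added example that is not part of the original post: the flows are transcribed into a matrix and each firewall rule is flagged when it is absent from the list or opened in the reverse direction. Role names and the sample rules are constructed; CoA is taken as PSN to WLC, as the reply's text states, and the ICMP heartbeat is left out because it has no port.

```python
# Flow matrix transcribed from the reply: "SRC>DST proto ports".
# "<>" marks the entries the reply labels "2 way"; "ISE" means every ISE node.
# Rules describe the initiating direction, as on a stateful firewall.
MATRIX_TEXT = """
PSN>AD tcp 389,3268,445,88,464
PSN>AD udp 389,3268
PSN>MNT tcp 443
PSN>MNT udp 20514
PSN<>ADMIN tcp 443,1521
WLC>PSN tcp 443,8443,80,8080
WLC>PSN udp 1645,1646,1812,1813,161,162,9993,67
PSN>WLC udp 1700,3799
PSN<>PSN udp 30514,45588,45990
ENDPOINT>PSN tcp 8443,8905
ENDPOINT>PSN udp 8905
MGMT>ISE tcp 22,80,443,8080,8443
MGMT>ISE udp 161
PSN>DNS tcp 53
PSN>DNS udp 53
PSN>NTP udp 123
"""

ISE_ROLES = ("ADMIN", "MNT", "PSN")  # expansion of the "all ISE nodes" entry


def parse_matrix(text):
    """Expand the matrix text into a set of (src, dst, proto, port) flows."""
    allowed = set()
    for line in text.strip().splitlines():
        pair, proto, ports = line.split()
        two_way = "<>" in pair
        src, dst = pair.replace("<>", ">").split(">")
        for target in (ISE_ROLES if dst == "ISE" else (dst,)):
            for port in ports.split(","):
                allowed.add((src, target, proto, int(port)))
                if two_way:
                    allowed.add((target, src, proto, int(port)))
    return allowed


def audit(rules, allowed):
    """Return [(rule, reason)] for every rule the matrix does not justify."""
    findings = []
    for rule in rules:
        src, dst, proto, port = rule
        if rule in allowed:
            continue
        if (dst, src, proto, port) in allowed:
            findings.append((rule, "reversed"))       # right port, wrong initiator
        else:
            findings.append((rule, "not in matrix"))  # candidate for removal
    return findings


# Constructed rule set of the kind the question describes.
SAMPLE_RULES = [
    ("WLC", "PSN", "udp", 1812),        # RADIUS authentication
    ("WLC", "PSN", "udp", 1813),        # RADIUS accounting
    ("WLC", "PSN", "udp", 1700),        # CoA opened from the WLC side
    ("ENDPOINT", "PSN", "tcp", 8443),   # guest portal
    ("ENDPOINT", "ADMIN", "tcp", 443),  # endpoints reaching the admin GUI
    ("WLC", "PSN", "tcp", 1521),        # database listener opened to access devices
]

if __name__ == "__main__":
    for rule, reason in audit(SAMPLE_RULES, parse_matrix(MATRIX_TEXT)):
        print(reason, rule)
```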

  • ISE's Internal Root CA. How to generate new one in distributed deployment?

    Hello,
    I have two ISE nodes in distributed deployment. I would like to generate new Internal Root CA certificate. I was able to do that from primary node, but only FOR primary node. How can I achieve this for the other node?
    Best Regards,
    Marek

    Hi Marek-
    All of the certificate management is performed from the Admin Node which becomes the Root CA for the ISE PKI. You generate Subordinate CA certificates to your Policy Nodes from the Primary Admin node. Check this link for more info:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_01000.html#task_FF93B4C51BAC4CA196A48B607DAA595D
    Also, since the primary node is the Root CA, you should export the certificate and the private key and import it to your secondary Admin node. This will enable the secondary node to be promoted to a Root CA in case of a failure of the primary admin node:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_01000.html#concept_435C4E3FF56949B1B4D5A0C73671AB22
    I hope this helps!
    Thank you for rating helpful posts!

  • ISE 1.1.1 to ISE 1.2 upgrade path for ISE node

    Hi,
    Currently in our ISE deployment we have 2 ISE nodes with version 1.1.1.268 with the latest patch.
    The ISE nodes hold the following personas:
    Node 1: Admin, Monitoring, PSN
    Node 2: PSN
    How should the above deployment be upgraded to 1.2?
    In which order should they be upgraded? Is there any supporting doc covering the above deployment for the ISE 1.2 upgrade?

    Kindly check the following links for references
    http://www.cisco.com/en/US/docs/security/ise/1.2/release_notes/ise12_rn.pdf
    http://www.cisco.com/en/US/docs/security/ise/1.2/upgrade_guide/b_ise_upgrade_guide_chapter_01.pdf
    https://www.cisco.com/en/US/docs/security/ise/1.2/open_source_license/Cisco_Identity_Services_Engine_1.2_Open_Source_Documentation.pdf

  • ISE Guest deployment

    Hi
    I'm setting up an ISE (1.3) in distributed deployment with a primary and secondary node.
    Both nodes are running admin and PSN role.
    The 2 nodes are up and running and synchronised, and now I want to set up a CWA guest solution.
    So my question is:
    In case I need to do a failover to the secondary node, how do we need to do the DNS registration of the portal URL?
    Do I have to have a unique URL for each ISE, or do I need to set up the DNS pointing to both of the IP addresses that are set up on the interface of the ISE that is used for the guest portal?
    And also a separate public cert on each ISE pointing to the CN?
    Hope my question was understandable :)

    Redundancy for the sponsor portal falls into two categories: with load balancers and without load balancers. In both two-node environments and those with more than two nodes, the design is the same.
    With network load balancers you simply create a VIP for port 8443 and use the PSNs as member servers. Then simply point the DNS hostname that is configured in the sponsor portal to the VIP.
    The other options are DNS based. You can simply have two A records for sponsor.example.com and DNS will naturally round robin between the records. The last option is to use a DNS load balancer to accomplish the same task as the round robin, but with more control over which record is used when.
    As for the cert, the recommendation when using load balancers is to have a shared cert on all of your PSNs. The cert should contain both the FQDN of the sponsor portal and the hostnames of all of your PSNs if you are planning on using the same cert for EAP and not just HTTPS.
    Here is the documentation on how to use F5 BIG-IP load balancers:
    http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-95-Cisco_and_F5_Deployment_Guide-ISE_Load_Balancing_Using_BIG-IP.pdf

  • ISE HA Deployment prerequisite issue.

    I encountered this HA node deployment issue. Actually, I finished this feature in an environment with CA and DNS. However, can I finish ISE's HA deployment without CA and DNS?
    When adding the second ISE node to the first one, I filled the blank with the second ISE's server IP address, and the system notification indicated: Unable to authenticate xxx. Please check server and CA certificate configuration and try again.
    After that notification, I deployed the CA and DNS server. I also signed the certificate and installed the root CA for both ISE nodes, and the DNS records were also done. After that, I filled the blank with the second ISE's FQDN and administration account. It completed successfully.
    So if my environment doesn't have CA and DNS, does that mean I can't finish ISE's HA function?
    Any help or suggestion will be appreciated!

    Hi,
    You cannot do an ISE HA deployment without CA and DNS.
    DNS :  When you upgrade a complete Cisco ISE deployment, Domain Name System (DNS) server resolution is mandatory; otherwise the upgrade will fail.
    CA :  During the split deployment upgrade, before you register the nodes to the new primary Administration node, you must do the following:
    -If you use self-signed certificate, you must import the self-signed certificate of all nodes to your new primary Administration node.
    -If you use different CA certificates for the nodes, you must import all the CA certificates into the new primary Administration node.
    -If you use the same CA certificate for the nodes, you must import that CA certificate into the new primary Administration node.

  • BI server is not starting when deploying upgraded RPD

    Hi,
    I am new to OBIEE 11g. In my project I have an existing 10g rpd. I upgraded it to 11g .5 version. I restarted all the services. When I deploy the upgraded RPD, the BI server goes down. But if I deploy SampleAppLite.rpd (Oracle provided), all services start. Only for my rpd does the BI server go down.
    I am not sure where the problem could be.
    Please help.
    Thanks,
    Smita

    Hi,
    This is a behaviour change when we move from 10g to 11g. In BI EE 10g, there was no Oracle Client bundled along with BI EE. So, BI EE will use your Oracle DB Home client to connect to the database. Generally no issues in that case. But in BI EE 11g, the software itself contains the 11.2 DB client. So, when you try to connect to the database through the Repository or BI Server, it will try to find the tnsnames entry in the Oracle Client of BI EE 11g instead of your database. There are 2 options to work around this
    1. Copy your tnsnames.ora to {Oracle_BI1}\network\admin directory & {oracle_common}\network\admin directory (only the former is needed as that is the ORACLE_HOME)
    2. Or instead of tnsnames.ora source entry, use the full expanded tnsnames as shown below
    (DESCRIPTION =(ADDRESS = (PROTOCOL = TCP)(HOST = 172.16.66.173)(PORT = 1521))(CONNECT_DATA =(SERVER = DEDICATED)(SERVICE_NAME = orcl)))
    Both of the above will work.
    For More info:
    Cannot connect to Database from the OBIEE 11g upgraded RPD

  • ISE 1.3 Upgrade fails

    Hi All
    I did upgrades from 1.2.1.198 to 1.3. With one box (SNS-3495-K9) out of four I have a problem.
    I've tried it many times, I even made it to a standalone and did an application reset-config ise to initialize the box prior updating, but it always fails at step 40.
    - Data upgrade step 40/67, CertMgmtUpgradeService(1.3.0.616)... % Error: ISE Global data upgrade failed!
    Rolling back the configuration database...
    Starting application after rollback...
    % Error: The node has been reverted back to its pre-upgrade state.
    % Application install or upgrade cancelled.
    Any Idea ?
    Thanks Thomas

    Upgrade Failures
    During upgrade, the configuration database schema and data upgrade failures are rolled back automatically. Your appliance would return to the last known good state. If this is encountered, the following message appears on the console and in the logs:
    % Warning: The node has been reverted back to its pre-upgrade state.
    error: %post(CSCOcpm-os-1.2.0-899.i386) scriptlet failed, exit status 1
    % Application upgrade failed. Please check logs for more details or contact Cisco Technical Assistance Center for support.
    In case of upgrade failures, before you try to upgrade again:
    -Analyze the logs. Check the application bundle for errors.
    -Identify and resolve the problem by submitting the application bundle that you generated to the Cisco Technical Assistance Center (TAC).

  • Upgrading to ISE 1.3 error ISE Global data upgrade failed!

    HI,
    Has anyone come across this issue? when upgrading, it seems to start all well but then this happens:
    - Data upgrade step 40/67, CertMgmtUpgradeService(1.3.0.616)... % Error: ISE Global data upgrade failed!
    Rolling back the configuration database...
    Starting application after rollback...
    % Error: The node has been reverted back to its pre-upgrade state.
    % Application install or upgrade cancelled.
    I've also upgraded it to the latest patch and tried again but to no avail. This is an appliance (3415) that came shipped with 1.2. It's not been configured other than the initial cli wizard. I've upgraded a fair few appliances but I haven't seen this issue come up before. Any thoughts? 
    Thanks in advance for any info...

    If this is a test setup then you can do a fresh ISE install. Back up the existing config and restore it to 1.3. If it's production then contact TAC.

  • ISE Profiling Deployment

    We are starting an ISE deployment to segregate mobile devices (iPhones and iPads, initially) from corporate notebooks. We have a single SSID and two separate VLANs, one for mobile devices and another for corporate notebooks, assigned by ISE. We successfully set up profiling in a lab environment, with a few devices, but when we put it in production we had problems with devices not being profiled correctly. Since devices are not profiled, their access is denied. Since devices are denied, they cannot be profiled because ISE doesn't see any traffic (DHCP, HTTP) from clients.
    What strategy are you using to deploy ISE profiling? Must I put ISE to listen our network for some time before segregating access?

    Hi
    I've had the same problem with first time users being denied, that's due to ise not being able to profile before it denies.
    I think they should come up with something that will profile devices then continue the authentication process.
    Someone mentioned doing a re-auth for couple of seconds. (see attached pic how the authorization rule looks like), that could save you from people being denied for the first time, but if your device is never being profiled then it will just spin there all the time re-authenticating.
    What you could do is also setup an unrouted VLAN and all the unknown devices stay there until profiled.
    I've talked to Cisco and they recommended the same thing, so I guess that's it for now.
    What we have done before deploying ISE, and it worked pretty well, is that I forwarded all DHCP traffic to ISE before deploying ISE at that particular site, so DHCP forwarding ran for a few days and I already had their devices in my database, and when I deployed it, it worked pretty neatly.
    By forwarding all dhcp requests I mean:
    We have Active Directory and DHCP servers centrally located, so in the router config I've added helper address to ISE ip address and that's it
    Now WLC 7.3 has DHCP PROFILING and HTTP PROFILING options.
    Http profiling sends first https packets to ISE and capturing USER-Agent string, that helps if you browse with safari, but if you use any other application that uses http traffic it will end up totally wrong.
    example you connect with your iphone to wifi and open up VIBER, ISE will capture viber_blabla_smth as user agent and will not profile accurately.
    Hope it helps

  • Upgrading a distributed deployment to ise 1.2, licensing

    The current deployment is 5 nodes (2 adm, 1 mon, 2 psn).
    What the docs report is:
    You do not have to manually deregister the node before an upgrade. Use the application upgrade command to upgrade nodes to Release 1.2. The upgrade process deregisters the node automatically and moves it to the new deployment. If you manually deregister the node before an upgrade, ensure that you have the license file for the Primary Administration node before beginning the upgrade process. If you do not have the file on hand (if your license was installed by a Cisco partner vendor, for example), contact the Cisco Technical Assistance Center for assistance.
    We have a 10k base licence + 100 advanced (only pri adm registered).
    The deployment is 1 year old.
    What happens after the secondary admin node has been upgraded to 1.2?
    Will it be accessible via GUI? Will it have a new grace period licence? Will it use the other admin node's licence?
    I ask this because during the upgrade we will need to check the "new" 1.2 admin status to proceed with the other nodes...
    thank you

    For distributed deployments, the upgrade process follows a Split Deployment model. After you upgrade the secondary Administration node to the new release, Cisco ISE creates a new deployment. The secondary Administration node from the old deployment becomes the primary Administration node in the new deployment. When you upgrade the rest of the nodes in the old deployment, they join the new deployment.
    When you upgrade the secondary Administration node from the old deployment, it saves the old deployment configuration and also notifies the primary Administration node of the upgrade. The primary Administration node in the old deployment notifies the other nodes about the upgrade. After upgrade, the nodes from the old deployment join the primary Administration node in the new deployment. The upgrade process retains licenses and certificates. You do not have to reinstall or reimport them. Cisco ISE, Release 1.2, supports license files with two-node unique device identifiers (UDIs). You can request for a new license with the UDI of both the primary and secondary Administration nodes. See the Cisco Identity Services Engine Hardware Installation Guide for details.
    http://www.cisco.com/en/US/docs/security/ise/1.2/upgrade_guide/b_ise_upgrade_guide_chapter_01.html
