With Ali Mohammed
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about what’s new in Cisco Identity Services Engine (ISE) Version 1.2 and to understand the new features and enhanced troubleshooting options with Cisco expert Ali Mohammed.
Cisco ISE can be deployed as an appliance or virtual machine to enforce security policy on all devices that attempt to gain access to network infrastructure. ISE 1.2 provides feature enrichment in terms of mobile device management, BYOD enhancements, and so on. It also performs noise suppression in log collection so customers have greater ability to store and analyze logs for a longer period.
Ali Mohammed is an escalation engineer with the Security Access and Mobility Product Group (SAMPG), providing support to all Cisco NAC and Cisco ISE installed base. Ali works on complicated recreations of customer issues and helps customers in resolving configuration, deployment, setup, and integration issues involving Cisco NAC and Cisco ISE products. Ali works on enhancing tools available in ISE/NAC that are required to help troubleshoot the product setup in customer environments. Ali has six and a half years of experience at Cisco and is CCIE certified in security (number 24130).
Remember to use the rating system to let Ali know if you have received an adequate response.
Because of the volume expected during this event, Ali might not be able to answer each question. Remember that you can continue the conversation in the Security community's sub-community shortly after the event. This event lasts through September 6, 2013. Visit this forum often to view responses to your questions and the questions of other community members.
My question today is about the variation of deployment models for ISE and how to utilize ISE physical appliances (ISE & SNS) in a spread deployment, such as some nodes being physical and the rest virtual.
ISE has different personas which can be combined on an ISE node. For example, an Administration persona can be combined with a Monitoring persona on a node. So when I say an ISE node, it can be either an ISE appliance, an SNS-34x5 appliance, or a VM with similar specifications. Customers can choose any of the above three based on the scale of their deployment.
Let me take the example of a mid-sized deployment. We need 2 Administration personas (Active, Standby), 2 Monitoring personas (Active, Standby) and 3-4 Policy Service personas. We can implement this using a 6-node deployment like below:
1. SNS-3495 or a VM with similar specifications: Primary Administration persona and Secondary Monitoring persona
2. SNS-3495 or a VM with similar specifications: Secondary Administration persona and Primary Monitoring persona
3. 3-4 SNS-3915's or VMs with similar specifications: PSN persona
Please note that this is an example; the real deployment should take into account factors such as the number of endpoints, the amount of logs to be stored, etc.
Please refer to the document http://www.cisco.com/en/US/docs/security/ise/1.2/installation_guide/ise_deploy.html for a clear understanding.
How can administrators effectively troubleshoot issues in an ISE solution easily and save time? What are the different troubleshooting options available in 1.2?
ISE 1.2 has excellent troubleshooting in the Admin CLI.
There is no need to apply TAC troubleshooting via a root patch now in 1.2. Customers can see logs without applying a root patch.
Please play around with the admin CLI command "show logging application xxxx" with the "tail" and "include" options to get a feel for it.
Suppose you are troubleshooting a node-joining issue; you can issue the below command while adding a node:
"show logging application deployment.log tail"
Another example: if you are troubleshooting a repository/backup failure scenario:
"show logging system ade/ADE.log tail"
Troubleshooting a profiler issue:
"show logging application profiler.log tail"
Performance metrics can also be collected from the CLI using the "tech dumptcp/iostat/mpstat/netstat/top/vmstat" commands.
So you have many better tools in 1.2 that are useful for troubleshooting issues live over the SSH CLI.
Hope this helps.
How do you go about migrating from a NAC solution to an ISE solution when the existing NAC agent from the NAC solution is not supported on the ISE solution? Example: our existing NAC agent version is 4.9.3 and the only supported NAC agent on version 1.2 of ISE is 4.9.0.
Hello Rick Daoust,
Currently we are working on a common agent for both NAC and ISE solutions. Once this agent is available, customers should be able to upgrade their NAC agent and migrate to the ISE solution.
In the meanwhile, the administrator has to uninstall the NAC agents on the client machines before migration. This can be done either manually or using patch management utilities like SMS/Altiris, etc. Pushing GPO scripts is also an option.
Once the agent is uninstalled, the client can authenticate to ISE and download the new ISE agent from the client-provisioning URLs served by ISE to NADs like switches or WLCs.
The solutions provided, such as using a GPO or SMS software, aren't applicable in my environment. We are a community college with the majority of devices being student-owned notebooks which aren't managed by the IT Dept. Since the ISE server detects that the existing clients already have a NAC agent installed, should it not also be able to detect that this agent is a Clean Access NAC agent, uninstall the old Clean Access agent and install the new ISE NAC agent? Currently, all our returning students have the Clean Access NAC agent installed. If there is no way for Cisco to uninstall the Clean Access NAC agent and then install the new ISE NAC agent, or simply overwrite the existing Clean Access NAC agent with the ISE NAC agent, my ServiceDesk will be overwhelmed by returning students not able to gain access to the network. Also, I'm sure I'm not the only education client moving or thinking of moving from a Clean Access solution to an ISE solution. I believe Cisco should mention this caveat to its clients migrating from a Clean Access solution to an ISE solution.
We currently have a two-node deployment running 1.1.3, as depicted in the diagram:
After step 1 is done, node B becomes the new primary node.
What's the license impact at that stage, when the license is mainly tied to node A, the previous primary PAN?
Step 3 says to obtain a new license that's tied to both node A & node B, as if it's implying an issue would arise, if we leave node B as the primary PAN, instead of reverting back to node A.
When step 1 is completed, node B runs 1.2, while node A runs 1.1.3.
Do both nodes still function as PSN nodes, and can they service end users at that point (before we proceed to step 2)?
Both nodes are behind our ACE load balancer, and I'm trying to confirm the behavior during the upgrade, to determine when to take each node out of the load balancing serverfarm, to keep the service up and avoid an outage.
According to the upgrade guide, we're supposed to perform a config backup from PAN & MnT nodes.
Is the config backup used only when we need to rollback from 1.2 to 1.1.3, or can it be used to restore config on 1.2?
It also says to record customizations & alert settings because after the upgrade to 1.2, these settings would change, and we would need to re-configure them.
Is this correct? That's a lot of screenshots we'll need to take; is there any way to avoid this?
It says: "Disable services such as Guest, Profiler, Device Onboarding, and so on before upgrade and enable them after upgrade. Otherwise, you must add the guest users who are lost, and devices must be profiled and onboarded again."
Exactly how do you disable services? Disable all the authorization policies?
The 1.1 user guide says the maximum number of nodes in a node group was 4.
The 1.2 guide now says the maximum is 10.
Is there a hard limit on how many nodes can be in a node group?
We currently don't use a node group, due to the lack of multicast support on the ACE-20.
Is it a big deal not to have one?
Apologies for delay. Here are the responses:
1. There is no license impact at this stage. The doc needs to be corrected. The intention, though, is to make sure one re-promotes the Admin node back so that any future licenses are based on the existing node-A license.
2. Yes, both will run the PSN service. For load-balancing consistency, you can test the new PSN for authentications after the upgrade, and then mark the PSN running 1.1.3 as dead in the LB. You can reactivate it after the upgrade is completed.
3. The config backup is a database backup. We support restoring a 1.1.3 database on 1.2 images too. So this would be helpful in multiple ways in case the upgrade is not smooth.
Unfortunately, there is no alternative to recording the customization and alert settings. Apologies for that.
Disabling services is mentioned here in the context of not adding delta users/endpoints during the upgrade process. In order to do so, you might want to disable individual profiler/authorization policies and Guest authorization pages. But since we are already removing the old PSN (1.1.3) from the LB farm, this should suffice in terms of not adding any additional users/guests/endpoints in the interim.
4. 10 PSN nodes in a node group is a hard limit. Node groups are especially useful when there are in-process authentications and a PSN fails. The other PSNs in the node group will detect this failure and send CoA to the NAD devices so the client initiates re-authentication.
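A small planning check for the persona layout in the mid-sized example earlier in this thread and the node-group limit in point 4 above; this is an added example, not Cisco's code or anything posted in the thread. The rule that one node cannot hold both the Primary and the Secondary copy of the same persona is an assumption, and the node names are constructed.

```python
"""Checker for an ISE persona layout like the mid-sized example in the thread.
Added example, not Cisco's code. Rules encoded from the thread: one Primary
and one Secondary Administration persona, one Primary and one Secondary
Monitoring persona, at least one Policy Service node, and at most 10 PSNs in
a node group. The rule that a node cannot host both the Primary and the
Secondary copy of the same persona is an assumption. Node names are constructed."""
from collections import Counter

ADMIN, MNT, PSN = "Administration", "Monitoring", "Policy Service"
MAX_PSN_PER_NODE_GROUP = 10  # hard limit stated in the thread


def validate_deployment(nodes, node_groups=None):
    """nodes: {node_name: set of persona strings such as "Primary Administration"}.
    node_groups: {group_name: list of PSN node names}. Returns a list of
    problems; an empty list means the layout satisfies the rules above."""
    problems = []
    counts = Counter(p for personas in nodes.values() for p in personas)
    for persona in (ADMIN, MNT):
        for rank in ("Primary", "Secondary"):
            found = counts[f"{rank} {persona}"]
            if found != 1:
                problems.append(f"need exactly one {rank} {persona}, found {found}")
        # Assumed redundancy rule: active and standby copies live on different nodes.
        for name, personas in nodes.items():
            if {f"Primary {persona}", f"Secondary {persona}"} <= personas:
                problems.append(f"{name} holds both copies of {persona}")
    psns = {name for name, personas in nodes.items() if PSN in personas}
    if not psns:
        problems.append("no Policy Service node")
    for group, members in (node_groups or {}).items():
        if len(members) > MAX_PSN_PER_NODE_GROUP:
            problems.append(f"node group {group} has {len(members)} PSNs, "
                            f"limit is {MAX_PSN_PER_NODE_GROUP}")
        for member in members:
            if member not in psns:
                problems.append(f"{member} in node group {group} is not a PSN")
    return problems


# The six-node mid-sized layout from the thread (constructed node names).
MID_SIZED = {
    "sns3495-a": {f"Primary {ADMIN}", f"Secondary {MNT}"},
    "sns3495-b": {f"Secondary {ADMIN}", f"Primary {MNT}"},
    "psn-1": {PSN}, "psn-2": {PSN}, "psn-3": {PSN}, "psn-4": {PSN},
}

if __name__ == "__main__":
    print(validate_deployment(MID_SIZED, {"dc1": ["psn-1", "psn-2", "psn-3", "psn-4"]}))
```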
My issue is a bit complicated, as I currently have a pair of ISE 1.1.1 VMs, both running policy. One is the primary Admin, and one is the primary MnT. The issue is that upgrading to any new version is going to be very difficult. The original installer of these VMs only used a size of 200GB for storage. The recommendation is now 600GB. The only way to upgrade is to 100% rebuild my VMs, install 1.1.1, and then upgrade to a newer version (1.1.3, etc.).
I have two main concerns/problems:
1. This is a production environment, and authentications need to happen basically 24x7.
2. I don't know how to properly migrate my public & private certs for these two systems.
I would love to move off of 1.1.1, but right now, I don't know the easiest process to accomplish this.
Any advice/suggestion would be most appreciated.
I would suggest that you take a backup of your current database, including certs and any custom profiling policies, etc. (basically follow the release notes). Then reimage the box with the new release in an off-peak hour and restore your old database; ISE 1.2 can detect the older version of the DB and will upgrade it.
Doing this in a zero-downtime window is very difficult, as certificates are tied to the hostname/IP address of the nodes, and bringing up another pair of nodes with similar hostnames will create issues in the network.
Please propose a downtime, perform certificate/configuration backups, suspend the existing VMs, create new ISE 1.2 600GB VMs from the ISO, and import the certificates and configuration backup on the primary.
This should take care of it.
I completed the upgrade of our 5 ISE nodes yesterday and it's working OK apart from one thing. We have 1500 basic licenses and 250 advanced licenses, and the advanced licenses are normally no higher than 50-60, but since the upgrade the license usage has increased (as each node was upgraded) to 500-600 and it seems to be staying around there. The profiler activity graph indicates that the profiler is as busy as it used to be, so I guess something's stuck?