https://community.cisco.com/t5/network-access-control/pxgrid-implementation/m-p/3578754#M540949 <HTML><HEAD></HEAD><BODY><P>When enabling pxGrid in a new ISE 2.0 deployment, should the distributed deployment be built out before enabling pxGrid on the desired nodes, or is it ok to enable it on the first node before joining the other nodes to the deployment and assigning roles?</P><P></P><P>Many thanks,</P><P>Andrew</P></BODY></HTML> Tue, 09 Feb 2016 18:33:51 GMT andrew333 2016-02-09T18:33:51Z https://community.cisco.com/t5/network-access-control/pxgrid-implementation/m-p/3578754#M540949 <HTML><HEAD></HEAD><BODY><P>When enabling pxGrid in a new ISE 2.0 deployment, should the distributed deployment be built out before enabling pxGrid on the desired nodes, or is it ok to enable it on the first node before joining the other nodes to the deployment and assigning roles?</P><P></P><P>Many thanks,</P><P>Andrew</P></BODY></HTML> Tue, 09 Feb 2016 18:33:51 GMT https://community.cisco.com/t5/network-access-control/pxgrid-implementation/m-p/3578754#M540949 andrew333 2016-02-09T18:33:51Z https://community.cisco.com/t5/network-access-control/pxgrid-implementation/m-p/3578755#M540954 <HTML><HEAD></HEAD><BODY><P>You can really do it in any order..</P><P></P><P>Basically, keep in mind, for pxGrid there are three roles:</P><OL><LI>Controller</LI><LI>Publisher</LI><LI>Subscriber</LI></OL><P>So what makes the most sense from an order of operations perspective would be to build out your entire ISE cube (deployment).&nbsp; Once all the nodes are joined &amp; assigned their normal persona (aka: role); then you can do the pxGrid certificates for each of the nodes that will participate.&nbsp; Once they're ready, enable the services on the respective nodes.</P><P></P><P>From a certificate perspective, it is usually best to use all pxGrid certificates from the same CA Root.&nbsp; It could be a company specific CA (like the one from MS) or even public roots.&nbsp; That way all pxGrid components (publishers, subscribers &amp; controller) are using certs that are signed &amp; trusted as part of the same PKI hierarchy.&nbsp; </P><P></P><P>This will also be part of my Cisco Live - Berlin session next week.</P><P></P><P>Aaron</P></BODY></HTML> Tue, 09 Feb 2016 19:20:59 GMT https://community.cisco.com/t5/network-access-control/pxgrid-implementation/m-p/3578755#M540954 Aaron Woland 2016-02-09T19:20:59Z https://community.cisco.com/t5/network-access-control/pxgrid-implementation/m-p/3578756#M540959 <HTML><HEAD></HEAD><BODY><P>Aaron,</P><P></P><P>Thanks for the quick response. My deployment will be three nodes for a geographically dispersed cube:</P><P>Node 1: PAN/Primary MnT/PSN/Primary pxGrid </P><P>Node 2: Secondary Admin &amp; MnT/PSN/Secondary pxGrid</P><P>Node 3: PSN.</P><P></P><P>Nodes 2 &amp; 3 are still in their boxes so I was wondering if it would be best to bring them up before enabling pxGrid. There is a strong desire for immediate StealthWatch integration. Thanks for your guidance.</P><P></P><P>I look forward to your Live Session (presuming it's available on ciscolive.com). </P><P></P><P>Regards,</P><P>Andrew</P></BODY></HTML> Tue, 09 Feb 2016 19:40:23 GMT https://community.cisco.com/t5/network-access-control/pxgrid-implementation/m-p/3578756#M540959 andrew333 2016-02-09T19:40:23Z https://community.cisco.com/t5/network-access-control/pxgrid-implementation/m-p/3578757#M540964 <HTML><HEAD></HEAD><BODY><P>Please be advised that pxgrid requires its own psn to run by itself on</P><P></P><P>Make sure you use deployment size of medium to support up to 5 standalone PSNs</P><P></P><P>Small deployment doesn't support splitting out psn</P><P></P><P>http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/installation_guide/b_ise_InstallationGuide20/Network_Deployments_in_Cisco_ISE.html</P><P></P><P>There are docs here about pxgrid</P><P></P><P>http://www.cisco.com/c/en/us/support/security/identity-services-engine/products-implementation-design-guides-list.html</P></BODY></HTML> Tue, 09 Feb 2016 20:41:40 GMT https://community.cisco.com/t5/network-access-control/pxgrid-implementation/m-p/3578757#M540964 Jason Kunst 2016-02-09T20:41:40Z