topic Re: Add 2 Separate Cisco ISE Deployment Configurations into a New Deployment in Network Access Control

Add 2 Separate Cisco ISE Deployment Configurations into a New Deployment

jj2048 — Sun, 12 Jul 2020 04:51:52 GMT

Objective:
- To combine configurations of two separate (2.3) ISE deployment into a (2.7) new deployment.
- To refresh the old deployments (2 existing deployment)

Overview:
There are two separate deployments, and the new deployment must have both of the configurations of the two separate deployments. Each deployment has a different domain services and internal certificates.

Configurations: Policies, Profiles, Network devices, User accounts and etc..

New Deployment: Located on 2 different sites, and will use new IP addresses and Hostnames, and latest versions.

Question(s):

1. Are there options to merge/add 2 different deployment configurations into the new deployment?
(Update*)A: No

2. Is it possible to make a 2 node deployment with different domain, but both nodes are reachable from the 2 DNS. (Will try this on lab for the meantime)
(Update*)A: Yes

Follow up Question(s):

3. Should I import the 2nd Site's Certificate chain as well on the Primary Node.

- I've noticed that after deploying it as Primary and secondary, the trusted certificates did not contain the ISEPAN-CORP02's trusted certificate chain I imported before it became as secondary.

4. Will this setup pose any problems in the future? (Two separate domained ISEPAN on each site deployed as Primary and Secondary)

Thank you.

Re: Add 2 Separate Cisco ISE Deployment Configurations into a New Deployment

hslai — Sat, 11 Jul 2020 21:41:20 GMT

1. Are there options to merge/add 2 different deployment configurations into the new deployment?

No. You need manually add the configurations from the 2nd to the 1st.

2. Is it possible to make a 2 node deployment with different domain, but both nodes are reachable from the 2 DNS. (Will try this on lab for the meantime)

This seems about two DNS domains. Yes, we may have multiple DNS domains. However, the DNS servers configured in ISE needs able to resolve both/all these DNS domains.

In case multiple MS AD domains, ISE may use one single AD join point if the AD domains have 2-way trusts. Else, ISE may use two AD join points and one for each AD domain. Still, the DNS servers configured in ISE need able to resolve both AD domains.

Re: Add 2 Separate Cisco ISE Deployment Configurations into a New Deployment

jj2048 — Sun, 12 Jul 2020 04:20:37 GMT

Hi, hslai.

Appreciate the response.

Question 1 is answered and I accept it.
Question 2 below is the environment I've set up on our lab.
A: Yes, we can deploy ISE as primary and secondary under two domains, as long as it is resolvable.

Environment:

2 Sites with 2 Different domains
Corporate 1 and Corporate 2
Both have two tier PKI and each of their ISE in the beginning as standalone has a certificate signed by each of corporate's SubCA respectively.
ISEPAN-CORP01 and ISEPAN-CORP02 both has dns of each site, and are resolvable either way.

Deployment:

I've imported each PAN their respective certificate chain on the trusted certificate.
I've successfully deployed the PANs as primary and secondary node under two different domains.

Follow up Question:

3. Should I import the 2nd Site's Certificate chain as well on the Primary Node.

- I've noticed that after deploying it as Primary and secondary, the trusted certificates did not contain the ISEPAN-CORP02's trusted certificate chain I imported before it became as secondary.

4. Will this setup pose any problems in the future? (Two separate domained ISEPAN on each site deployed as Primary and Secondary)
Thank you.