<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: ISE (SNS-3695) Cluster on-boarding steps in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/ise-sns-3695-cluster-on-boarding-steps/m-p/4610522#M574805</link>
    <description>&lt;P&gt;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/17232"&gt;@Marcelo Morais&lt;/a&gt;&amp;nbsp;- regarding the comment "&lt;SPAN&gt;Note: in&amp;nbsp;&lt;/SPAN&gt;&lt;STRONG&gt;Cisco ISE Release 3.1&lt;/STRONG&gt;&lt;SPAN&gt;,&amp;nbsp;&lt;/SPAN&gt;&lt;STRONG&gt;EAP-TLS Authentication&lt;/STRONG&gt;&lt;SPAN&gt;&amp;nbsp;might fail for certificates using&amp;nbsp;&lt;/SPAN&gt;&lt;STRONG&gt;TPM module&lt;/STRONG&gt;&lt;SPAN&gt;&amp;nbsp;on&amp;nbsp;&lt;/SPAN&gt;&lt;STRONG&gt;Windows 10&lt;/STRONG&gt;&lt;SPAN&gt;. This is an issue with the&amp;nbsp;&lt;/SPAN&gt;&lt;STRONG&gt;TPM module&lt;/STRONG&gt;&lt;SPAN&gt;&amp;nbsp;and not with&amp;nbsp;&lt;/SPAN&gt;&lt;STRONG&gt;Cisco ISE&lt;/STRONG&gt;&lt;SPAN&gt;." - how is this ISE 3.1 specific? Do you have a bug ID or some other links for this issue?&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;thanks&lt;/SPAN&gt;&lt;/P&gt;</description>
    <pubDate>Mon, 16 May 2022 01:38:01 GMT</pubDate>
    <dc:creator>Arne Bier</dc:creator>
    <dc:date>2022-05-16T01:38:01Z</dc:date>
    <item>
      <title>ISE (SNS-3695) Cluster on-boarding steps</title>
      <link>https://community.cisco.com/t5/network-access-control/ise-sns-3695-cluster-on-boarding-steps/m-p/4610176#M574785</link>
      <description>&lt;P&gt;Can you please assist to provide high-level SNS-3695 appliance onboarding steps? I got ISE 3.0 shipped along with appliances.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;I want to understand the sequential steps to be followed. I randomly put a few steps below, and I request your guidance and a few reference guides, and sequential order of approach to onboard these nodes. &lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;1. ISE 3.0 Patch install &lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;2. Migrate from 3.0 to 3.1 (unable to see existing patch version running on new nodes) &lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;3. License Migration from 2.X to 3.X - Can both ISE 2.x and 3.X nodes consume ISE smart licenses? &lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;4. ISE node registration cert, migrate from self-signed to Public PKI cert &lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;5. Create EAP and other Portal PKI cert &lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Sat, 14 May 2022 12:29:42 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ise-sns-3695-cluster-on-boarding-steps/m-p/4610176#M574785</guid>
      <dc:creator>Anilvnair</dc:creator>
      <dc:date>2022-05-14T12:29:42Z</dc:date>
    </item>
    <item>
      <title>Re: ISE (SNS-3695) Cluster on-boarding steps</title>
      <link>https://community.cisco.com/t5/network-access-control/ise-sns-3695-cluster-on-boarding-steps/m-p/4610217#M574786</link>
      <description>&lt;P&gt;Start here:&amp;nbsp;&lt;A href="https://community.cisco.com/t5/security-documents/cisco-ise-amp-nac-resources/ta-p/3621621#Software" target="_blank"&gt;Cisco ISE &amp;amp; NAC Resources - Cisco Community&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Specifically with the admin and installation guides.&amp;nbsp; Step 1 should also be to re-image the 3695s with the 3.1 ISO as 3.1 is now the suggested release.&amp;nbsp;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Yes multiple ISE deployments can consume from the same Smart Account / Virtual Account.&amp;nbsp;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Sat, 14 May 2022 15:58:06 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ise-sns-3695-cluster-on-boarding-steps/m-p/4610217#M574786</guid>
      <dc:creator>ahollifield</dc:creator>
      <dc:date>2022-05-14T15:58:06Z</dc:date>
    </item>
    <item>
      <title>Re: ISE (SNS-3695) Cluster on-boarding steps</title>
      <link>https://community.cisco.com/t5/network-access-control/ise-sns-3695-cluster-on-boarding-steps/m-p/4610236#M574789</link>
      <description>&lt;P&gt;Definitely use the link provided by&amp;nbsp;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/199513"&gt;@ahollifield&lt;/a&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;3. License Migration from 2.X to 3.X - Can both ISE 2.x and 3.X nodes consume ISE smart licenses?&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;-Yes. Note that the license model between 2.x and 3.x has changed.&amp;nbsp; Any 2.x model type licenses will require TAC to migrate.&amp;nbsp; Have a peek here:&amp;nbsp;&lt;A href="https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/ise-licensing-migration-guide-og.html" target="_blank"&gt;https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/ise-licensing-migration-guide-og.html&lt;/A&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Sat, 14 May 2022 16:55:53 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ise-sns-3695-cluster-on-boarding-steps/m-p/4610236#M574789</guid>
      <dc:creator>Mike.Cifelli</dc:creator>
      <dc:date>2022-05-14T16:55:53Z</dc:date>
    </item>
    <item>
      <title>Re: ISE (SNS-3695) Cluster on-boarding steps</title>
      <link>https://community.cisco.com/t5/network-access-control/ise-sns-3695-cluster-on-boarding-steps/m-p/4610268#M574790</link>
      <description>&lt;P class="lia-align-justify"&gt;Hi&amp;nbsp;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/425519"&gt;@Anilvnair&lt;/a&gt;&amp;nbsp;,&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;&amp;nbsp;I would like to add the following points:&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;. &lt;STRONG&gt;ISE 3.1&lt;/STRONG&gt; is the &lt;STRONG&gt;Suggested Release:&lt;/STRONG&gt;&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;a. &lt;STRONG&gt;Patch 3&lt;/STRONG&gt; is the latest patch, but very new: &lt;STRONG&gt;May 2nd&lt;/STRONG&gt;&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;b. &lt;STRONG&gt;Patch 2&lt;/STRONG&gt; is a &lt;STRONG&gt;Deferred Release&lt;/STRONG&gt;&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;c. &lt;STRONG&gt;Patch 1&lt;/STRONG&gt; (&lt;STRONG&gt;Dec 7th&lt;/STRONG&gt;), you also need to install the &lt;STRONG&gt;LOG4J2-FIX-3.1PATCH1&lt;/STRONG&gt;&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;Note: in &lt;STRONG&gt;Cisco ISE Release 3.1&lt;/STRONG&gt;, &lt;STRONG&gt;EAP-TLS Authentication&lt;/STRONG&gt; might fail for certificates using &lt;STRONG&gt;TPM module&lt;/STRONG&gt; on &lt;STRONG&gt;Windows 10&lt;/STRONG&gt;. This is an issue with the &lt;STRONG&gt;TPM module&lt;/STRONG&gt; and not with &lt;STRONG&gt;Cisco ISE&lt;/STRONG&gt;.&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;. &lt;STRONG&gt;ISE 3.0&lt;/STRONG&gt;&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;a. &lt;STRONG&gt;Patch 5&lt;/STRONG&gt; is the latest patch (&lt;STRONG&gt;Jan 31st&lt;/STRONG&gt;), for this patch you &lt;U&gt;don't&lt;/U&gt; need to install the &lt;STRONG&gt;LOG4J2-FIX-2.4-3.0&lt;/STRONG&gt;&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;&amp;nbsp;&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;Hope this helps !!!&lt;/P&gt;</description>
      <pubDate>Sat, 14 May 2022 20:30:02 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ise-sns-3695-cluster-on-boarding-steps/m-p/4610268#M574790</guid>
      <dc:creator>Marcelo Morais</dc:creator>
      <dc:date>2022-05-14T20:30:02Z</dc:date>
    </item>
    <item>
      <title>Re: ISE (SNS-3695) Cluster on-boarding steps</title>
      <link>https://community.cisco.com/t5/network-access-control/ise-sns-3695-cluster-on-boarding-steps/m-p/4610522#M574805</link>
      <description>&lt;P&gt;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/17232"&gt;@Marcelo Morais&lt;/a&gt;&amp;nbsp;- regarding the comment "&lt;SPAN&gt;Note: in&amp;nbsp;&lt;/SPAN&gt;&lt;STRONG&gt;Cisco ISE Release 3.1&lt;/STRONG&gt;&lt;SPAN&gt;,&amp;nbsp;&lt;/SPAN&gt;&lt;STRONG&gt;EAP-TLS Authentication&lt;/STRONG&gt;&lt;SPAN&gt;&amp;nbsp;might fail for certificates using&amp;nbsp;&lt;/SPAN&gt;&lt;STRONG&gt;TPM module&lt;/STRONG&gt;&lt;SPAN&gt;&amp;nbsp;on&amp;nbsp;&lt;/SPAN&gt;&lt;STRONG&gt;Windows 10&lt;/STRONG&gt;&lt;SPAN&gt;. This is an issue with the&amp;nbsp;&lt;/SPAN&gt;&lt;STRONG&gt;TPM module&lt;/STRONG&gt;&lt;SPAN&gt;&amp;nbsp;and not with&amp;nbsp;&lt;/SPAN&gt;&lt;STRONG&gt;Cisco ISE&lt;/STRONG&gt;&lt;SPAN&gt;." - how is this ISE 3.1 specific? Do you have a bug ID or some other links for this issue?&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;thanks&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Mon, 16 May 2022 01:38:01 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ise-sns-3695-cluster-on-boarding-steps/m-p/4610522#M574805</guid>
      <dc:creator>Arne Bier</dc:creator>
      <dc:date>2022-05-16T01:38:01Z</dc:date>
    </item>
    <item>
      <title>Re: ISE (SNS-3695) Cluster on-boarding steps</title>
      <link>https://community.cisco.com/t5/network-access-control/ise-sns-3695-cluster-on-boarding-steps/m-p/4610531#M574808</link>
      <description>&lt;P class="lia-align-justify"&gt;Hi&amp;nbsp;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/158532"&gt;@Arne Bier&lt;/a&gt;&amp;nbsp;,&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;&amp;nbsp;please take a look at &lt;A href="https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/release_notes/b_ise_31_RN.html" target="_blank" rel="noopener"&gt;ISE 3.1 Release Notes&lt;/A&gt;, search for&amp;nbsp;&lt;STRONG&gt;EAP-TLS Authentication Might Fail for Certificates Using TPM Module&lt;/STRONG&gt;, and&amp;nbsp;&lt;A href="https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwb19635" target="_blank" rel="noopener"&gt;CSCwb19635&amp;nbsp;ISE 3.1 EAP-TLS authentications might fail with certificates installed in TPM module&lt;/A&gt;.&lt;BR /&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="TPM Module.png" style="width: 714px;"&gt;&lt;img src="https://community.cisco.com/t5/image/serverpage/image-id/151273iA8A975E095EB8D50/image-dimensions/714x526?v=v2" width="714" height="526" role="button" title="TPM Module.png" alt="TPM Module.png" /&gt;&lt;/span&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;Regards&lt;/P&gt;</description>
      <pubDate>Mon, 16 May 2022 01:58:26 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ise-sns-3695-cluster-on-boarding-steps/m-p/4610531#M574808</guid>
      <dc:creator>Marcelo Morais</dc:creator>
      <dc:date>2022-05-16T01:58:26Z</dc:date>
    </item>
    <item>
      <title>Re: ISE (SNS-3695) Cluster on-boarding steps</title>
      <link>https://community.cisco.com/t5/network-access-control/ise-sns-3695-cluster-on-boarding-steps/m-p/4610566#M574810</link>
      <description>&lt;P&gt;thanks&amp;nbsp;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/17232"&gt;@Marcelo Morais&lt;/a&gt;&amp;nbsp; - charming, isn't it? As if 802.1X wasn't tricky enough &lt;span class="lia-unicode-emoji" title=":grinning_face_with_smiling_eyes:"&gt;😄&lt;/span&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I am not sure why this is listed under ISE 3.1 only - does that mean it was only found by a customer running ISE 3.1, and would not affect other ISE implementations?&amp;nbsp; The way I read that Release Note, it sounds very much 3.1 specific. Or did I miss something?&lt;/P&gt;</description>
      <pubDate>Mon, 16 May 2022 04:08:34 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ise-sns-3695-cluster-on-boarding-steps/m-p/4610566#M574810</guid>
      <dc:creator>Arne Bier</dc:creator>
      <dc:date>2022-05-16T04:08:34Z</dc:date>
    </item>
    <item>
      <title>Re: ISE (SNS-3695) Cluster on-boarding steps</title>
      <link>https://community.cisco.com/t5/network-access-control/ise-sns-3695-cluster-on-boarding-steps/m-p/4610800#M574813</link>
      <description>&lt;P class="lia-align-justify"&gt;Hi&amp;nbsp;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/158532"&gt;@Arne Bier&lt;/a&gt;&amp;nbsp;,&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;&amp;nbsp;I agree with you, not only does it look &lt;STRONG&gt;3.1 specific&lt;/STRONG&gt; in the &lt;A href="https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/release_notes/b_ise_31_RN.html" target="_blank" rel="noopener"&gt;ISE 3.1 Release Notes&lt;/A&gt;, but also in the&amp;nbsp;&lt;A href="https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwb19635" target="_blank" rel="noopener"&gt;CSCwb19635 Conditions description&lt;/A&gt;: "... &lt;STRONG&gt;ISE 3.1&lt;U&gt;+&lt;/U&gt;&lt;/STRONG&gt; ...".&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;&amp;nbsp;Please take a closer look at:&amp;nbsp;&lt;A href="https://docs.microsoft.com/en-us/answers/questions/467673/windows-10-tpm-20-client-authentication-in-tls-12.html" target="_blank" rel="noopener"&gt;Windows 10 TPM 2.0 Client Authentication in TLS 1.2 with RSA PSS making trouble&lt;/A&gt;.&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;"&lt;EM&gt; ...&amp;nbsp;By &lt;U&gt;disabling&lt;/U&gt; &lt;STRONG&gt;RSA PSS&lt;/STRONG&gt; on the &lt;STRONG&gt;Client&lt;/STRONG&gt;, the &lt;STRONG&gt;Client&lt;/STRONG&gt; &lt;U&gt;uses another cipher to sign the packet and then it works&lt;/U&gt;. ...&lt;/EM&gt; "&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;"&lt;EM&gt; ...Keep in mind that this is &lt;U&gt;only a workaround&lt;/U&gt; and should not be used as a final solution. We are actually &lt;U&gt;still working with&lt;/U&gt; &lt;STRONG&gt;Microsoft&lt;/STRONG&gt; on a solution. It's still &lt;U&gt;not 100% clear&lt;/U&gt; if it's the &lt;STRONG&gt;TPM&lt;/STRONG&gt; that is making the issue or if it is the &lt;STRONG&gt;OS&lt;/STRONG&gt;. ...&lt;/EM&gt; "&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;Maybe versions of &lt;STRONG&gt;ISE&lt;/STRONG&gt; &lt;U&gt;earlier than 3.1&lt;/U&gt; handle &lt;STRONG&gt;RSA PSS&lt;/STRONG&gt; differently than &lt;STRONG&gt;ISE 3.1&lt;/STRONG&gt;.&lt;/P&gt;</description>
      <pubDate>Mon, 16 May 2022 11:03:16 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ise-sns-3695-cluster-on-boarding-steps/m-p/4610800#M574813</guid>
      <dc:creator>Marcelo Morais</dc:creator>
      <dc:date>2022-05-16T11:03:16Z</dc:date>
    </item>
    <item>
      <title>Re: ISE (SNS-3695) Cluster on-boarding steps</title>
      <link>https://community.cisco.com/t5/network-access-control/ise-sns-3695-cluster-on-boarding-steps/m-p/4612355#M574847</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/158532"&gt;@Arne Bier&lt;/a&gt;&amp;nbsp;,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;take a look at the following post: &lt;A href="https://community.cisco.com/t5/network-access-control/tls-handshake-fail-ise-3-1/m-p/4608832#M574726" target="_blank" rel="noopener"&gt;TLS Handshake fail ISE 3.1&lt;/A&gt;.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;" ... Opened a &lt;STRONG&gt;TAC Case&lt;/STRONG&gt; and it seems that &lt;STRONG&gt;3.1&lt;/STRONG&gt; using a &lt;U&gt;different&lt;/U&gt; &lt;STRONG&gt;SSL library/version&lt;/STRONG&gt;. In &lt;STRONG&gt;Patch 4&lt;/STRONG&gt; which should arrive in &lt;STRONG&gt;October&lt;/STRONG&gt; you're able to choose the &lt;U&gt;different&lt;/U&gt;&amp;nbsp;&lt;STRONG&gt;Ciphers,&amp;nbsp;ISE&lt;/STRONG&gt; will use to negotiate with the &lt;STRONG&gt;Client&lt;/STRONG&gt; so you can &lt;U&gt;disable&lt;/U&gt; the &lt;STRONG&gt;RSA PSS&lt;/STRONG&gt; which causes this problems... "&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Regards&lt;/P&gt;</description>
      <pubDate>Wed, 18 May 2022 13:12:49 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ise-sns-3695-cluster-on-boarding-steps/m-p/4612355#M574847</guid>
      <dc:creator>Marcelo Morais</dc:creator>
      <dc:date>2022-05-18T13:12:49Z</dc:date>
    </item>
  </channel>
</rss>

