topic Re: Change clock in ISE without impacting existing device admin via TA in Network Security

Change clock in ISE without impacting existing device admin via TACACS

a.maldonado — Wed, 15 Sep 2021 09:01:21 GMT

My ISE cube is made up of two nodes. I just enabled device admin to manage a few switches/routers via TACACS and it is working as expected. However, I noticed the system clock in ISE is different to the one of the routers/switches and to that of the AD controller.

The AD controller is set up with a time zone of UTC and the clock is correct. The switches/routers is using BST and their clock is also correct. ISE has it as UTC but it is one hour behind. I thought it would be a matter of just adjusting the clock in ISE using the command clock set Sep 15 15:00:00 2021 but soon after I executed this command, I lost management access to the routers/switches via TACACS. Luckily, I did not save the configuration and rebooted ISE. When it came back up the clock went to be one hour behind again and I regained access to the NADs via TACACs.

How can I setup the clock in ISE to match that of AD and the NADs without losing management via TACACS to the existing NADs. I would also like to change the time zone in ISE from UTC to BST.

I need to solve this issue before I go ahead and configure the rest of our network devices estate to use TACACS.

Your help will be much appreciated.

Re: Change clock in ISE without impacting existing device admin via TA

balaji.bandi — Wed, 15 Sep 2021 09:08:09 GMT

First i would adviceto create a Local Account, and your AAA config should fall back to Local Admin, in case of ISE Fails - this is suggested approach always.

Seconds, changing NTP should not cause any issue as i am ware,. i would suggest to use NTP Server

If you like to change, change as below 😞 for BST)

#clock timezone GB

#ntp server x.x.x.x

# show ntp

Re: Change clock in ISE without impacting existing device admin via TA

Marvin Rhoads — Wed, 15 Sep 2021 09:13:57 GMT

Changing the timezone on an ISE server or deployment is generally not advised. It has been problematic and known to cause instability for the entire deployment. The suggested method is to rebuild new nodes with the correct desired timezone from scratch.

If your timezone is correct but reflecting the incorrect time then the suggested method is to use a valid NTP server.

Re: Change clock in ISE without impacting existing device admin via TA

Mohammed al Baqari — Wed, 15 Sep 2021 10:26:10 GMT

Hi,

Changing the timezone should not impact your TACACS access unless it went
out of sync with AD. Are you using LDAP or LDAPS with AD? For LDAPS,
changing clock might be a problem for certificate validation. That is the
only thing I can think of. Otherwise, it should be fine.

***** please remember to rate useful posts

Re: Change clock in ISE without impacting existing device admin via TA

a.maldonado — Thu, 16 Sep 2021 19:05:09 GMT

Hi Mohammed,

I am not sure if we are using LDAP or LDAPs I will find out tomorrow and get back to you.

Thank you for your reply.

Re: Change clock in ISE without impacting existing device admin via TA

a.maldonado — Thu, 16 Sep 2021 19:10:35 GMT

Hi Marvin,

The ISE cube was setup by a contractor a few months ago. The time zone is UTC and an hour and some minutes behind our AD and NADs.

I just started using it for device admin only and have a few NADs being managed via TACACS, so I guess it is going to cause problems I better d it now than later.

Thank you for your comments.

Re: Change clock in ISE without impacting existing device admin via TA

a.maldonado — Thu, 16 Sep 2021 19:15:37 GMT

I will try your suggestion Balaji tomorrow and let you know.

Will I need to use the clock command to setup the clock?

Re: Change clock in ISE without impacting existing device admin via TA

bbouchaiba — Thu, 16 Sep 2021 19:20:50 GMT

Hi,

Changing the clock will break AD as an external identity source if ISE is configured that way and will go out of sync. It happened to me.

Re: Change clock in ISE without impacting existing device admin via TA

a.maldonado — Sat, 18 Sep 2021 12:04:06 GMT

Balaji,

I was trying the commands you sent me but soon after changing the timezone I got prompted with the below messages.

% On ise distributed deployments, it is recommended all nodes be
% configured with the same time zone.
% Changing the time zone may result in undesired side effects
% Recommended to reimage the node after changing the time zone

Does anybody know if I need to remimage?

Re: Change clock in ISE without impacting existing device admin via TA

Marvin Rhoads — Sun, 19 Sep 2021 10:44:13 GMT

As I mentioned on my 9/15 reply, reimage is the strongly recommended approach. The problems that may arise due to changing the timezone manually will cause many hours of avoidable troubleshooting.

Re: Change clock in ISE without impacting existing device admin via TA

a.maldonado — Sun, 19 Sep 2021 15:22:02 GMT

Thank you Marvin,

So by reimaging the box will I have to snch it again with AD, add all the NDAs and configure the policies for network admin, etc.?

Re: Change clock in ISE without impacting existing device admin via TA

Marvin Rhoads — Mon, 20 Sep 2021 04:32:52 GMT

In a 2-node deployment you can re-image the nodes one at a time and then rejoin them.

Start with the Secondary PAN, reimage and join the deployment. Join the node to AD and once everything is synced and healthy, promote it to Primary. Then repeat for the other node.