Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1775
Views
5
Helpful
2
Replies

ISE clustering and Wireless Setup (Beta BYOD)

MikeFulstow
Level 1
Level 1

‎10-15-2019 05:29 PM

 

I am building an ISE lab cluster for testing BYOD. This setup will mirror our production cluster.

 

The ISE deployment is 4 x Internal ISE servers (2 x PAN nodes PRI and SEC plus 2 x PSN nodes PRI and SEC) and 2 x DMZ ISE servers (PSN PRI and SEC). These are all ESXi VMS running version 2.4.0.357 with Patch 10 applied to overcome the AD null groups bug for the BYOD workflow. I have a couple of questions: firstly regarding the clustering and then one regarding the BYOD WorkFlow.

 

1. I have clustered and synched 5 nodes of the cluster - the sixth node is  DMZ PSN SEC instance - when I tried to register this initially I got the import certificate prompt and the cert is stored in the Trusted Cert repository, but the node will not register as the error message is that comms cannot be established to it. I am able to ping the hostname from the PRI PAN which proves DNS and reachability - I can also see logs for https traffic through our Checkpoint firewalls. I have tried rebuilding the node, with the same result. Is there anything that I should be aware of or checking for to get this node into the cluster?

 

2. Regarding the Wireless Setup (Beta). Given that we are using Internal WLCs for the WAPs that are publishing the BYOD ESSID, but the service is terminated on the DMZ WLC and ISE nodes (portal, etc) the WorkFlow only seems to allow a single WLC to be configured - is it possible to use the Wireless Setup tool for this network topology or does it have to be done manually?

0 Helpful
2 Replies 2

Mohammed al Baqari
Level 11
Level 11

‎10-15-2019 11:00 PM

For first question, here is the port requirements for node communications
(not only https). I usually avoid limiting the communication between nodes
by port.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/install_guide/b_ise_InstallationGuide24/b_ise_InstallationGuide24_chapter_0110.html

2nd question, the wireless wizard for one WLC. Other need to be done
manually.

MikeFulstow
Level 1
Level 1
In response to Mohammed al Baqari

‎10-16-2019 03:19 PM

Hi Mohammed,

 

Thank you for responding to my queries. I am now following the Prescriptive BYOD workflow guide to build the BYOD test lab.

 

Regarding the clustering there are two DMZ PSN nodes that are passing through the same firewall and one has joined the cluster successfully but the other will not register. Both of these nodes are in in the same firewall group object, so this won't be an issue.

 

Is there anything else that you can suggest? What are the limits on ISE distributed configurations?

 

Cheers,

Mike.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents