Re: ISE Personas Internet Access

orkhan.rustamli.96 · ‎01-30-2019

Hello everyone,

I have distributed deployment of ISE with 2 PAN (Active-Standby) and 2 PSN. I have couple of but quite easy questions about internet access of ISE nodes.

1)Do PAN nodes have to have constant Internet access? I think it must because of smart license.

2)Do PSN nodes have to have Internet access? I predict no because as i know they take license information from PAN

Thanks in advance!

Damien Miller · ‎01-30-2019

Beyond smart licensing, ISE also uses internet access on the PAN for the posture feed, and the profiler feed. These are identified on the older ISE port map documentation located here.
https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/installation_guide/b_ise_InstallationGuide20/Cisco_SNS_3400_Series_Appliance_Ports_Reference.html

You can sign up for offline feed updates at this site, http://ise.cisco.com/partner. As for smart licensing, ISE can still use traditional PAK's which lets you avoid smart licensing on it. You can potentially run without internet access but it involves manual updates.

orkhan.rustamli.96 · ‎01-30-2019

Thank you, for your quick response. However, with PSNs, they do not require any Internet Access.

Damien Miller · ‎01-30-2019

No internet access is needed for a dedicated psn mode.

orkhan.rustamli.96 · ‎01-30-2019

Sorry, but, i did not understand your answer. In my case, I have 2 dedicated PSN nodes. So do they require internet? If yes why?

ldanny · ‎01-30-2019

Just to clarify ,

There are a couple of types of models for licensing.

One is traditional licensing using PAK file which would not need Internet access to manage.

The other model is smart licensing where you would have a Cisco account to monitor the type of licenses you have purchased , in this case you would need Internet Access.

Heres a document explaining the models as well as pros and cons.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_0110.pdf

"Licenses are uploaded to the Primary PAN and propagated to the other Cisco ISE nodes in the cluster. Licenses are centrally managed by the PAN. If you have two PANs deployed in a high-availability pair, obtain a license based on the hardware IDs (UIDs) of both the Primary and Secondary PANs. After you obtain the license, add it only to the Primary PAN. The license gets replicated to the Secondary PAN".

orkhan.rustamli.96 · ‎01-31-2019

Thank you, for your response. I am using Smart Licensing so therefore i have opened internet access for license and feeds. What i got from your answer that i am right on my opinion for PSN nodes. Becuase they get everything replciated from PAN nodes they do not need Internet access at all. Am i right?

ldanny · ‎01-31-2019

Yes that is correct , only your PAN would need Internet access for smart licensing.

Arne Bier · ‎01-31-2019

Hi @orkhan.rustamli.96

I think the responses so far have covered everything - but I wanted to add from my own experience one case where the PSN's do have to have internet access - it might not be immediately obvious - but it's when you have a Guest Sponsor portal and you wish to send SMS's to the guest account holders. The SMS is initated from the PSN nodes (e.g. https or REST API call). This might be a corner case, but it's one instance where I had to have the PSN be able to route to the internet.

cheers