
ISE RSA integration

Asif Akash (Cisco Employee)

Greetings,

I am working on a multiple-node RSA server integration issue. There are 6 nodes in the deployment: 2x admin nodes, 2x monitoring nodes and 2x PSN nodes. None of the nodes has any other persona enabled, meaning a monitoring node is a pure monitoring node and does not have either the Admin or the PSN persona enabled. (Please see attached.)

During the integration process I found that the RSA config file (sdconf.rec) is getting propagated to all nodes in the deployment. However, under the "RSA Instance Files" option the monitoring nodes are not showing as added nodes. (Please see attached.)

According to the documentation:

"RSA Agent Authentication Against the RSA SecurID Server

After the sdconf.rec file is installed on all Cisco ISE servers, the RSA agent module initializes, and authentication with RSA-generated credentials proceeds on each of the Cisco ISE servers. After the agent on each of the Cisco ISE servers in a deployment has successfully authenticated, the RSA server and the agent module together download the securid file. This file resides in the Cisco ISE file system and is in a well-known place defined by the RSA agent."

https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_01101.html#ID1516

Notice that the documentation says each node is integrated. Neither the lab nor the customer's deployment can see the monitoring nodes as integrated under the "RSA Instance Files" option. Hence it is making resetting of the option or updating the configuration file difficult.

Please let me know if this is a defect or a limitation that a monitoring node (since it does not have session management capability) cannot be integrated with RSA.

 

1 Accepted Solution

I would suggest to go ahead and log a bug. I found an internal bug in ISE 1.0/1.1 to remove inline posture nodes from the list and, consequently, limit the listing to admin and PSN nodes only.

5 Replies

howon (Cisco Employee)

MnT does not need to integrate with RSA as it doesn't process the authentication. Are you having issues with authenticating users, or is this just needed for clarification of the document?

Hi HoWon,

Essentially the initial integration works with the MnT nodes; it's after the initial integration that the MnT nodes do not show up under "RSA Instance Files".

We know that the AD join point process can integrate the MnT nodes and allows access to the GUI using AD credentials on the other secondary nodes.

The customer's intention is to use the RSA server for GUI login access. Not having MnT in the "RSA Instance Files" option is making login to the MnT nodes difficult.

With regards to the documentation, it does say "each node" will be integrated.

Please feel free to reply in case you need any clarification.

OK, so you want to use RSA for admin login to all the nodes, and the MnT nodes are not working as expected while Admin & PSN work? I suggest temporarily adding the PSN persona to the MnT node to see if you can get the files to show up. Once the file is shown, remove the PSN persona from MnT. Whether the workaround works or not, it looks to be a defect; I suggest working with TAC so it can be looked into.

Hi HoWon,
Thanks for the reply. I will test that and let you know.
