Add 2 Separate Cisco ISE Deployment Configurations into a New Deployment

jj2048
Level 1

Objective:
- To combine the configurations of two separate ISE (2.3) deployments into a new (2.7) deployment.
- To refresh the old deployments (2 existing deployments).

Overview:
There are two separate deployments, and the new deployment must contain the configurations of both. Each deployment has different domain services and internal certificates.

Configurations: policies, profiles, network devices, user accounts, etc.

New Deployment: Located on 2 different sites; it will use new IP addresses and hostnames, and the latest version.

Question(s):

1. Are there options to merge/add 2 different deployment configurations into the new deployment?
(Update*)A: No

2. Is it possible to make a 2-node deployment with different domains, but both nodes are reachable from the 2 DNS? (Will try this in the lab in the meantime.)
(Update*)A: Yes

Follow up Question(s):

3. Should I import the 2nd site's certificate chain on the primary node as well?

- I've noticed that after deploying them as primary and secondary, the trusted certificates did not contain ISEPAN-CORP02's trusted certificate chain that I had imported before it became the secondary.

4. Will this setup pose any problems in the future? (Two ISEPANs in separate domains, one on each site, deployed as primary and secondary.)

Thank you.

Accepted Solutions

hslai
Cisco Employee

1. Are there options to merge/add 2 different deployment configurations into the new deployment?

No. You need to manually add the configurations from the 2nd to the 1st.

2. Is it possible to make a 2-node deployment with different domains, but both nodes are reachable from the 2 DNS? (Will try this in the lab in the meantime.)

This seems to be about two DNS domains. Yes, we may have multiple DNS domains. However, the DNS servers configured in ISE need to be able to resolve both/all of these DNS domains.

In the case of multiple MS AD domains, ISE may use a single AD join point if the AD domains have a 2-way trust. Otherwise, ISE may use two AD join points, one for each AD domain. Still, the DNS servers configured in ISE need to be able to resolve both AD domains.

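Since there is no merge feature, the practical task behind the accepted answer is re-creating the second deployment's objects on the first, and the part that bites is collisions between two configurations that never shared a namespace. The following is an added example, not code from this thread or from Cisco: it combines two constructed network-device exports, renames duplicate device names, reports overlapping IP ranges (which decide which device, and therefore which shared secret, a RADIUS request matches), and shapes each result as an ERS NetworkDevice body. The device data, site names and the ERS field names are assumptions; check the payload against the ERS SDK page of the target ISE version before using it.

```python
"""Combine the network-device inventories of two ISE deployments into one.

Added example, not code from the original thread or from Cisco. ISE has no
merge feature, so every object is re-created on the new deployment by hand
or through the ERS API. The collision check is the part that is easy to
skip: two deployments that never shared a namespace can reuse a device
name, or register overlapping address ranges with different shared secrets.

The two inventories are constructed sample data; the ERS NetworkDevice
payload shape is from memory and must be verified against the ERS SDK page
of the target ISE version.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample export from deployment CORP01.
CORP01 = [
    {"name": "SW-CORE-01", "ip": "10.1.0.1/32", "shared_secret": "c1-secret", "site": "CORP01"},
    {"name": "WLC-01", "ip": "10.1.0.0/24", "shared_secret": "c1-secret", "site": "CORP01"},
]
# Constructed sample export from deployment CORP02: one name collision with
# CORP01 and one range that overlaps CORP01's WLC-01 /24.
CORP02 = [
    {"name": "SW-CORE-01", "ip": "10.2.0.1/32", "shared_secret": "c2-secret", "site": "CORP02"},
    {"name": "WLC-02", "ip": "10.1.0.0/25", "shared_secret": "c2-secret", "site": "CORP02"},
    {"name": "SW-ACCESS-07", "ip": "10.2.7.1/32", "shared_secret": "c2-secret", "site": "CORP02"},
]


def merge_network_devices(first: List[Dict], second: List[Dict]) -> Tuple[List[Dict], List[Tuple]]:
    """Return (merged, conflicts) without mutating the inputs.

    Devices from `second` whose name already exists are renamed with their
    site as a suffix so both can be created. Overlapping IP ranges are only
    reported: which device a RADIUS request matches, and so which shared
    secret ISE expects, depends on the range, so an overlap needs a decision.
    """
    merged = [dict(d) for d in first]
    conflicts: List[Tuple] = []
    names = {d["name"] for d in first}
    ranges = [(d["name"], ipaddress.ip_network(d["ip"])) for d in first]
    for dev in second:
        dev = dict(dev)
        net = ipaddress.ip_network(dev["ip"])
        for other_name, other_net in ranges:
            if net.overlaps(other_net):
                conflicts.append(("ip-overlap", dev["name"], str(net), other_name, str(other_net)))
        if dev["name"] in names:
            renamed = f"{dev['name']}-{dev['site']}"
            conflicts.append(("name", dev["name"], renamed))
            dev["name"] = renamed
        names.add(dev["name"])
        ranges.append((dev["name"], net))
        merged.append(dev)
    return merged, conflicts


def to_ers_payload(dev: Dict) -> Dict:
    """Shape one merged device as an ERS NetworkDevice create body.

    Field names are assumed from memory (POST to /ers/config/networkdevice on
    the new primary); confirm them against your ISE version's ERS SDK page.
    """
    net = ipaddress.ip_network(dev["ip"])
    return {"NetworkDevice": {
        "name": dev["name"],
        "description": f"migrated from {dev['site']}",
        "NetworkDeviceIPList": [{"ipaddress": str(net.network_address), "mask": net.prefixlen}],
        "authenticationSettings": {"radiusSharedSecret": dev["shared_secret"]},
    }}


if __name__ == "__main__":
    devices, problems = merge_network_devices(CORP01, CORP02)
    for problem in problems:
        print("CONFLICT", *problem)
    for device in devices:
        print(to_ers_payload(device)["NetworkDevice"]["name"])
```

Run the conflict report first and resolve every ip-overlap entry before creating anything; the rename suffix is only a placeholder so that both objects can exist, and the final names should follow whatever convention the new deployment adopts.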

2 Replies

jj2048
Level 1

Hi, hslai.

Appreciate the response.

Question 1 is answered and I accept it.
Question 2: below is the environment I've set up in our lab.
A: Yes, we can deploy ISE as primary and secondary under two domains, as long as they are resolvable.

Environment:

2 sites with 2 different domains: Corporate 1 and Corporate 2.
Both have a two-tier PKI, and each ISE, initially standalone, has a certificate signed by its own corporate SubCA.
ISEPAN-CORP01 and ISEPAN-CORP02 both have the DNS of each site and are resolvable either way.

Deployment:

I've imported each PAN's respective certificate chain into its trusted certificates.
I've successfully deployed the PANs as primary and secondary nodes under two different domains.

Follow up Question:

3. Should I import the 2nd site's certificate chain on the primary node as well?

- I've noticed that after deploying them as primary and secondary, the trusted certificates did not contain ISEPAN-CORP02's trusted certificate chain that I had imported before it became the secondary.

4. Will this setup pose any problems in the future? (Two ISEPANs in separate domains, one on each site, deployed as primary and secondary.)
Thank you.
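Follow-up question 3 is, at bottom, a chain-validation question: whatever the trusted-certificates store on the primary now contains, it must be able to build a chain to the admin certificate of each node, including the secondary signed by the other site's SubCA. The following is an added example, not code from this thread or from Cisco, that performs exactly that check. To run offline it builds two constructed two-tier PKIs (root CA, SubCA, node certificate) with the openssl CLI, which must be on PATH; the corporate names, node FQDNs and file layout are assumptions. Against a real deployment you would export the node certificate and the trusted certificates from the admin portal and point verify_node_cert() at those files.

```python
"""Check that a trusted-certificate store validates both ISE nodes' admin certs.

Added example, not from the original thread or from Cisco. It reproduces the
situation in the thread with constructed material: two corporate two-tier
PKIs, one node certificate per corp, and three candidate trust stores
(CORP01 chain only, as observed on the primary after registration; and both
chains, as imported before registration). The check itself is a plain
`openssl verify`, which is what any TLS peer does with the trust store.
"""
import subprocess
import tempfile
from pathlib import Path
from typing import Dict, List

# Minimal OpenSSL config so the example does not depend on the system openssl.cnf.
OPENSSL_CNF = """\
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = serverAuth,clientAuth
"""


def _openssl(*args: str) -> None:
    subprocess.run(["openssl", *args], check=True, capture_output=True, text=True)


def build_pki(workdir: Path, corp: str, node_fqdn: str) -> Dict[str, Path]:
    """Create root CA -> sub CA -> node certificate for one (constructed) corporate PKI."""
    cnf = workdir / "openssl.cnf"
    cnf.write_text(OPENSSL_CNF)

    def p(name: str) -> Path:
        return workdir / f"{corp}-{name}"

    key = ("-newkey", "ec", "-pkeyopt", "ec_paramgen_curve:prime256v1", "-nodes")
    # Self-signed root; [req] x509_extensions makes it a CA.
    _openssl("req", "-x509", *key, "-keyout", str(p("root.key")), "-out", str(p("root.crt")),
             "-subj", f"/CN={corp} Root CA", "-days", "30", "-config", str(cnf))
    # Sub CA signed by the root, then the node certificate signed by the sub CA.
    for name, subj, issuer, ext in (
        ("sub", f"/CN={corp} Sub CA", "root", "ca_ext"),
        ("node", f"/CN={node_fqdn}", "sub", "leaf_ext"),
    ):
        _openssl("req", "-new", *key, "-keyout", str(p(f"{name}.key")), "-out", str(p(f"{name}.csr")),
                 "-subj", subj, "-config", str(cnf))
        _openssl("x509", "-req", "-in", str(p(f"{name}.csr")), "-CA", str(p(f"{issuer}.crt")),
                 "-CAkey", str(p(f"{issuer}.key")), "-CAcreateserial", "-days", "30",
                 "-extfile", str(cnf), "-extensions", ext, "-out", str(p(f"{name}.crt")))
    return {"root": p("root.crt"), "sub": p("sub.crt"), "node": p("node.crt")}


def verify_node_cert(node_crt: Path, trusted: List[Path]) -> bool:
    """True if `openssl verify` can chain node_crt to the given trusted CA certs.

    Both the sub CA and the root must be in the store (or the sub CA sent by
    the server during the handshake); with only the other site's chain the
    verifier stops at "unable to get local issuer certificate".
    """
    bundle = node_crt.parent / "trusted-bundle.pem"
    bundle.write_text("".join(Path(c).read_text() for c in trusted))
    result = subprocess.run(["openssl", "verify", "-CAfile", str(bundle), str(node_crt)],
                            capture_output=True, text=True)
    return result.returncode == 0


def run_check() -> Dict[str, bool]:
    """Build both PKIs and test the trust stores relevant to the thread."""
    work = Path(tempfile.mkdtemp(prefix="ise-trust-"))
    corp01 = build_pki(work, "CORP01", "isepan-corp01.corp01.example")  # assumed FQDN
    corp02 = build_pki(work, "CORP02", "isepan-corp02.corp02.example")  # assumed FQDN
    chain01 = [corp01["root"], corp01["sub"]]
    chain02 = [corp02["root"], corp02["sub"]]
    return {
        "corp01_node_with_corp01_chain": verify_node_cert(corp01["node"], chain01),
        "corp02_node_with_corp01_chain": verify_node_cert(corp02["node"], chain01),
        "corp02_node_with_both_chains": verify_node_cert(corp02["node"], chain01 + chain02),
    }


if __name__ == "__main__":
    for name, ok in run_check().items():
        print(f"{name}: {'OK' if ok else 'FAIL'}")
```

The middle case is the one the thread describes: a store holding only CORP01's chain cannot validate the CORP02 node, so anything on the primary that has to trust the secondary's certificate (node-to-node traffic, or clients that receive the primary's store) needs CORP02's root and SubCA present, and the same in reverse on the secondary.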