Adding PSN to our ISE deployment (Convert Small to Medium deployment)

titusroz03
Level 1

Dear All,

In our ISE deployment we have:

2 nodes in US (US-01 with PAN, MNT, PSN, pxGrid and US-02 with PSN)

2 nodes in UK (UK-01 with PAN, MNT, PSN, pxGrid and UK-02 with PSN)

For PAN failover we opted for US-01 as primary and UK-01 as secondary. This model was deployed before I joined and I assume that it is still a small deployment and the 2 PSNs are not serving the auth sessions (correct me if my assumption is wrong).

Now we are planning to add one PSN in HK and it will be dedicated only to HK users, since they currently have to rely on US-ISE for network access.

Just want to check for below:

To bring HK-ISE under the existing node group as a PSN, do we need to convert the above setup from small to medium size, by removing the PSN persona from US-01 and UK-01 and having it on dedicated nodes (US-02, UK-02 and HK)?

or

Can it be achieved just by adding HK-ISE (PSN), just for load sharing, and continue in the small deployment itself by having HK-ISE as primary and US-01 as secondary?

And I have questions on installing certificates:

To install the root CA and system certs, can I export them from the existing ISE nodes?

6 Replies

You don't have to change anything, you just add the extra PSN and your deployment will still be considered a small deployment.

Performance and Scalability Guide for Cisco Identity Services Engine - Cisco

With regard to the authentication certificate, you would need to issue a new certificate if you are sharing it across the nodes, because the new PSN FQDN and IP address would need to be added to the existing certificate that is already installed on US-01 and UK-01. However, another option would be to issue a new certificate only for the new PSN and leave the shared one across US-01 and UK-01 as is. The root CA certificate will be shared by the PAN to the new PSN, so you don't have to do anything for that.

Thanks for the response.

To conclude, I can add the PSN to the existing node group, right? And I can point my WLC and TACACS in the HK region to this new HK PSN and it will authenticate. Correct me if this is wrong.

I am clear about your comment on the system certificate, but for the root cert do I need to install it on the new node before adding it to the node group, or will it be automatically added once I register the node?

Also, could you share a document for Smart Licensing on the new node?

You are welcome. You are 100% right, you can add the new PSN in HK to the existing deployment and then, after you register it to the existing deployment, you can change its persona (role) to be only PSN and Device Administration (TACACS+). However, as a best practice you should configure the WLC in HK to point to the new PSN in HK and to US-01 as a secondary RADIUS and TACACS node; this will allow the HK WLC to fail over to the US-01 node if something happens to the HK PSN.

Regarding the root CA certificate, you can either import it into the HK PSN before you register it, or you can skip that step and go ahead and register it to the existing deployment. During the registration of the new PSN you will get a pop-up message asking you to confirm the validity of the HK PSN certificate; once confirmed, the registration will be completed. This confirmation step is required to authorize the trust of the HK PSN self-signed certificate in the existing deployment. Once the registration is complete, all the trusted certificates will be automatically shared with the new PSN.

You don't have to do anything for Smart Licensing on the existing ISE deployment; that is a piece of work the PAN will take care of during the next sync with your smart account. However, you need to make sure that you have an available license for the new PSN already allocated in your smart account.

I forgot to mention another thing: you would need to connect the HK PSN to your AD if that is required. So you need to go to the existing Active Directory join point in ISE and join the new PSN to your AD. As a best practice you should use service account credentials and select the option to store the credentials in ISE during this process; otherwise, if you don't select that option, AD profiling attributes would not be fully parsed. Please check out this link for the required permissions of the user that will be used to join the new PSN to AD:

Integrate AD for ISE GUI and CLI Log in - Cisco

Thanks again for the information you've provided. I have brought the ISE node into MGMT, and while binding the system certs it didn't allow me until I had the root cert uploaded, which was signed by the trusted CA. But while binding the pxGrid cert to the respective CSR it throws an error: "Certificate for pxGrid must contain both client and server authentication in the Extended Key Usage (EKU) extension". Not sure if I am missing something here. Any clues?

Then I am planning for the AD migration as mentioned above. For this, do I need to do the integration procedure on the HK PSN before adding it to the node group? Or can I replicate it from the PAN?

You are welcome. Yes, the pxGrid cert has some specific requirements; please take a look at the end of this post of mine, which shows you the parameters needed for the pxGrid certificate:

Integrate FMC with ISE using pxGrid | Blue Network Security

After the completion of adding HK PSN, you can then go from the primary PAN console and join HK PSN to your AD.
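The pxGrid error quoted above comes from ISE checking the certificate's Extended Key Usage extension for both serverAuth (OID 1.3.6.1.5.5.7.3.1) and clientAuth (OID 1.3.6.1.5.5.7.3.2). The following script is an added example (not from the thread, the linked post, or Cisco) that decodes a DER-encoded EKU extension value and applies the same two-OID check, so a CSR or issued certificate can be validated before it is bound in ISE. The two sample byte strings are constructed here: one carries both OIDs, the other only serverAuth, which is the typical web-server template that ISE rejects for pxGrid.

```python
"""Check that a DER-encoded Extended Key Usage (EKU) value lists both
serverAuth and clientAuth, the combination ISE requires for pxGrid
certificates. Added example; the sample byte strings below are
constructed for illustration, not taken from any real certificate."""

# EKU purpose OIDs defined in RFC 5280, section 4.2.1.12
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"


def _read_length(data: bytes, pos: int) -> tuple[int, int]:
    """Decode a DER length field at data[pos]; return (length, next_pos)."""
    first = data[pos]
    if first < 0x80:                      # short form: single byte
        return first, pos + 1
    num_bytes = first & 0x7F              # long form: count of length bytes
    length = int.from_bytes(data[pos + 1:pos + 1 + num_bytes], "big")
    return length, pos + 1 + num_bytes


def decode_oid(body: bytes) -> str:
    """Turn the content octets of an OBJECT IDENTIFIER into dotted form."""
    first = body[0]
    arcs = [first // 40, first % 40]      # first byte packs the first two arcs
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)  # base-128 with continuation bit
        if not b & 0x80:                   # high bit clear: last byte of arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def parse_eku(der: bytes) -> list[str]:
    """Parse an EKU extension value: SEQUENCE OF OBJECT IDENTIFIER."""
    if der[0] != 0x30:
        raise ValueError("EKU value must be a DER SEQUENCE")
    seq_len, pos = _read_length(der, 1)
    end = pos + seq_len
    oids = []
    while pos < end:
        if der[pos] != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER inside EKU SEQUENCE")
        oid_len, pos = _read_length(der, pos + 1)
        oids.append(decode_oid(der[pos:pos + oid_len]))
        pos += oid_len
    return oids


def pxgrid_eku_ok(der: bytes) -> bool:
    """True only when both serverAuth and clientAuth are present,
    which is what the ISE pxGrid binding step checks for."""
    oids = set(parse_eku(der))
    return SERVER_AUTH in oids and CLIENT_AUTH in oids


# Constructed sample EKU values (hex of the DER extension value):
# SEQUENCE { serverAuth, clientAuth } - what a pxGrid cert needs
EKU_BOTH = bytes.fromhex("3014" "06082b06010505070301" "06082b06010505070302")
# SEQUENCE { serverAuth } - a plain web-server cert, rejected for pxGrid
EKU_SERVER_ONLY = bytes.fromhex("300a" "06082b06010505070301")

if __name__ == "__main__":
    for name, value in (("both", EKU_BOTH), ("server only", EKU_SERVER_ONLY)):
        verdict = "pxGrid OK" if pxgrid_eku_ok(value) else "REJECT"
        print(f"{name}: {parse_eku(value)} -> {verdict}")
```

To feed a real certificate through this check, extract the raw value of the EKU extension (for example from the CSR before submitting it to the CA) and pass those bytes to `pxgrid_eku_ok`; a result of `False` means the CA template needs client authentication added before the certificate will bind to the pxGrid role.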