Cisco Identity Service Engine (ISE) in AWS cloud

I am currently running Cisco ISE version 3.0 (running on SNS-3655) and version 3.1 (running on SNS-3415).  There is a push to move this to AWS cloud in order to reduce the data center footprint.  Can anyone running Cisco ISE in AWS cloud share your experience here?  Both the pros and cons.  TIA

35 Replies

https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/install_guide/b_ise_InstallationGuide31/m_ISEaaS.html

Be sure to check out the Known Limitations section.  Also make sure your transport between the NADs and AWS is encrypted (RADIUS DTLS, IPsec, etc.).  RADIUS IS NOT a secure protocol and should never be sent over the public internet.  Make sure your AWS security groups / firewalls do not expose ISE to the public internet.
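As an added example (not part of the original reply, and not Cisco's code), here is a small Python check that follows the advice above: it reads security groups in the JSON shape returned by `aws ec2 describe-security-groups` and flags any ingress rule that opens an ISE service port to public address space. The port table, the list of "internal" prefixes and the two sample groups are constructed for the example; confirm the port list against the port reference for your ISE release.

```python
"""Flag security-group rules that expose ISE service ports to the public internet.

Input follows the `aws ec2 describe-security-groups` JSON shape
(GroupId, IpPermissions[].IpProtocol/FromPort/ToPort/IpRanges/Ipv6Ranges).
"""
import ipaddress

# Ports an ISE node commonly listens on. Constructed for this example.
ISE_PORTS = {
    ("udp", 1812): "RADIUS authentication",
    ("udp", 1813): "RADIUS accounting",
    ("udp", 1645): "RADIUS authentication (legacy)",
    ("udp", 1646): "RADIUS accounting (legacy)",
    ("tcp", 49): "TACACS+",
    ("tcp", 22): "SSH CLI",
    ("tcp", 443): "Admin GUI / portals",
}

# Address space treated as internal: RFC 1918, loopback, link-local, IPv6 ULA.
INTERNAL_PREFIXES = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "fc00::/7", "fe80::/10", "::1/128",
)]


def is_public_cidr(cidr):
    """True unless the CIDR lies entirely inside one of the internal prefixes."""
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(net.version == p.version and net.subnet_of(p)
                   for p in INTERNAL_PREFIXES)


def rule_ise_ports(rule):
    """Yield the (proto, port) pairs from ISE_PORTS that an ingress rule covers."""
    proto = rule.get("IpProtocol")
    if proto == "-1":                      # "all traffic" rule
        yield from ISE_PORTS
        return
    if proto not in ("tcp", "udp"):
        return
    lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
    for p, port in ISE_PORTS:
        if p == proto and lo <= port <= hi:
            yield (p, port)


def find_public_exposures(security_groups):
    """Return sorted (group_id, proto, port, cidr, service) tuples for public exposures."""
    findings = []
    for sg in security_groups:
        for rule in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if not is_public_cidr(cidr):
                    continue
                for proto, port in rule_ise_ports(rule):
                    findings.append((sg["GroupId"], proto, port, cidr,
                                     ISE_PORTS[(proto, port)]))
    return sorted(findings)


# Constructed sample: one group restricted to private ranges, one wide open.
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0example0ok", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.10.0.0/16"}]},
        {"IpProtocol": "udp", "FromPort": 1812, "ToPort": 1813,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "172.16.0.0/12"}]},
    ]},
    {"GroupId": "sg-0example0bad", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "udp", "FromPort": 1812, "ToPort": 1813,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
]

if __name__ == "__main__":
    for gid, proto, port, cidr, svc in find_public_exposures(SAMPLE_SECURITY_GROUPS):
        print(f"{gid}: {svc} ({proto}/{port}) reachable from {cidr}")
```

To run it against a real account, feed the `SecurityGroups` array from `aws ec2 describe-security-groups --output json` into `find_public_exposures`. Any finding on the RADIUS ports means unencrypted authentication traffic could be addressed from the internet, which is exactly the condition the reply above warns against; the expected end state is no findings, with NAD traffic arriving over DTLS or an IPsec tunnel from known source ranges.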

@ahollifield :  Thanks.  Looks like version 3.2 is also now available on the AWS Marketplace.

@ahollifield :  I don't see ISE version 3.1 in AWS marketplace, only version 3.2.  Any ideas why?  Especially when version 3.1 is the preferred release.  Furthermore, the document you provided is for version 3.1 and yet, I can't find version 3.1 in AWS.

Hi @adamscottmaster2013 ,

please take a look at: Cisco ISE on Cloud and also take a look at: Installing ISE 3.1 on AWS.

Note: ISE 3.2 is natively available on the Cloud Platforms: AWS, Azure Cloud and OCI.

Hope this helps !!!

@Marcelo Morais :  I guess you didn't answer my question.  Where can I find Cisco 3.1 on AWS?  I am NOT seeing ISE 3.1 in AWS, only 3.2

Hi @adamscottmaster2013 ,

you are unable to see ISE 3.1 P1 on AWS?

AWS Cisco ISE.png


Regards

Hi @Marcelo Morais:  I only see version 3.2 in the AWS Marketplace.  See the attached screenshot.

Do I need a Device Admin license for AWS if selling Cisco licenses through CCW?

Only if that node is going to be performing TACACS+

Can anyone from Cisco explain why ISE version 3.1 is not available in the AWS Marketplace?  I guess not too many people are using Cisco ISE in AWS, no?

Both ISE 3.1 (patch1) and 3.2 are available for deployment on AWS for multiple regions. I have a customer that is deploying multiple 3.1 EC2 instances in both the US-East1 and AP-SE2 regions at the moment.

See the documentation for how to Subscribe and install AWS instances here:
https://www.cisco.com/c/en/us/td/docs/security/ise/ISE_on_Cloud/b_ISEonCloud/m_ISEaaS.html#task_psg_m1m_kqb

When building the CloudFormation template, you can specify which ISE version you want to deploy. If you prefer to use APIs or IaC tools instead of CF, you can use this same process to find the AMI ID for your preferred ISE version and region.

Example:

Screenshot 2023-01-20 at 8.51.03 am.png

I am finally able to launch ISE in AWS, but only with version 3.2.  I launched both ISE version 3.1 patch 1 and version 3.2 using the exact same method.  I am able to ssh into ISE version 3.2 but not version 3.1 patch 1.  I got this error whenever I attempted to ssh into ISE version 3.1 patch 1:

ssh -i ISE_key iseadmin@192.168.1.1
iseadmin@192.168.1.1: Permission denied (publickey).

No issue whatsoever with ISE 3.2 using the same identical key.

Any ideas?

ISE 3.1 and earlier use the default CLI/GUI administrator account of 'admin'. This was only changed to 'iseadmin' from ISE 3.2.


@Greg Gibbs:  Yes, I did use "admin" in 3.1 patch 1 and it still fails.  See below:

ssh -i AWS_key_2023 admin@10.x.x.x
Permission denied (publickey).

I use the exact same method for ISE 3.2 and it works without issues with "iseadmin"

ssh -i AWS_key_2023 iseadmin@10.x.x.x