11-27-2018 03:21 AM
Hi Experts,
We ordered around seven ISE SNS 3595 devices.
My question is: do they come with pre-installed ISE software?
ISE installation is a time consuming process and I want to be prepared if they don't come with pre-installed software.
Please let me know what is the software on those appliances & if pre-installed what will be the default values:
IP, username/password?
11-27-2018 04:04 AM
Any hardware orders since April 2018 will be shipped with ISE 2.4 (unpatched). You could apply patch 4 directly on all of the appliances. Some people have reported issues with patch 4 (in multi-forest AD deployments). In that case use patch 3.
There is no default password. When you power up the appliance and the OS boots up, you will be greeted with the 'setup' wizard. Read the manuals! Be prepared to enter all the details there and then (hostname, IP address, mask, gateway, DNS, NTP and of course, the admin password). If all of this is foreign to you then I highly recommend you start reading the Installation Guide because the setup wizard was the easy part :-)
11-27-2018 04:11 AM
Hi Arne,
Thanks for your inputs.
I know about all these and have set up a few ISE appliances on VMs, but I was not aware whether SNS appliances come with ISE software.
Thank you for the information, I just need to go to patch 3 to avoid this bug.
11-27-2018 04:19 AM - edited 11-27-2018 04:19 AM
Fair comment - another thing to consider with hardware appliances is that you have the CIMC to configure. I would recommend putting that CIMC on a separate VLAN and use the dedicated management port. And that in itself means configuring an IP address for the CIMC, setting an initial password etc (when you first connect to CIMC it will force you to set the password). Again, this is something you don't see in VM deployments.
Patch 4 has been fine for me in many deployments. Luckily I have not had customers running patch 4 AND having multiple forests. Note that a forest != domain. I have customers with many domains and running patch 4. Make sure you find out whether customer has multiple FORESTS :-)
There is also a new CIMC version update that can be applied. Don't use the CIMC firmware from the UCS downloads page!!! Only use the code from the ISE downloads page (the CIMC is specially signed to allow UEFI Secure Boot of the OS that ISE runs on).
I generally don't mess around with the CIMC versions because it can fry the appliance if things go wrong (like a BIOS update). But others have done it - you may want to factor this into your time budget as well. I normally configure the CIMC to send SNMP traps, syslog and also set the NTP. It allows better management of the server itself.
11-27-2018 04:55 AM
Hi Arne,
Thanks for your time and inputs on this !!
I have a few doubts which I wanted to clarify regarding the ISE solution:
1. Are there any plans to introduce a separate management port for ISE?
The issue is that if I want to separate the (management) and (AAA, profiling, posture) traffic it is very tedious.
2. Does ISE support Multi-Forest level trust? For example, we have Forest A and Forest B and there is an xyz domain in Forest B. Now ISE joined the abc domain in Forest A. Can ISE query the xyz domain (Forest B) when there is a trust between Forest A & B?
Thank you !!
11-27-2018 12:08 PM
You can send a product enhancement request for that separate management port. But in truth the eth0 is that port already. The trouble is that if you activate additional Ethernet ports then by default radius and tacacs will listen on these ports whether you want it or not. But ssh and snmp etc (management) is only on eth0. It's an ipfilter firewall rule in the OS to prevent management on any other port.
The best separation you can do is to assign non-eth0 interfaces to web portals and for profiling (eg send all your NetFlow to eth2 or whatever). I suppose you could try to engineer a way to force your radius traffic to a non-eth0 interface. And same with tacacs. Then you're left with a self-made dedicated management port. Not sure if that is worth the hassle though.
As for your second question I am almost sure it can. I am still not 100% comfortable with the exact definition of a forest vs a domain. But I have a customer with many forests but each forest only contains one domain. They have 2-way trust all over the place and it seems to work ok.
11-28-2018 12:41 AM
Hi Arne,
Agree with you !! There is a bit of hassle if I want to separate the management traffic. If ISE is to behave the way it is then we can't do anything. During design & deployment we usually get requests from Security experts/panels to separate the traffic and we usually convince them that it's the same interface which has both and should be kept behind a firewall to control the traffic.
On the second question, I don't see in the ISE 2.4 configuration guide that it supports Multi-Forest, but ISE supports single Forest Multi-Domain and domain-level trust. Hopefully it can support it in the future.
Thanks.
Shivaprasad Gudsi
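The separation Arne describes (ssh/snmp management only on eth0, radius/tacacs listening on whatever extra interfaces you enable) and the "keep it behind a firewall" approach in the reply above can be enforced at the network edge rather than on the appliance. The following is an added example of a Cisco IOS extended ACL, not configuration from this thread or from Cisco; all addresses are constructed placeholders, ports 22/443/161, 1812/1813 and 49 are the standard SSH/HTTPS/SNMP, RADIUS and TACACS+ ports, and 8443 (portal) and 2055 (NetFlow collector) are assumed values, not something the thread states.

```ios
! Constructed example addresses (replace with your own):
!   10.10.10.10   ISE eth0  - management and AAA
!   10.10.10.11   ISE eth1  - guest/sponsor portals and profiling collectors only
!   10.10.10.20   CIMC dedicated management port, on its own VLAN
!   10.20.0.0/24  admin management subnet
!   10.30.0.0/16  network access devices (switches, WLCs)
ip access-list extended ISE-INBOUND
 remark --- management reaches eth0 only, and only from the admin subnet
 permit tcp 10.20.0.0 0.0.0.255 host 10.10.10.10 eq 22
 permit tcp 10.20.0.0 0.0.0.255 host 10.10.10.10 eq 443
 permit udp 10.20.0.0 0.0.0.255 host 10.10.10.10 eq snmp
 remark --- AAA from NADs to eth0 only (standard RADIUS auth/acct and TACACS+ ports)
 permit udp 10.30.0.0 0.0.255.255 host 10.10.10.10 eq 1812
 permit udp 10.30.0.0 0.0.255.255 host 10.10.10.10 eq 1813
 permit tcp 10.30.0.0 0.0.255.255 host 10.10.10.10 eq 49
 remark --- eth1 carries portal and profiling traffic only; even though
 remark --- radius/tacacs also listen there, NADs cannot reach them on eth1
 permit tcp any host 10.10.10.11 eq 8443
 permit udp 10.30.0.0 0.0.255.255 host 10.10.10.11 eq 2055
 deny   ip any host 10.10.10.11 log
 remark --- CIMC: admin subnet only, HTTPS to the CIMC web UI
 permit tcp 10.20.0.0 0.0.0.255 host 10.10.10.20 eq 443
 deny   ip any host 10.10.10.20 log
 remark --- everything else towards the ISE/CIMC VLAN is dropped and logged
 deny   ip any any log
!
interface Vlan110
 description ISE and CIMC management VLAN (constructed example)
 ip access-group ISE-INBOUND in
```

The logged deny lines are what make this useful to the security panel: any RADIUS request arriving at eth1, or any SSH attempt at eth0 from outside the admin subnet, shows up in the syslog instead of silently reaching the appliance. The ACL does not cover traffic between ISE nodes of one deployment (replication, MnT logging), which needs its own permits before you apply it on a link that separates nodes.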