01-23-2018 12:02 AM - edited 02-21-2020 10:43 AM
Hi, folks.
Since version 2.x, ISE has the ability to mark authorization profiles as "service-templates" that can be downloaded to the switch, giving the class-maps within a configured policy the ability to match the activation of such a service-template and react accordingly.
Wow, nice sentence .. !!! Here is what I mean and what I am trying to accomplish:
Service-Template defined on ISE:
Policy on ISE:
Here comes the problem:
I have tested this policy in my lab and it works perfectly: the switch downloads the service-template from ISE, also downloads all parameters specified in the service template, caches and activates them ....
................... BUT ONLY TWICE !!!!! :-)
NO KIDDING !!!
This mechanism works perfectly for two (2) reauthentications, every third reauth FAILS, the template is not applied and the port ends up in an unauthorized state, without any vlan or DACL assigned to it !!!!!!
I have tested this behaviour on a lab switch (Cat3750X-48) with various SW versions on it (15.2.2E - 15.2.4E); every version behaves the same.
I also did some debugging and I can see some differences, but I have no idea, what they might mean (see attachments)
Anybody got some clues ???
Rgs
Frank
01-23-2018 02:30 PM
Great write-up. Sorry I don't have any advice for you but I will watch this one closely. I thought I could use this in the WLC but probably not - it's more a switch concept. Anyway, ISE 2.2 was probably the worst version ever - you'd be better off opening a TAC case right away.
01-23-2018 10:16 PM
About 2.2, is that true (being the worst version )?? Would you consider going to 2.3 instead ???
Rgs
Frank
01-24-2018 04:28 AM
Did some more testing:
Installed and set up an additional ISE v2.3 P1, configured DOWNLOAD_template, necessary groups, policies, conditions and results, changed the switch config to talk to the new 2.3 ISE, aaaaaaaaand:
Nothing changes !!!
The testclient gets authenticated and authorized successfully exactly two times, third time brings darkness !!!
So, it's not related to ISE !!!
Can only be the switch config or ISE config or an IOS bug then .....
Rgs
Frank
01-24-2018 04:59 PM
It's been mentioned here and there (even by some TAC engineers with whom I have dealt) that ISE 2.2 was pretty bad. I am on 2.3 now and it has fixed one or two of my issues. Since starting with ISE 2.2 in June 2017, I have raised 33 TAC cases, and 16 new bugs popped out as a result. Yes, 16 NEW bugs.
01-25-2018 01:48 AM
16 ?? Maaaaaan, that is a lot of cr.p !!!! :-)
Ok, I will consider moving away from 2.2 then. Have you had any experience taking a backup made from 2.2 and restoring it directly to 2.3 ??? Or did you use the upgrade bundles from 2.x to 2.3 ???
Rgs
Frank
01-28-2018 02:52 PM
I made the mistake of following the official upgrade process and I planned it for weeks. I even tested the process in my pre-prod lab. The URT ran clean in both cases, and the Primary PAN upgraded in both environments. But after that I got stuck. The remaining nodes that I tried to upgrade all had the same end result: they self-destructed! Yes. After reboot into ISE 2.3, while processes were starting up, the file system eventually filled to 100%. The node was stuck. This happened to all of them. So I gave up and deleted the VMs and rebuilt them (1 x PAN, 2 x MnT, 4 PSNs - what a disaster). I lost my licensing files because the UDI changes when you have a new VM. So I switched to Smart Licensing half way through. That doesn't work yet because Smart Licensing does work through an authenticated Proxy (that's one of my 33 TAC cases and 1 bug :-)
What I recommend (and apparently everyone else was doing this already) is to NOT upgrade a deployment - ever!! It's broken. If it works for you then you're probably lucky.
Best advice (if you're running VMs) is to
rename your existing VMs in vSphere with some suffix like "_BACKUP"
create a new VM for each existing node and give it the appropriate name (like "ise001" etc.)
Install ISE 2.3 on each node - don't run setup yet
Then shut down Standby PAN and run setup on the appropriate new VM. Restore the PAN backup to that node. Then promote to primary. Bingo! You have created a new deployment with your first 2.3 node.
Shut down an MnT node and run setup on another VM. Register this node as an MnT in your 2.3 deployment.
Do the rest of the nodes. Your 2.2 deployment will eventually be left with one man standing (PAN) and then kill that one off too.
You're done.
Last task is to license the new deployment (either with traditional or Smart)
Oh, and apply patch 2.