ISE Post Upgrade Test Procedure with Single Node

aarav
Level 1

Could you please shed some light on my ISE post-upgrade test procedure.

It's an ISE 2.4 distributed deployment with four nodes (2 x Admin/MnT/pxGrid & 2 x PSN).

I will be rebuilding just one node to a new 2.7 deployment and making it the new Primary node for the new deployment.

I want to enable all personas on this node and test the Wired / Wireless / BYOD / Web authentication, while the old deployment is still running two PSN nodes authenticating all network devices and end-user services.

Could you please advise me on the below, as I really need an approach to test the new 2.7 deployment in production while the old deployment running 2.4 is actually serving the network devices and end devices.

Once I set up a new 2.7 Primary node running all personas with the config restored from the old 2.4 deployment, what is the best way to test all of 802.1X Wired/Wireless, TrustSec, Web Authentication, and BYOD?

I was thinking of adding an edge switch with RADIUS pointing to the new deployment node, as well as an autonomous AP pointing to the new deployment, and using these two devices to replicate the LAN & wireless production devices.

Do we need a TrustSec-capable switch for testing, or is just an edge switch performing 802.1X fine? But wouldn't this approach still not test TrustSec on the new deployment?

Can I have this switch connected to the existing infrastructure as an add-on switch, or do the new ISE node and these switches have to be connected directly?

Also, any thoughts on testing BYOD?

1 Reply

Damien Miller
VIP Alumni

Many ISE customers set up ISE labs for similar purposes, testing new functionality and verifying new features. I would suggest you restore the backup from your 2.4 deployment to the new 2.7 node. For consistency's sake, you are running a hybrid deployment; distributed would mean the PAN and MnTs are hosted on four nodes of their own.

If you are leveraging TrustSec in the environment, then yes, I would suggest putting the WLC/AP on a TrustSec-capable "lab" switch as well. You want the testing to be as thorough as possible. You can send TrustSec attributes in authentication results without enabling TrustSec functions on the network devices; they will just ignore the additional RADIUS attributes. It's not a great test if you skip this piece and it's in use in production, though.

Because you want to test BYOD and webauth with this test environment, you will also have to either reuse existing certificates (if possible) or get new certificates issued that the endpoints trust. Regardless of what endpoint type you are using, it will be important that you are able to trust the ISE node/certs.

On the network devices being connected to the existing infrastructure and the new test infrastructure: you can have configuration for both in place, just changing the RADIUS servers in use at the time of the test. This would include defining the RADIUS servers and ensuring the test node is defined as a dynamic author on the wired side. When you're ready for testing on the 2.7 deployment, you would remove the old RADIUS servers defined in the RADIUS group or WLAN config and add the single test node. Assuming TrustSec is in use, you would want to clear the CTS PAC/environment data, then perform a CTS refresh.

Don't forget to join the test node to AD, and if you're using TrustSec, remove the CTS servers defined in the GUI, replacing them with just the test node.
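The dual-configuration approach the reply describes, shown as an added IOS-XE switch configuration example (not posted by either participant and not Cisco documentation): both the production 2.4 PSNs and the single 2.7 test node are defined as RADIUS servers and dynamic-authorization (CoA) clients, and the cut-over for a test window only re-points the AAA method lists and the TrustSec authorization list, followed by the CTS clear/refresh steps. All names, addresses and shared secrets are placeholders; the real switch must already exist as a network device (with the same RADIUS secret and CTS device credentials) on the restored 2.7 node.

```cisco
! Added example, not from the thread. Placeholder names, 192.0.2.x addresses and keys.
!
! RADIUS server definitions for both deployments stay in the config permanently.
radius server ISE24-PSN1
 address ipv4 192.0.2.11 auth-port 1812 acct-port 1813
 key PROD-SHARED-SECRET
radius server ISE24-PSN2
 address ipv4 192.0.2.12 auth-port 1812 acct-port 1813
 key PROD-SHARED-SECRET
radius server ISE27-TEST
 address ipv4 192.0.2.27 auth-port 1812 acct-port 1813
 key TEST-SHARED-SECRET
!
! Two server groups: production (2.4 PSNs) and test (single 2.7 node).
aaa group server radius ISE-PROD
 server name ISE24-PSN1
 server name ISE24-PSN2
aaa group server radius ISE-TEST
 server name ISE27-TEST
!
! Steady state: 802.1X authentication, network authorization and accounting
! all go to the production group.
aaa authentication dot1x default group ISE-PROD
aaa authorization network default group ISE-PROD
aaa accounting dot1x default start-stop group ISE-PROD
!
! Dynamic authorization (CoA): the test node is listed alongside the
! production PSNs so it can reauthenticate/terminate sessions during the test.
aaa server radius dynamic-author
 client 192.0.2.11 server-key PROD-SHARED-SECRET
 client 192.0.2.12 server-key PROD-SHARED-SECRET
 client 192.0.2.27 server-key TEST-SHARED-SECRET
!
! TrustSec: the switch downloads environment data and SGACLs via this list.
cts authorization list ISE-AUTHZ
aaa authorization network ISE-AUTHZ group ISE-PROD
!
! ---- Cut-over for the test window: re-point the lists at the test group ----
! (re-entering a method list replaces the previous definition)
aaa authentication dot1x default group ISE-TEST
aaa authorization network default group ISE-TEST
aaa accounting dot1x default start-stop group ISE-TEST
aaa authorization network ISE-AUTHZ group ISE-TEST
!
! Then, from exec mode, drop the old PAC/environment data and refresh from
! the test node (the steps the reply lists):
!   clear cts pacs
!   clear cts environment-data
!   cts refresh environment-data
!
! Roll back by re-entering the four ISE-PROD method-list lines above and
! repeating the clear/refresh sequence against the production PSNs.
```

Keeping the production definitions in place means the rollback is four lines rather than a re-provisioning exercise, and the dynamic-author entry for the test node is what lets BYOD and webauth flows that depend on CoA (reauth after onboarding or guest login) actually complete against the 2.7 node. Check `show cts environment-data` and `show cts pacs` after the refresh to confirm the switch now lists the test node as its TrustSec server before running the 802.1X and SGT checks.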