ISE SAML/P2V/CA Questions

tolarosa@cisco.com
Cisco Employee
  1. Physical to Virtual process – How do we handle licensing? Is it as simple as just running backup / restore?
  2. Does SAML feature come in Base?
  3. Need to verify if ISE running as a CA can provide certs to IP Phones?
3 Replies

hslai
Cisco Employee

1. Yes. We may also register the new ISE node as a 2nd ISE to the existing deployment to get a copy of the CFG and then move it to the proper persona. Or, de-register it afterwards, if seeding for a new deployment. If for a new deployment and using the traditional licensing, then we need to re-host the licenses.

2. Yes, SAML IdP can be used for ISE guest services, such as Sponsor and Guest portals, so it is available in Base.

3. See CSCve71881

1. If we already have an HA design with 2 ISE nodes, is the process to remove the current 2nd ISE nodes and replace them with the new VMs for config sync? Also, is this the recommended/best practice for this conversion? Is backup/restore not a good option?

2. I can see how SAML is in Base for Guest Services, but would we also need Plus/pxGrid for SAML to 3rd-party IdPs?

3. Not a lot of information on CSCve71881. Looks like an issue with provisioning SCEP to IP Phones? Any idea of when this will get fixed?

1. Since registering an ISE node to an existing deployment will import a copy of the current CFG, there is no need to perform a backup and restore unless the new ISE node is to serve as M&T.

2. SAML IdP is always 3rd party. No, it does not use pxGrid.

3. The defect is an enhancement, so I would not expect it to be addressed soon. Please bring your business case to the ISE PM team. On the other hand, have you attempted it yourself by manually generating the key+cert pair at the ISE certificate provisioning portal? I can't test it because I have no such setup.