Cisco Employee

ISE SAML/P2V/CA Questions

  1. Physical to Virtual process – How do we handle licensing? Is it as simple as just running backup / restore?
  2. Does SAML feature come in Base?
  3. Need to verify if ISE running as a CA can provide certs to IP Phones?
Cisco Employee

Re: ISE SAML/P2V/CA Questions

1. Yes. We may also register the new ISE node as a 2nd ISE to the existing deployment to get a copy of the CFG and then move it to the proper persona. Or, de-register it afterwards, if seeding for a new deployment. If for a new deployment and using the traditional licensing, then we need to re-host the licenses.

2. Yes, SAML IdP can be used for ISE guest services, such as Sponsor and Guest portals, so it is available in Base.

3. See CSCve71881

Cisco Employee

Re: ISE SAML/P2V/CA Questions

1. If we already have an HA design with 2 ISE nodes, is the process to remove the current 2nd ISE nodes and replace them with the new VMs for config sync? Also, is this the recommended/best practice for this conversion? Is backup/restore not a good option?

2. I can see how SAML is in Base for Guest Services, but would we also need Plus/pxGrid for SAML to 3rd Party IdPs?

3. Not a lot of information on CSCve71881. Looks like an issue with provisioning SCEP to IP Phones? Any idea of when this will get fixed?

Cisco Employee

Re: ISE SAML/P2V/CA Questions

1. Since registering an ISE node to an existing deployment will import a copy of the current CFG, there is no need to perform a backup and restore unless the new ISE node is to serve as M&T.

2. SAML IdP is always 3rd party. No, it does not use pxGrid.

3. The defect is an enhancement, so I would not expect it to be addressed soon. Please bring your business case to the ISE PM team. On the other hand, have you attempted it yourself by manually generating the key+cert pair at the ISE certificate provisioning portal? I can't test it because I have no such setup.