ISE smart license with CSSM on-prem (v8-202006)

HOLGER ALIX
Level 1

We use ISE 2.4 (and 2.6) with Smart license.
According to the ISE Admin Guide the "Cisco Smart Software Manager satellite" with Smart Callhome is not supported. But there is an option "transport gateway" which is supported.
The newer CSSM satellites (version 8-202006) (now called CSSM on-prem) offer 2 different URLs: a) "SmartCallhome" (for legacy products) and b) "smart transport".
But I can't find any hint if this method "Smart Transport" can also make the "CSSM on-prem" usable for the ISE.

Has anyone tried or read this?

 

Accepted Solutions

See a similar community post discussion here.

No version of ISE currently supports CSSM satellite (on-prem).

17 Replies

poongarg
Cisco Employee
I believe both options are the same. On ISE, we need to select the transport gateway checkbox, and on CSSM on-prem we need to use the Smart Transport option.
However, I have not tested the same.

rkazmierczak
Level 1

I wonder if anyone else knows the answer to this. It's certainly a bit confusing (admin guide vs contextual help). Does ISE support CSSM on-prem?

 

 

See a similar community post discussion here.

No version of ISE currently supports CSSM satellite (on-prem).

Is this still the case?

We are running ISE v3.0, and according to the ISE docs this is supposed to work:

https://www.cisco.com/c/en/us/td/docs/security/ise/3-0/admin_guide/b_ISE_admin_3_0/m_Licensing30.html#concept_lnz_tmr_h4b

However, it specifically says there is a dropdown option called "SSM On-Prem Server" for the 'Connection Method'.

EDIT: Looking at our ISE right now, with the latest ISE patch it DOES have this option. The original release of ISE v3.0 DOES NOT have this dropdown option.

 

That would be correct, it's supported as of 3.0 patch 2. This was an old thread so at the time Greg answered this it was accurate. 

"New Features in Cisco ISE, Release 3.0 - Cumulative Patch 2

Licensing Methods for Air-Gapped Networks

Cisco ISE Release 3.0 Patch 2 supports the following licensing solution for air-gapped networks:

  • Smart Software Manager (SSM) On-Prem Connection Method

    SSM On-Prem is a connection method in which you configure an SSM On-Prem server that manages smart licensing in your Cisco ISE-enabled network. With this connection method, Cisco ISE does not require a persistent connection to the Internet."

Can we get the details of which ports are required?

 

Our ISE is currently saying it can't communicate to the On-Prem SSM server. Trying to determine if it is a port issue, or maybe it is because we don't have an SSL cert installed on either ISE or SSM yet.

 

Hi @DMel,

please take a look at the following link: Cisco SSM On-Prem License Server. Search for SSM On-Prem - Communication Channels and Ports.

"...
Cisco Products communicate with SSM On-Prem using the same protocol.
Protocol:
 User Interface: HTTPS (8443) Only
 Products: HTTP(80)/HTTPS(443)
 CSSM: HTTPS(443)
  Sync:
   api.cisco.com (old)
   swapi.cisco.com (new)
   Account Registration:
   cloudsso.cisco.com
..."

 

Hope this helps !!!

 

 

 

With the latest SP (ISE 2.6 SP10) it works perfectly fine, but regardless of the error message ISE brings you (Invalid Token), add the certificate from the SSM server as a Trusted Certificate in ISE (and trust as Cisco Services), and retry the operation... (thank you Cisco for your awesome error messages).

It took some time to figure it out - but it works. 

From what I've read, this has been supported since 3.0 patch 2. However, I've been unable to get it working in my environment. We're running 3.0 patch 5 and using version 8-202102 of the SSM. I've used the FQDN that is in the CN for the SSM's certificate while trying to configure the registration in ISE, I've tried the IP, and it just says connection error to the server. I've verified DNS resolves from ISE. I'm able to ping the IP and FQDN of my SSM from ISE (they're on the same /24 subnet) and still can't get it working. If anyone has ideas on what else I could look at to get this working, I'd appreciate it.

pan
Cisco Employee

Cisco ISE Release 3.0 Patch 2 supports the following licensing solution for air-gapped networks:

  • Smart Software Manager (SSM) On-Prem Connection Method

    SSM On-Prem is a connection method in which you configure an SSM On-Prem server that manages smart licensing in your Cisco ISE-enabled network. With this connection method, Cisco ISE does not require a persistent connection to the Internet.

Finally got this to work. My issue was something with the SSL cert we have on our SSM Server.

Hi, 

Can you tell me the solution? Same problem here, I guess it's because of the SSL cert.

Kind regards

As stated above, you have to be running ISE 3.0sp2 or above. Cisco just introduced this functionality in that update.

 

Make sure you have the SSM on-prem SSL CA cert installed on the ISE installation, so that ISE can accept the SSL Chain that SSM uses.

 

And from my understanding, of course, you have to have port 443 open from ISE to SSM.

jan.murin
Level 1

Hi everyone,
I was able to register ISE server (Version 3.0 patch 4) to On-Prem SSM server (Release 8-202108).
On ISE server I have used the SSM On-Prem server connection method and didn't need to do anything else.

On the On-Prem SSM server I had to change the CN of the certificate (Admin Workspace > Security > Certificates).
After that I have started the full synchronization. After the synchronization the certificate was regenerated (you can check it using this link: https://{your_SSM_hostname/IP}/Transportgateway/services/DeviceRequestHandler)
After that I just started the registration process on ISE.

Hope it helps someone
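
Added example, not part of any post in this thread and not Cisco tooling: a staged check, run from an admin workstation on the ISE subnet, that separates the causes raised above (port 443 blocked, SSM CA not trusted, registration name not in the certificate). It approximates what a TLS client such as ISE sees; the FQDN and the optional CA file path are placeholders you supply.

```python
import socket
import ssl

# OpenSSL X509_V_ERR_* codes for the two certificate problems raised in this thread.
CHAIN_ERRORS = {18, 19, 20, 21}   # self-signed, or issuer not in the trust store
NAME_ERRORS = {62, 64}            # hostname / IP address not in the certificate


def classify_verify_error(code):
    """Map an OpenSSL verify code to the remedy discussed in the thread."""
    if code in CHAIN_ERRORS:
        return "untrusted_chain"      # import the SSM CA cert as trusted
    if code in NAME_ERRORS:
        return "name_mismatch"        # register with a name present in CN/SAN
    return "other_cert_error"


def diagnose(host, port=443, cafile=None, timeout=5.0):
    """Return the first stage that fails: DNS, TCP, a TLS verdict, or 'ok'."""
    try:
        socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "dns_failure"
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "tcp_unreachable"      # firewall, or nothing listening on the port
    # cafile=None uses the system trust store; pass the exported SSM CA (PEM)
    # to test the exact chain you plan to import into ISE.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with sock, ctx.wrap_socket(sock, server_hostname=host):
            return "ok"
    except ssl.SSLCertVerificationError as exc:
        return classify_verify_error(exc.verify_code)
    except (ssl.SSLError, OSError):
        return "tls_handshake_failed"


if __name__ == "__main__":
    # Placeholder FQDN (assumption): replace with your SSM On-Prem name.
    print(diagnose("ssm.example.internal", 443, cafile=None))
```

A result of `untrusted_chain` or `name_mismatch` while ping and DNS succeed matches the symptoms several posters describe; run it once with the FQDN and once with the IP to see which name the certificate actually covers.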