Anilvnair
Beginner

ISE (SNS-3695) Cluster on-boarding steps

Can you please assist to provide high-level SNS-3695 appliance onboarding steps? I got ISE 3.0 shipped along with appliances.

 

I want to understand the sequential steps to be followed. I randomly put a few steps below, and I request your guidance, a few reference guides, and the sequential order of approach to onboard these nodes.

 

1. ISE 3.0 patch install

2. Migrate from 3.0 to 3.1 (unable to see the existing patch version running on the new nodes)

3. License migration from 2.X to 3.X - can both ISE 2.x and 3.X nodes consume ISE smart licenses?

4. ISE node registration cert, migrate from self-signed to public PKI cert

5. Create EAP and other portal PKI certs

 

Accepted Solution
ahollifield
Beginner

Start here: Cisco ISE & NAC Resources - Cisco Community

 

Specifically with the admin and installation guides. Step 1 should also be to re-image the 3695s with the 3.1 ISO as 3.1 is now the suggested release.

 

Yes, multiple ISE deployments can consume from the same Smart Account / Virtual Account.


Mike.Cifelli
VIP Advisor

Definitely use the link provided by @ahollifield 

 

3. License migration from 2.X to 3.X - can both ISE 2.x and 3.X nodes consume ISE smart licenses?

-Yes. Note that the license model between 2.x and 3.x has changed. Any 2.x model type licenses will require TAC to migrate. Have a peek here: https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/ise-licensing-migration-guide-og.html

 

Marcelo Morais
VIP Advisor

Hi @Anilvnair ,

I would like to add the following points:

- ISE 3.1 is the Suggested Release:

  a. Patch 3 is the latest patch, but very new: May 2nd

  b. Patch 2 is a Deferred Release

  c. For Patch 1 (Dec 7th), you also need to install the LOG4J2-FIX-3.1PATCH1

Note: in Cisco ISE Release 3.1, EAP-TLS Authentication might fail for certificates using the TPM module on Windows 10. This is an issue with the TPM module and not with Cisco ISE.

- ISE 3.0:

  a. Patch 5 is the latest patch (Jan 31st); for this patch you don't need to install the LOG4J2-FIX-2.4-3.0

 

Hope this helps!!!

Arne Bier
VIP Advisor

@Marcelo Morais - regarding the comment "Note: in Cisco ISE Release 3.1, EAP-TLS Authentication might fail for certificates using TPM module on Windows 10. This is an issue with the TPM module and not with Cisco ISE." - how is this ISE 3.1 specific? Do you have a bug ID or some other links for this issue?

 

thanks

Hi @Arne Bier,

please take a look at the ISE 3.1 Release Notes, search for "EAP-TLS Authentication Might Fail for Certificates Using TPM Module", and see CSCwb19635 "ISE 3.1 EAP-TLS authentications might fail with certificates installed in TPM module".

 

Regards

thanks @Marcelo Morais - charming, isn't it? As if 802.1X wasn't tricky enough

 

I am not sure why this is listed under ISE 3.1 only - does that mean it was only found by a customer running ISE 3.1, and would not affect other ISE implementations? The way I read that Release Note, it sounds very much 3.1 specific. Or did I miss something?

Hi @Arne Bier,

I agree with you: not only does it look 3.1 specific in the ISE 3.1 Release Notes, but also in the CSCwb19635 Conditions description: "... ISE 3.1+ ...".

Please take a closer look at: Windows 10 TPM 2.0 Client Authentication in TLS 1.2 with RSA PSS making trouble.

" ... By disabling RSA PSS on the Client, the Client uses another cipher to sign the packet and then it works. ... "

" ... Keep in mind that this is only a workaround and should not be used as a final solution. We are actually still working with Microsoft on a solution. It's still not 100% clear if it's the TPM that is making the issue or if it is the OS. ... "

Maybe versions of ISE earlier than 3.1 handle RSA PSS differently than ISE 3.1.

Hi @Arne Bier,

take a look at the following post: TLS Handshake fail ISE 3.1

" ... Opened a TAC Case and it seems that 3.1 using a different SSL library/version. In Patch 4 which should arrive in October you're able to choose the different Ciphers, ISE will use to negotiate with the Client so you can disable the RSA PSS which causes this problems... "

 

Regards
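The RSA-PSS behaviour discussed in the last few posts (a Windows 10 TPM client signing the TLS 1.2 CertificateVerify with an RSA-PSS scheme that ISE 3.1's SSL library rejects) can be confirmed from a capture before touching any client or ISE setting. The script below is an added diagnostic example, not code from this thread, from Cisco or from Microsoft: given TLS 1.2 handshake records, it reports which signature schemes the server's CertificateRequest offered and whether the client's CertificateVerify used an RSA-PSS scheme. It assumes the inner TLS records have already been reassembled out of the EAP-TLS fragments (that step is not shown), and the sample bytes are constructed, not a real capture.

```python
import struct

HANDSHAKE, CERT_REQUEST, CERT_VERIFY = 0x16, 13, 15   # record content type, handshake message types
# Signature scheme code points (IANA TLS SignatureScheme registry, also used in TLS 1.2 handshakes).
RSA_PSS_SCHEMES = {0x0804: "rsa_pss_rsae_sha256", 0x0805: "rsa_pss_rsae_sha384", 0x0806: "rsa_pss_rsae_sha512",
                   0x0809: "rsa_pss_pss_sha256", 0x080A: "rsa_pss_pss_sha384", 0x080B: "rsa_pss_pss_sha512"}
OTHER_SCHEMES = {0x0401: "rsa_pkcs1_sha256", 0x0501: "rsa_pkcs1_sha384", 0x0403: "ecdsa_secp256r1_sha256"}
def scheme_name(code):
    return RSA_PSS_SCHEMES.get(code) or OTHER_SCHEMES.get(code) or f"unknown(0x{code:04x})"
def iter_handshake_messages(record):
    """Yield (msg_type, body) for each handshake message in one TLS record."""
    ctype, _version, length = struct.unpack("!BHH", record[:5])
    if ctype != HANDSHAKE or len(record) != 5 + length:
        raise ValueError("not a complete TLS handshake record")
    payload, off = record[5:], 0
    while off < len(payload):
        msg_len = int.from_bytes(payload[off + 1:off + 4], "big")
        yield payload[off], payload[off + 4:off + 4 + msg_len]
        off += 4 + msg_len

def parse_cert_request(body):
    """Schemes the server will accept (TLS 1.2 CertificateRequest), as a list of code points."""
    off = 1 + body[0]                                   # skip the certificate_types vector
    algs_len = struct.unpack("!H", body[off:off + 2])[0]
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(off + 2, off + 2 + algs_len, 2)]

def analyse(records):
    """Summarise what the server offered and what the client signed with across the captured records."""
    report = {"server_offers_pss": False, "client_signed_with_pss": False, "client_scheme": None}
    for record in records:
        for msg_type, body in iter_handshake_messages(record):
            if msg_type == CERT_REQUEST:
                report["server_offers_pss"] = any(c in RSA_PSS_SCHEMES for c in parse_cert_request(body))
            elif msg_type == CERT_VERIFY:               # TLS 1.2 CertificateVerify starts with the scheme
                code = struct.unpack("!H", body[:2])[0]
                report["client_scheme"] = scheme_name(code)
                report["client_signed_with_pss"] = code in RSA_PSS_SCHEMES
    return report

def hs_msg(msg_type, body):                             # handshake header: type + 3-byte length
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body
def tls_record(*msgs):                                  # record header: 0x16, TLS 1.2, 2-byte length
    payload = b"".join(msgs)
    return struct.pack("!BHH", HANDSHAKE, 0x0303, len(payload)) + payload

# Constructed sample (not a real capture): server accepts rsa_pkcs1_sha256 and rsa_pss_rsae_sha256; the Windows client then signs with rsa_pss_rsae_sha256 (the failing case).
SAMPLE_PSS = [tls_record(hs_msg(CERT_REQUEST, b"\x01\x01\x00\x04\x04\x01\x08\x04\x00\x00")),
              tls_record(hs_msg(CERT_VERIFY, b"\x08\x04\x00\x04\xde\xad\xbe\xef"))]
# The same client with RSA-PSS disabled falls back to rsa_pkcs1_sha256.
SAMPLE_PKCS1 = [tls_record(hs_msg(CERT_VERIFY, b"\x04\x01\x00\x04\xde\xad\xbe\xef"))]
```

If `client_signed_with_pss` is true for a failing authentication, the thread's description applies; if the server never offers an RSA-PSS scheme in its CertificateRequest, a compliant client cannot pick one, which is what the cipher selection added in ISE 3.1 Patch 4 is meant to control.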