Solved: Migrating pxGrid-PassiveID service from standalone to distributed environment in ISE

jasonyeap · ‎05-26-2021

Hi, am planning to shift my pxGrid service (Passive authentication for FMC) from one of my existing VM to new distributed appliance environment.

Setup:

Existing - 1 single node (cater all the roles)
New - 7 nodes
- 1 x PAN (P) & MNT (S)
- 1 x PAN (S) & MNT (P)
- 5 x PSN

My plan is to enable pxGrid service in one of the PSN node only.

My question as below:

- In my FMC, do I require to add my PAN/MNT? Or just the pxGrid node subscriber

- For ports requirement > link , do I need to enable port service for other nodes, even only one node using the pxGrid service (attached my firewall port requirement)

lrojaslo · ‎05-26-2021

it is not required to be enabled on MNT (requires port 8910 communication with FMC), just PSN Pxgrid node.

Things to consider:

- Confirm version support between ISE / FMC

- You might consider having a second Pxgrid node for redundancy.

- Just follow the config guide and you should be fine.

View solution in original post

lrojaslo · ‎05-26-2021

For pxgrid with FMC, you will need to have 1 pxgrid controller (pxgrid node) and also MNT node communication to perform bulk downloads.

Ports need to be open for Pxgrid node and MNT only.

jasonyeap · ‎05-26-2021

Hi Irojaslo,

For pxGrid service enablement:

- If I were to enable on a PSN node, do primary & secondary MNT needs to enable the service?

For ports required:

- Do I need to include both primary & secondary MNT?

- Any best practice?

7 nodes in new environment

1 x PAN (P) & MNT (S)
1 x PAN (S) & MNT (P)
5 x PSN

lrojaslo · ‎05-26-2021

it is not required to be enabled on MNT (requires port 8910 communication with FMC), just PSN Pxgrid node.

Things to consider:

- Confirm version support between ISE / FMC

- You might consider having a second Pxgrid node for redundancy.

- Just follow the config guide and you should be fine.