Migration of BYOD users from old to new ISE cluster

nayashai@cisco.com
Cisco Employee

Hi Team,

I am currently working on a project where we are migrating BYOD users from the old cluster to the new cluster. We can export the endpoints from the old PAN and import them into the new PAN.

I would like to check whether we can migrate the BYOD users using the following method to avoid the downtime issue (without going through the registration process again).

Before migration:

  • Export the certificate and break the ISE06 (PSN) node out of the existing cluster
  • Upgrade to version 2.4
  • Join it to the new cluster and import the certificate

Thanks,

Nayab Shaik


3 Replies

Jason Kunst
Cisco Employee
If you’re not worrying about registered status and managing in My Devices, then you can just trust the root that onboarded the BYOD device certificate, and they would just connect without problems.

Not sure why you would need to even bother with the MAC addresses?

Hi Jason,

Thanks for the response.

How can we make sure that all the BYOD machines have the new cluster's ISE root CA? Currently the BYOD devices have the present cluster's root CA. When we make changes on the NAD to point the requests to the new cluster's PSN, the BYOD device registration process kicks in again. The customer has 2500 BYOD devices; how can we avoid the BYOD registration process?

Jason Kunst
Cisco Employee
If it’s a completely new deployment, then you’re going to run into problems. This is a separate certificate. There is no way to update the endpoints; they are unmanaged and you have no control over them.

You still will need to onboard them in the new deployment regardless. Otherwise you will have no visibility of their endpoint certificates.

Is there a reason you’re sending them to a new deployment?

Why not do a split upgrade and maintain everything? Take a set of PAN/MNT/PSN, update it, and migrate the deployment?
https://community.cisco.com/t5/security-documents/ise-upgrades-best-practices/ta-p/3656934
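The trust problem behind both of Jason's replies, as an added example that is not code from this thread or from Cisco ISE: a PSN in the new deployment accepts a BYOD client certificate only if it chains to a root in its trust store, so a certificate issued by the old cluster's root is rejected until that old root is trusted. The two cluster roots (old-cluster-root, new-cluster-root) and the device certificate are constructed stand-ins, and the PSN's EAP-TLS check is modelled as a plain X.509 chain verification with Go's standard library.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue creates a key pair and certificate for cn, signed by parent (self-signed when parent is nil).
// ca=true yields a CA (stand-in for an ISE cluster root CA), otherwise a BYOD-style client certificate.
func issue(cn string, ca bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: ca, BasicConstraintsValid: ca,
	}
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil {
		parent, parentKey = t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// psnAccepts models the PSN's chain check: the client certificate must chain to a trusted root.
func psnAccepts(device *x509.Certificate, trusted ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, c := range trusted {
		pool.AddCert(c)
	}
	_, err := device.Verify(x509.VerifyOptions{Roots: pool})
	return err == nil
}

// migrationCheck: is a device onboarded on the old cluster accepted by a PSN trusting only the new root, and by one that also trusts the old root?
func migrationCheck() (newRootOnly, oldRootImported bool) {
	oldRoot, oldKey := issue("old-cluster-root", true, nil, nil)
	newRoot, _ := issue("new-cluster-root", true, nil, nil)
	device, _ := issue("byod-device-1", false, oldRoot, oldKey) // constructed: onboarded on the old cluster
	return psnAccepts(device, newRoot), psnAccepts(device, newRoot, oldRoot)
}

func main() {
	a, b := migrationCheck()
	println("new root only:", a, "old root imported:", b) // false true
}
```

Importing the old root into the new deployment's trust store only fixes chain validation; the endpoints still have no registration or My Devices record in the new cluster, which is the visibility gap Jason points out.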