Solved: [Solved] making cisco ise from 2 different deployment site into 1 cluster

alldino.s · ‎02-05-2018

Hi all,

I have question related to Cisco ISE deployment, our client have 2 site that currently deploy cisco ISE.

the problem is that 2 deployment site that already operational wanted to join into 1 cluster so it can be manage into 1 cluster only, since both site manage by their own IT.

below are the configuration each site :

Site A has 4 nodes of ISE Appliance ( 1 ADM, 1 MNT, 2 PSN) using ISE 2.1

Site B has 4 nodes of ISE Appliance ( 1 ADM, 1 MNT, 2 PSN) using ISE 2.3

both site A & B have different configuration and also the endpoint that registered to both site.

could that be possible to make into 1 cluster and how to do it ?

should 1 site need to de-register the cluster and joined into the other site in order to achieve it ?

if anyone have done it, could you share the steps on doing this ?

Updates : I've found my answer, Please refer to my answer :)

Thank You

Dino

alldino.s · ‎08-01-2018

Hi dselfrige,

as I've already done the integration, here is what I have prepare for this integration just for reference :

1. The ISE OS need to be the same version, for ex. 2 nodes using 2.3 and other 2 nodes using 2.0, those node need to be in the same version OS and also patch version. this is also including your CA Root certificate need in the same domain, because when you register the node to the cluster you intended to join, it will check if the CA Root certificate.

2. If you have firewall on your network, make sure you do the open port, you could find the required port here : https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/install_guide/b_ise_InstallationGuide23/b_ise_InstallationGuide23_chapter_0110.html

3. You need to select the master node for the admin node and copy the config to that master node (admin node).
This is the process where you need to copy the config to the node where it is going to be the master, because you need to de-register the other cluster and join it to the cluster where it need to be in 1 cluster and any different config will be replace by the master admin in that cluster.

4. Do backup for Configuration, Operational Data, Endpoint Data, Certificate, Policy, License (if possible).

5. Prepare the license, you could re-host the license to cisco and combine it into 1 license management, just make sure you request the right license :) as this is crucial when the cluster in production

6. Do assessment with your ISE Box scalability, you could find the information here : https://community.cisco.com/t5/security-documents/ise-performance-amp-scale/ta-p/3642148

7. Do open proactive case to Cisco TAC (if possible), this is just precaution to prepare your integration in the smooth way and discuss your plan with TAC and ask their opinion on your integration plan.

for your question :
"So 2 different hostnames. is this possible?"
did you mean the ISE hostname ?, if it yes the it could work fine, but if you change the hostname of the ISE, you need to re-install the box from beginning, as there are some case the service will not start if the hostname change.

If you talking about the CA Root Certificate, it should be under the same CA Root Certificate.

Here's some note from TAC when I open proactive case, that you should be aware :
1- The only things you need to take into account are the followings: Same version and patch, if using 3rd party certs make sure that both clusters have the same CA chain, nodes should be registered for the licenses, make sure nodes are reachable via ip address and hostname.
2- If you are able to do a re-install that might be recommended, so in that way you don’t take any previous issue that might be affecting the node but you have a fresh installed.
3 - For deployment operations, just make sure that nodes are reachable each other and able to resolve DNS properly.
4 - When the SAN is promoted to become a PAN node, it cannot automatic do restore it is replication session to all of the ISE nodes, so manual replication sync is required.

if you have another question please let me know :)

Thank You
Dino

View solution in original post

dselfridge · ‎02-22-2018

I have a similar problem, although my 2 clusters are in the same sites.

One is providing guest portal functionality (2 nodes cluster) and the other is doing the EAP for the 'internal' clients (again 2 nodes)

I want to merge the 2 into one, 4 node cluster to simplify licensing, configuration and maintenance.

My thinking is to configure the EAP functionality onto the Guest cluster and try it out with a test SSID. I need to ensure AD integration works and certificates are correct.

Here's the kicker, the hostnames and the certificates. The guest users need a public CA signed Cert (using ise.customer.com) and the internal users need a corporate CA signed cert (using ise.customer.net).

So 2 different hostnames. is this possible?

alldino.s · ‎08-01-2018

Hi dselfrige,

as I've already done the integration, here is what I have prepare for this integration just for reference :

1. The ISE OS need to be the same version, for ex. 2 nodes using 2.3 and other 2 nodes using 2.0, those node need to be in the same version OS and also patch version. this is also including your CA Root certificate need in the same domain, because when you register the node to the cluster you intended to join, it will check if the CA Root certificate.

2. If you have firewall on your network, make sure you do the open port, you could find the required port here : https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/install_guide/b_ise_InstallationGuide23/b_ise_InstallationGuide23_chapter_0110.html

3. You need to select the master node for the admin node and copy the config to that master node (admin node).
This is the process where you need to copy the config to the node where it is going to be the master, because you need to de-register the other cluster and join it to the cluster where it need to be in 1 cluster and any different config will be replace by the master admin in that cluster.

4. Do backup for Configuration, Operational Data, Endpoint Data, Certificate, Policy, License (if possible).

5. Prepare the license, you could re-host the license to cisco and combine it into 1 license management, just make sure you request the right license :) as this is crucial when the cluster in production

6. Do assessment with your ISE Box scalability, you could find the information here : https://community.cisco.com/t5/security-documents/ise-performance-amp-scale/ta-p/3642148

7. Do open proactive case to Cisco TAC (if possible), this is just precaution to prepare your integration in the smooth way and discuss your plan with TAC and ask their opinion on your integration plan.

for your question :
"So 2 different hostnames. is this possible?"
did you mean the ISE hostname ?, if it yes the it could work fine, but if you change the hostname of the ISE, you need to re-install the box from beginning, as there are some case the service will not start if the hostname change.

If you talking about the CA Root Certificate, it should be under the same CA Root Certificate.

Here's some note from TAC when I open proactive case, that you should be aware :
1- The only things you need to take into account are the followings: Same version and patch, if using 3rd party certs make sure that both clusters have the same CA chain, nodes should be registered for the licenses, make sure nodes are reachable via ip address and hostname.
2- If you are able to do a re-install that might be recommended, so in that way you don’t take any previous issue that might be affecting the node but you have a fresh installed.
3 - For deployment operations, just make sure that nodes are reachable each other and able to resolve DNS properly.
4 - When the SAN is promoted to become a PAN node, it cannot automatic do restore it is replication session to all of the ISE nodes, so manual replication sync is required.

if you have another question please let me know :)

Thank You
Dino

dselfridge · ‎08-02-2018

Thank you Dino,

Very Helpful.

My question around hostnames could have been a bit clearer.

What I meant was that the 2 authentication methods (Corporate EAP and Guest Web-Auth) are on different domains and each has certificates to match those. e.g. one is customer.com - for the public cert used for guest access and the other is customer.net - for the internal CA provided cert to authenticate corporate devices.

Can I retain those 2 domain suffixes? On the same, new, 4 node cluster?

alldino.s · ‎08-02-2018

Hi dselfridge,
I think that's may possible and not possible as it already using different tld (top level domain). But if you using different sub domain i think it is possible for ex. Employee.customer.com for employee and guest.custumer.com for guest access.

I've read some case about it, here's the easy one to understand : https://community.cisco.com/t5/policy-and-access/ise-identity-certificate/td-p/2450487

And here's some explaination document i've read : https://community.cisco.com/t5/security-documents/how-to-implement-ise-server-side-certificates/ta-p/3630897

If you have vm environment it will be better to test it there :), before do the integration and will be better if you could ask TAC about it since i dont have any experience with that case.

That's a good question from you, I kind curious too about it :).

Thank you
Dino