Change clock in ISE without impacting existing device admin via TACACS

a.maldonado
Level 1

My ISE cube is made up of two nodes. I just enabled device admin to manage a few switches/routers via TACACS and it is working as expected. However, I noticed the system clock in ISE is different to the one of the routers/switches and to that of the AD controller.

The AD controller is set up with a time zone of UTC and the clock is correct. The switches/routers are using BST and their clock is also correct. ISE has it as UTC but it is one hour behind. I thought it would be a matter of just adjusting the clock in ISE using the command clock set Sep 15 15:00:00 2021 but soon after I executed this command, I lost management access to the routers/switches via TACACS. Luckily, I did not save the configuration and rebooted ISE. When it came back up the clock went to be one hour behind again and I regained access to the NADs via TACACS.

How can I set up the clock in ISE to match that of AD and the NADs without losing management via TACACS to the existing NADs? I would also like to change the time zone in ISE from UTC to BST.

I need to solve this issue before I go ahead and configure the rest of our network devices estate to use TACACS.

Your help will be much appreciated.


balaji.bandi
Hall of Fame

First I would advise creating a local account, and your AAA config should fall back to the local admin in case ISE fails - this is always the suggested approach.

Second, changing NTP should not cause any issue as far as I am aware. I would suggest using an NTP server.

If you would like to change it, change as below (for BST):

#clock timezone GB

#ntp server x.x.x.x

# show ntp

BB


I will try your suggestion Balaji tomorrow and let you know.

Will I need to use the clock command to set up the clock?

Balaji,

I was trying the commands you sent me but soon after changing the timezone I got prompted with the below messages.


% On ise distributed deployments, it is recommended all nodes be
% configured with the same time zone.
% Changing the time zone may result in undesired side effects
% Recommended to reimage the node after changing the time zone

Does anybody know if I need to reimage?

As I mentioned in my 9/15 reply, reimage is the strongly recommended approach. The problems that may arise due to changing the timezone manually will cause many hours of avoidable troubleshooting.

Thank you Marvin,

So by reimaging the box will I have to sync it again with AD, add all the NADs and configure the policies for network admin, etc.?

In a 2-node deployment you can re-image the nodes one at a time and then rejoin them.

Start with the Secondary PAN, reimage and join the deployment. Join the node to AD and once everything is synced and healthy, promote it to Primary. Then repeat for the other node.

Marvin Rhoads
Hall of Fame

Changing the timezone on an ISE server or deployment is generally not advised. It has been problematic and known to cause instability for the entire deployment. The suggested method is to rebuild new nodes with the correct desired timezone from scratch.

If your timezone is correct but reflecting the incorrect time then the suggested method is to use a valid NTP server.

Hi Marvin,

The ISE cube was set up by a contractor a few months ago. The time zone is UTC and an hour and some minutes behind our AD and NADs.

I just started using it for device admin only and have a few NADs being managed via TACACS, so I guess it is going to cause problems; I better do it now than later.

Thank you for your comments.

Hi,

Changing the timezone should not impact your TACACS access unless it went
out of sync with AD. Are you using LDAP or LDAPS with AD? For LDAPS,
changing clock might be a problem for certificate validation. That is the
only thing I can think of. Otherwise, it should be fine.


Hi Mohammed,

I am not sure if we are using LDAP or LDAPS. I will find out tomorrow and get back to you.

Thank you for your reply.

Hi,

Changing the clock will break AD as an external identity source if ISE is configured that way and will go out of sync. It happened to me.
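
An added example, not part of any reply in this thread: a pre-change check that converts the displayed clocks of AD, a switch and ISE to UTC and reports the real skew between them, so a display difference caused by UTC versus BST is not mistaken for drift. The readings are constructed, the function names are hypothetical, and the 5-minute limit assumes Active Directory's default Kerberos clock-skew tolerance.

```python
from datetime import datetime, timedelta, timezone

# Fixed offsets for the two zones named in the thread (BST = UTC+1).
ZONES = {"UTC": timezone.utc, "BST": timezone(timedelta(hours=1), "BST")}

# Assumption: Active Directory's default Kerberos clock-skew tolerance (5 minutes).
MAX_SKEW = timedelta(minutes=5)


def to_utc(wall_clock: str, zone: str) -> datetime:
    """Turn a displayed 'YYYY-MM-DD HH:MM:SS' reading plus zone name into UTC."""
    naive = datetime.strptime(wall_clock, "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=ZONES[zone]).astimezone(timezone.utc)


def skew_report(reference, readings, max_skew=MAX_SKEW):
    """Compare each device to the reference clock in UTC.

    reference: (wall_clock, zone); readings: {name: (wall_clock, zone)}.
    Returns {name: (skew_seconds, within_tolerance)}.
    """
    ref = to_utc(*reference)
    report = {}
    for name, (wall_clock, zone) in readings.items():
        skew = to_utc(wall_clock, zone) - ref
        report[name] = (int(skew.total_seconds()), abs(skew) <= max_skew)
    return report


# Constructed readings, all taken at the same moment (not values from the thread).
AD = ("2021-09-15 14:00:00", "UTC")
READINGS = {
    "switch (BST)": ("2021-09-15 15:00:02", "BST"),
    "ise (UTC, as found)": ("2021-09-15 13:57:10", "UTC"),
    # A UTC node whose clock has been set to the BST wall-clock time.
    "ise (UTC, after clock set 15:00)": ("2021-09-15 15:00:00", "UTC"),
}

if __name__ == "__main__":
    for name, (secs, ok) in skew_report(AD, READINGS).items():
        print(f"{name:34s} skew={secs:+6d}s  {'ok' if ok else 'EXCEEDS TOLERANCE'}")
```

With these sample values the BST switch and the untouched ISE node are within tolerance of AD, while the UTC node set to the BST wall-clock time is a full hour ahead.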
