These are few tips that will help you with your first deployment of ISE. For advanced tips, please read Advanced ISE tips to make your deployment easier

Don’t get locked out of the system

During the ISE installation you are asked to enter a username and a password for the super user account. Once entered, the ISE installation script adds an account for the ISE GUI and the CLI. However, these two accounts are not the same account, the installation script is merely creating one of each with same credential during the installation. Once added, you will have to manage them independently. Another difference between the accounts is that the CLI account is specific to each node, whereas the GUI admin account is replicated to the secondary nodes (Non primary admin node) in a distributed deployment. One frequent issue new ISE administrators run into is with password expiry and the lock out policy. The default password expiry is set to 45 days and the lock out timeout is for 15 minutes for both the CLI and the GUI. Imagine you are trying to troubleshoot the access issue and you can’t login to the UI due to lock out policy. To avoid surprises, adjust these settings as needed. Here are the default settings as of ISE 2.6 on the CLI:

Matching GUI admin settings can be located at Administration > System > Admin Access:

• Authentication > Password Policy
• Authentication > Account Disable Policy
• Authentication > Lock/Suspend Settings

Few suggestions depending on your security policy:

• Create alternate super admin account for both CLI and GUI
• Use longer password expiry period than default
• Use shorter lock out period than default

Lastly, in case you get locked out and need to reset the password for the admin account.

• GUI: run 'application reset-passwd ise admin' from the exec mode CLI
• CLI: Use ISE install ISO disk or image to boot the system and select option 3 or 4 which reads 'System Utilities' or 'Recover administrator password' depending on the version of the boot image and follow the steps.

For more information please read ISE Password Recovery Mechanisms

Supported browser

The browser problem can manifest itself in many different ways, but typical issues may be:

• UI doesn't look right
• Can't save settings
• Not seeing expected result

Make sure to check out the compatibility documents and confirm the browser is supported for admin GUI

Enable full visibility

ISE is shipped with most of best practices settings turned on by default. These settings ensure that ISE deployments can scale up to the specification. Some of the settings that are turned on by default are for suppressing repeated failed and repeated successful RADIUS requests. It is important to leave these settings on for any sizable deployment, but these settings could hamper visibility into the issues when you are trying to troubleshoot the initial ISE setup. For initial install, follow these steps so you have visibility into all the authentication requests that reaches ISE regardless of their status:

1. Go to Administration > System > Settings
2. On the left-hand-side of the screen, click Protocols > RADIUS
3. Uncheck ‘Suppress repeated failed clients’
4. Uncheck ‘Suppress repeated successful authentications’
5. Check 'Disclose invalid usernames' (This setting reveals username for bad password events. Depending on the version of ISE and patch it may only be set temporarily)

Note: Once the initial pilot stage is complete and ISE policies have been validated, make sure to turn these settings back to default

Update ISE with latest profiler feed (AND posture update) to reduce unknown endpoint count

ISE releases or patches doesn’t come with latest profiler feed update. What this means is that newly introduced end points such as new iOS, Android devices or even Cisco AP may not get profiled properly upon installation. Now, ISE profiler feed is enabled by default to get updates around 1AM per configured timezone on the admin node so should help reduce unknown endpoints provided that ISE can reach Cisco services through the Internet. Make sure to allow ISE get access to the Internet so it can get latest feed updates. Aside from the feed update, ISE also relies on posture update for profiling when it comes to web browser user agent strings. Unlike feed service, posture update is not enabled by default. To configure the posture update behavior:

1. Go to Administration > System > Settings
2. On the left-hand-side of the screen, click Posture > Updates
3. Click Update Now to download user agent string database from Cisco. Note the version of the ‘Cisco supported OS version’ under Update Information pane below
4. You can also enable periodic update from here as well

Creating first policy set

Best policy is one that is easy to read. Don’t put all policy rules into single or default policy set, it will make the policy conditions complex and hard to read. Use following table as template and customize it for your environment.

Note: I am listing wireless access first as wireless endpoints tend to be chatty in terms of authentication compared to wired access. For more information on the policy construct please read ISE Authentication and Authorization Policy Reference

Understanding ISE Live Logs status

Operations > RADIUS > Live Logs

ISE Live Logs page is where you will be spending most of your time within the ISE GUI. This is where all authentication events are presented in real time. There are 3 distinct status; Auth Passed, Auth Failed, and Session. 

Understanding ISE Live Sessions status

Operations > RADIUS > Live Sessions

While ISE Live Logs page provide events in real time, Live Sessions page can be used to view sessions that ISE is maintaining at given point in time. As noted in the ISE Live Logs section above, sessions are successful authentication event that ISE received RADIUS accounting Start for. You may be wondering what happens if ISE doesn’t receive RADIUS accounting start from the network device for a give session? Even if ISE doesn’t receive RADIUS accounting start, ISE will maintain it, but for shorter duration. ‘Started’ status means ISE received accompanying RADIUS accounting start whereas ‘Authenticated’ status means ISE received RADIUS authentication request that was successfully authenticated, but there was no RADIUS accounting start. For authentications with missing RADIUS accounting start, ISE only maintains session for 1 hour. When ISE isn’t maintaining the session, you end up with endpoints on the network but is not visible to ISE as connected endpoint as such ISE cannot send CoA which may break many of the advanced ISE use cases. Another case of ‘Authenticated’ is where ISE is configured with passive ID and/or Easy Connect. In these cases, ISE learned that a AD domain user was authenticated via WMI or AD agent but there were no RADIUS accounting received related to the same endpoint IP address. There are additional session status and following table summarizes the different session status: