cancel
Showing results for 
Search instead for 
Did you mean: 
cancel

Troubleshooting ISE installations

1053
Views
5
Helpful
0
Comments

 

Introduction

This document describes the multiple ISE installation scenarios.

Prerequisites

  • ISE

Scenario 1:Cisco ISE and WLC Access-List Design/Scalability

Problem:

User have a scenario whereby wireless clients are authenticated by the ISE and different ACLs are applied to it based on the rules on ISE. User is observing the limitation on the Cisco WLC which limit only 64 access-list entries. As the setup has only a few SVI/interfaces and multiple different access-lists are applied to the same interface base on the user groups; He was wondering if there may be a scalable design/approach whereby the access-list entries may scale beside creating a vlan for each user group and applying the access-list on the layer 3 interface instead? He have illustrated the setup below for reference:
 
User group 1 -- Apply ACL 1 --On Vlan 1 
User group 2 -- Apply ACL 2 -- On Vlan 1
User group 3 -- Apply ACL 3 -- On Vlan 1
The problem is only seen for wireless users, it is not seen on wired users as the ACLs may be applied successfully without any limitation to the switches.
 
Solution:
Actually, you have limitations on the switch side as well. Lengthy ACLs can deplete the switch's TCAM resources. Take a look at the link mentioned below:
Cisco Doc
 
The new WLCs that are based on IOS XE and not the old Wireless/Aironet OS will provide the a better experience when it comes to such issues. Overall, there are three ways to overcome current issue:
  1. Shrink the ACLs by making them less specific
  2. Utilize the L3 interfaces on a L3 switch or Firewall and apply ACLs there
  3. Use SGT/SGA

Scenario 2: ISE 1.2 Time Zone

Problem:

User have a ISE 1.2 pair, v9 patch installed and sychronized. Recently time zone changed to summer time which is one hour later. In the CLI user can see that the reference is sent by NTP and the clock has changed but while monitoring he can still see that there is an hour difference from real time. He read in Cisco official documentation that time cannot be changed on ISE or else it will become unusable but the logs are not being timestamped correctly and also the time the RADIUS request are made by NAD vs the time they are recieved by ISE have one hour difference.
Is there a way to solve this? it seems to be prone to any kind of unexpected behaviour when we are least expecting it.

Solution:

It seems that it is a bug (Related to the timezone). The base OS (Cent/ADE OS) appears to be running fine and keeping track of DST (Day light savings) but the actual application (ISE) installed on Cent is not. I don't believe that NTP pushes/honors timezones. I think NTP just synchronizes the clock while timezones/DST is controlled locally. 
However, if we take Eastern Time Zone for example. I had to make sure that I select "EST5EDT" in ISE and not just EST. If I simply selected EST then DST was not observed and made things ugly. The same applied for Pacific timezone where I had to make sure that I select "PST8PDT" With all of that being said, I checked the CLI in ISE and I don't see any Chile related time zones that would indicate DST observations. You can check for those yourself by using the following command "show timezones"
I was able to find these but perhaps there are more and a specific one to CST/CLST. I tried searching for those but could not find anything:
You are correct about being able to change the timezone in CLI. If you do that TAC will not support the product anymore if any odd issues are to arise. With that being said, I have changed the timezone before and the system continued to work as expected without any issues. So I will leave it up to you on how you would proceed. The only other option is to re-image the nodes. 
 

Scenario 3: ISE 1.2 - Multiple NICs/Load Balancing for DHCP Probe

Problem:

Just prepping an ISE 1.2 patch 8 setup in our organization. User is going for the virtual appliances with multiple NICs. It will be a distributed deployment with 4 x PSNs behind a load balancer and there is no requirement for wireless or guest user at the moment. User have got 2 points he will like to get some guidance on:
DC has a dedicated mgmt network and he plan to IP the gig0 interface of the PANs, MNTs and PSNs from this subnet. All device admin, clustering, config replication, etc will be over this interface. However, RADIUS/probe/other user traffic to the ISE PSNs will be over the gig1 interface which will be addressed from another L3 network. Is this a supported configuration in ISE?
I intend to use the DHCP probe as part of device profiling and will ideally like to have just an additional ip helper to add to our switch SVI config. Also, it will appear that WLCs can only be configured for 2 DHCP servers for a given network so another consideration for when we bringing our WLAN in scope. We however use ACE load balancers within our DC and from what I have read, they do not support DHCP load balancing. Are there any workarounds to using the DHCP probe with multiple PSNs without having to add each node as an ip helper/DHCP server on the NADs?
 
Solution:

For Question #1:

Management is restricted to GigabitEthernet 0 and that cannot be changed so you should be good there You can configure Radius and Profiling to be enabled on other interfaces Even though you are not using guest services yet, you can dedicate an interface just for that. As a result, you can separate guest traffic completely from your production network.
Take a look at this link for more info:
http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/installation_guide/ise_ig/ise_app_c-ports.html

For Question #2

If you are using a Cisco WLC and running code 7.4 and newer you don't need to mess with the IP helper configurations. The controller can be configured to act as a collector for client profiling and interact with the DHCP thread along with the RADIUS accounting task that is running on the controller. The controller receives a copy of the DHCP request packet sent from the DHCP thread and parses the DHCP packet for two options:

–Option 12—HostName of the client
–Option 60—The Vendor Class Identifier

After this information is gathered from the DHCP_REQUEST packet, a message is formed by the controller with these option fields and is sent to the RADIUS accounting thread, which is in turn transmitted to the ISE in the form of an interim accounting message. Both DHCP and HTTP profiling settings are located under the "Advanced" configuration tab in the WLC
On the other hand, you can also use Anycast for profiling. You can check out some of Cisco Live's sessions for more info on that. Here is one that is from a couple of years (There are more recent ones that are available as well):

http://www.alcatron.net/Cisco%20Live%202013%20Melbourne/Cisco%20Live%20Content/Security/BRKSEC-3040%20%20Advanced%20ISE%20and%20Secure%20Access%20Deployment.pdf

Source Discussion