Jatin Katyal, Cisco Employee

Migrating Cisco ISE from On-Premises to Microsoft Azure Cloud

 

Introduction

This document provides a detailed guide for migrating Cisco Identity Services Engine (ISE) from an on-premises infrastructure to an Azure cloud deployment. It covers prerequisites, design considerations for high availability (HA), migration steps, and solutions for known challenges, such as UDP fragmentation.  

 

Prerequisites 

Before starting the migration, ensure the following: 

  • Azure Knowledge: Familiarity with Azure concepts (Virtual Machines, Virtual Networks, Availability Zones, Load Balancers, ExpressRoute, VPN Gateways). 
  • ISE Version: Use Cisco ISE 3.1 or later (3.3 or 3.4 recommended as of August 2025) for native Azure support. 
  • Licensing: Verify sufficient VM licenses in your Cisco Smart Account for Azure nodes. Existing licenses from on-premises deployments can be transferred to the cloud. When deploying via the Azure Marketplace, use the BYOL model to activate your instance with your current license. 
  • Network Connectivity: Plan for Azure ExpressRoute or Site-to-Site VPN for secure connectivity between on-premises and Azure. Ensure internode latency is below 300 ms for hybrid deployments. 
  • DNS Configuration: Update forward and reverse DNS entries for Azure-assigned IP addresses or configure static IPs post-deployment. 
  • Backup: Perform a full configuration and operational data backup of the on-premises ISE deployment (excluding ADE-OS). 
  • Azure Account: Access to the Azure portal with permissions to create Virtual Machines, Network Security Groups, and Load Balancers. 

 

Design Considerations for High Availability (HA) 

To ensure a resilient Azure deployment, follow these best practices for ISE node distribution and HA: 

Deployment Size 

  • Minimum Recommendation: For a medium-sized Cisco ISE deployment spanning two Azure sites with high availability (HA), deploy at least four nodes distributed between the two sites. Each site should host a combination of Policy Administration Node (PAN), Monitoring and Troubleshooting Node (MnT), and Policy Service Nodes (PSNs) to ensure redundancy and load distribution.
  • Example Setup for 4 Nodes:
    • Availability Zone 1 (AZ1):
      • VM1: Primary PAN, Primary Monitoring (MnT), Policy Service (PSN)
      • VM2: Secondary PSN
    • Availability Zone 2 (AZ2):
      • VM3: Secondary PAN, Secondary MnT, PSN
      • VM4: Secondary PSN
  • Scalability: Add PSN nodes in each Availability Zone for load balancing based on endpoint count and authentication traffic. Refer to the Cisco ISE Performance and Scalability Guide for VM sizing.

 

Load Balancing 

  • Azure Load Balancer: Place PSN nodes behind an Azure Load Balancer to distribute RADIUS and TACACS+ traffic. Configure health probes for TCP 49 (TACACS+).
  • Configuration:
    • Create a Standard Load Balancer in Azure.
    • Assign PSN nodes to the backend pool.
    • Configure the frontend IP and load balancing rules for UDP 1812/1813 (RADIUS) and TCP 49 (TACACS+).
    • Enable Floating IP to support session persistence.
  • Avoid Source NAT (SNAT) for NAD-Initiated Traffic: Do not use SNAT for RADIUS AAA traffic initiated by Network Access Devices (NADs) in Azure. SNAT hides the NAD's source IP, which ISE relies on for Change of Authorization (CoA), so CoA breaks.
  • Enable Session Persistence: Configure the Azure Load Balancer with "Client IP and protocol" session persistence so that all RADIUS authentication, authorization, accounting, and CoA packets for a session are routed to the same Policy Service Node (PSN).
  • Workaround for ISE-Initiated CoA (AWS-inspired): There is a way to handle CoA traffic in Azure without touching the SNAT behaviour of NAD-initiated RADIUS AAA sessions. Create a dedicated NAT Gateway for outbound CoA (UDP port 1700) and attach it to a separate subnet within your Virtual Network. Add a second network interface (NIC) to each Cisco ISE virtual machine on that subnet so CoA routing is segregated. In the ISE CLI, create a routing rule that sends all outbound traffic destined for UDP port 1700 through the second NIC so it leaves via the NAT Gateway. ISE-generated CoA packets are then SNAT'ed consistently to the NAT Gateway's public IP, which you can allow-list on your NADs, keeping CoA reliable while avoiding source IP obfuscation.
  • Use HTTPS Health Probes: Set up health probes on port 443 with the path /admin/login.jsp to verify PSN availability, so that CoA requests are only sent to healthy PSNs.
  • Secure Traffic with VPN: Use a Site-to-Site VPN to secure CoA traffic between NADs and the Azure Load Balancer, avoiding exposure over the public internet.
  • Test CoA Functionality: Regularly test CoA operations using tools like radtest to verify that reauthentication and session termination work correctly, monitoring the results in ISE's Log Analytics.
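As an added example (not from the original post or from Cisco), the internal Standard Load Balancer described above expressed in Terraform with the azurerm provider; the resource group, PSN subnet and frontend address are assumed placeholders.

```hcl
resource "azurerm_lb" "psn" {
  name                = "lb-ise-psn"
  location            = azurerm_resource_group.ise.location # assumed existing resource group
  resource_group_name = azurerm_resource_group.ise.name
  sku                 = "Standard"
  # Private frontend: NADs reach it over the VPN/ExpressRoute, never the public internet.
  # Azure LB is pass-through, so the PSN still sees the NAD's real source IP (no SNAT).
  frontend_ip_configuration {
    name                          = "psn-vip"
    subnet_id                     = azurerm_subnet.psn.id # assumed existing subnet
    private_ip_address_allocation = "Static"
    private_ip_address            = "10.10.20.100"        # placeholder VIP for the NADs
  }
}

resource "azurerm_lb_backend_address_pool" "psn" {
  loadbalancer_id = azurerm_lb.psn.id
  name            = "psn-pool"
}

# Probe the admin login page over HTTPS; a PSN that fails it is withdrawn
# from every rule below, so sessions (and CoA) only land on live nodes.
resource "azurerm_lb_probe" "psn_https" {
  loadbalancer_id = azurerm_lb.psn.id
  name            = "psn-admin-https"
  protocol        = "Https"
  port            = 443
  request_path    = "/admin/login.jsp"
}

locals {
  # One rule per AAA service: RADIUS auth/acct over UDP, TACACS+ over TCP.
  aaa_rules = {
    radius-auth = { protocol = "Udp", port = 1812 }
    radius-acct = { protocol = "Udp", port = 1813 }
    tacacs      = { protocol = "Tcp", port = 49 }
  }
}

resource "azurerm_lb_rule" "aaa" {
  for_each                       = local.aaa_rules
  loadbalancer_id                = azurerm_lb.psn.id
  name                           = each.key
  protocol                       = each.value.protocol
  frontend_port                  = each.value.port
  backend_port                   = each.value.port
  frontend_ip_configuration_name = "psn-vip"
  backend_address_pool_ids       = [azurerm_lb_backend_address_pool.psn.id]
  probe_id                       = azurerm_lb_probe.psn_https.id
  enable_floating_ip             = true               # Floating IP, as recommended above
  load_distribution              = "SourceIPProtocol" # "Client IP and protocol" persistence
}
```

The PSN VMs' NICs still have to be added to the backend pool (for example with azurerm_network_interface_backend_address_pool_association) for the rules to have any targets.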

 

PAN Failover 

  • Recommendation: Avoid enabling automatic PAN failover unless required for continuous automation or integrations. Manual failover is preferred to prevent unexpected service restarts. 
  • Configuration: Promote the secondary PAN manually via the ISE GUI if the primary PAN fails (Administration > System > Deployment). 

 

Network Security Groups (NSGs) 

  • Configure NSGs to allow necessary ISE ports (e.g., TCP 443, UDP 1812/1813, TCP 49). Refer to the Cisco ISE Ports Reference for a complete list. 
  • Allow internode communication for database synchronization (TCP 5432, 1521, etc.) with latency below 300 ms. 
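An added example (not part of the original post) of an NSG that admits only the ports listed above, each scoped to the source that legitimately uses it; the address ranges and resource group are assumed placeholders, and the internode ports are only the two the post names.

```hcl
locals {
  nad_cidrs   = ["10.1.0.0/16", "10.2.0.0/16"] # assumed on-prem NAD ranges, reached over VPN/ExpressRoute
  admin_cidrs = ["10.3.50.0/24"]               # assumed admin jump-host range
  ise_subnet  = "10.10.20.0/24"                # assumed subnet holding the ISE nodes
  # Inbound allow-list; add further internode ports from the Cisco ISE Ports Reference.
  nsg_rules = {
    radius-from-nads = { prio = 100, proto = "Udp", ports = ["1812", "1813"], src = local.nad_cidrs }
    tacacs-from-nads = { prio = 110, proto = "Tcp", ports = ["49"],           src = local.nad_cidrs }
    admin-https      = { prio = 120, proto = "Tcp", ports = ["443"],          src = local.admin_cidrs }
    admin-ssh        = { prio = 130, proto = "Tcp", ports = ["22"],           src = local.admin_cidrs }
    internode-sync   = { prio = 140, proto = "Tcp", ports = ["1521", "5432"], src = [local.ise_subnet] }
    # Health probes arrive from the AzureLoadBalancer service tag; without this rule the
    # explicit deny below would mark every PSN unhealthy.
    lb-health-probe  = { prio = 150, proto = "Tcp", ports = ["443"],          src = ["AzureLoadBalancer"] }
  }
}

resource "azurerm_network_security_group" "ise" {
  name                = "nsg-ise"
  location            = azurerm_resource_group.ise.location # assumed existing resource group
  resource_group_name = azurerm_resource_group.ise.name
}

resource "azurerm_network_security_rule" "ise_in" {
  for_each                    = local.nsg_rules
  name                        = each.key
  priority                    = each.value.prio
  direction                   = "Inbound"
  access                      = "Allow"
  protocol                    = each.value.proto
  source_port_range           = "*"
  destination_port_ranges     = each.value.ports
  source_address_prefixes     = each.value.src
  destination_address_prefix  = local.ise_subnet
  resource_group_name         = azurerm_resource_group.ise.name
  network_security_group_name = azurerm_network_security_group.ise.name
}

# Azure's built-in AllowVnetInBound rule (priority 65000) would otherwise admit any
# VNet source to every ISE port, so close that gap with an explicit deny above it.
resource "azurerm_network_security_rule" "ise_deny_rest" {
  name                        = "deny-other-inbound"
  priority                    = 4000
  direction                   = "Inbound"
  access                      = "Deny"
  protocol                    = "*"
  source_port_range           = "*"
  destination_port_range      = "*"
  source_address_prefix       = "*"
  destination_address_prefix  = "*"
  resource_group_name         = azurerm_resource_group.ise.name
  network_security_group_name = azurerm_network_security_group.ise.name
}
```

Attach the NSG to the ISE subnet with azurerm_subnet_network_security_group_association; the PSN-to-PSN and PAN-to-node sync traffic only passes because the internode-sync rule names the ISE subnet itself as the source.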

 

Azure Regions 

  • Azure drops out-of-order UDP fragments in some regions (see UDP Fragmentation below). If deploying in a region where this is not yet fixed, raise a Microsoft Azure support ticket to enable out-of-order fragment processing, or use a third-party VPN gateway (e.g., Cisco Catalyst 8000V). 

 

Migration Steps 

Follow these steps to migrate ISE from on-premises to Azure: 

 

Pre-Migration Steps 

  • Backup On-Premises ISE: 
    • Navigate to Administration > System > Backup & Restore in the ISE GUI. 
    • Perform a configuration backup and operational data backup (excluding ADE-OS). 
    • Download backups to a secure repository (e.g., Azure Blob Storage or on-premises server). 
  • Back Up the PKI Store (CA certificates and keys) from the CLI: 
    • Run the application configure ise CLI command. 
    • Select option 7 to export CA certificates and keys. 
    • Provide the repository name and encryption key. 
    • Confirm successful export of the CA key pairs. 
    • To restore the certificates later, use the same process with option 8. 
  • Document Current Configuration: 
    • Record node personas, IP addresses, hostnames, and policies. 
    • Note integration details (e.g., Active Directory, pxGrid, DNS, NTP). 
  • Verify Licenses: 
    • Confirm sufficient VM licenses in the Cisco Smart Account for Azure nodes. 
    • Register the new Azure deployment with the Smart Licensing portal post-migration. 

 

Deploy ISE in Azure 

  • Create Azure Virtual Machines: 
    • Log in to the Azure portal and navigate to Marketplace. 
    • Search for Cisco Identity Services Engine (ISE) and select the VM image. 
    • Configure the VM: 
      • Subscription and Resource Group: Select appropriate values. 
      • VM Name: Assign a unique name (e.g., ise-pan1-az1). 
      • Size: Choose a supported instance type (e.g., Standard_F32s_v2) per the Cisco ISE Performance and Scalability Guide. 
      • Authentication: Use SSH Public Key with username iseadmin. 
      • Disk Type: Select Premium SSD for production workloads. 
      • Network: Assign to the appropriate Virtual Network and Subnet. Configure a static IP post-deployment. 
    • Repeat for each node (minimum 3–4 nodes for HA). 
  • Configure User Data: 
    • Provide User Data during VM creation to automate ISE setup (e.g., hostname, DNS, NTP, password). Example: 
        hostname=ise-pan1-az1 
        primarynameserver=192.168.1.10 
        dnsdomain=example.com 
        ntpserver=192.168.1.11 
        timezone=UTC 
        password=Ch@ngePassw0rd 
        ersapi=yes 
        openapi=yes 
        pxGrid=no 
        pxgrid_cloud=no 
    • Note: the default username for the initial admin user is `iseadmin` and cannot be changed. 
  • Start VMs: 
    • Wait ~30 minutes for the ISE application to build. Access the CLI via SSH using iseadmin as the username and the specified password. 
    • If the CLI shell is not ISE-specific, check the Azure Serial Console for errors or verify the User Data syntax. 
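The same User Data passed from Terraform, as an added example that is not from the original post or from Cisco. It keeps the initial password out of the literal and shows the attributes the post calls for (iseadmin SSH login, Premium SSD, Standard_F32s_v2, AZ1); the resource group, NIC, key path and Marketplace image identifiers are assumed placeholders.

```hcl
variable "ise_admin_password" {
  type      = string
  sensitive = true # supplied at apply time, never written into the template
}

locals {
  # ISE reads these key=value lines from Azure user data on first boot; values other
  # than the password are the post's example settings.
  ise_user_data = <<-EOT
    hostname=ise-pan1-az1
    primarynameserver=192.168.1.10
    dnsdomain=example.com
    ntpserver=192.168.1.11
    timezone=UTC
    password=${var.ise_admin_password}
    ersapi=yes
    openapi=yes
    pxGrid=no
    pxgrid_cloud=no
  EOT
}

resource "azurerm_linux_virtual_machine" "ise_pan1" {
  name                  = "ise-pan1-az1"
  location              = azurerm_resource_group.ise.location        # assumed existing
  resource_group_name   = azurerm_resource_group.ise.name
  zone                  = "1"                                        # AZ1 in the 4-node design
  size                  = "Standard_F32s_v2"
  network_interface_ids = [azurerm_network_interface.ise_pan1.id]    # assumed existing NIC
  admin_username        = "iseadmin"                                 # fixed by ISE, cannot be changed
  # User data is readable from the VM's instance metadata and stored in Terraform state,
  # so rotate this initial password after the first GUI login.
  user_data = base64encode(local.ise_user_data)
  admin_ssh_key {
    username   = "iseadmin"
    public_key = file("~/.ssh/ise_admin.pub") # assumed key path
  }
  os_disk {
    caching              = "ReadWrite"
    storage_account_type = "Premium_LRS" # Premium SSD for production
  }
  # Marketplace image: fill in the offer/sku for your ISE release from
  # `az vm image list --publisher cisco --all`.
  source_image_reference {
    publisher = "cisco"
    offer     = "<ISE_OFFER>"
    sku       = "<ISE_SKU>"
    version   = "latest"
  }
  plan {
    publisher = "cisco"
    product   = "<ISE_OFFER>"
    name      = "<ISE_SKU>"
  }
}
```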

 

Restore Configuration

  • Register Nodes: 
    • Access the primary PAN via the ISE GUI at https://<ise_fqdn_or_ip_address>. 
    • Navigate to Administration > System > Deployment and register the secondary nodes (MnT, PSN) using their IP addresses or hostnames. 
  • Restore Backup (once the deployment nodes have completed their sync): 
    • Upload the on-premises configuration backup and, optionally, the operational backup to the primary PAN via Administration > System > Backup & Restore. 
    • Restore the configuration backup first, then the operational data (excluding ADE-OS) if required. 
    • Note: IP addresses and hostnames in the backup are tied to the original PAN. Update DNS and network configurations in Azure to match, or reconfigure them after the restore. 
  • Reintegrate Active Directory: 
    • Rejoin the Azure ISE nodes to Active Directory (AD) if using on-premises AD: 
      • Navigate to Administration > Identity Management > External Identity Sources > Active Directory. 
      • Create a new AD join point or update the existing one with the new IP addresses. 
    • For Azure AD (Entra ID), configure SAML or REST ID with Resource Owner Password Credentials (ROPC). See Cisco's guide for ISE 3.2 EAP-TLS with Azure AD. 
  • Update NAD Configurations: 
    • Update Network Access Devices (NADs) (e.g., switches, WLCs) to point to the new PSN IP addresses or the Load Balancer Virtual IP (VIP) address in Azure for RADIUS/TACACS+. 
    • Test connectivity incrementally to minimize downtime. 

 

Post-Migration Validation 

  • Verify Authentication/Authorization: 
    • Test 802.1X, MAB, and guest access policies via Operations > RADIUS > Live Logs. 
    • Ensure profiling works (e.g., check Context Visibility > Endpoints for correct device classification). 
  • Check HA: 
    • Simulate PAN failover by stopping the primary PAN and promoting the secondary PAN. 
    • Verify load balancer health probes and PSN failover. 
  • Monitor Performance: 
    • Use Operations > Reports to monitor authentication latency and resource usage. 

 

Addressing Known Challenges 

UDP Fragmentation  

  • Issue: Azure's virtual network stack drops out-of-order UDP fragments, causing RADIUS authentication failures (e.g., EAP-TLS). 
  • Solutions: 
    • Deploy in regions with fixes. 
    • Use a third-party VPN gateway (e.g., Cisco Catalyst 8000V) to encapsulate RADIUS traffic in IPsec, hiding the fragmentation. Configure IPsec per Cisco's guide. 
    • Enable RADIUS over DTLS (Datagram Transport Layer Security) for secure transport. 
    • Raise an Azure support ticket to enable out-of-order fragment processing in other regions. 

 

Profiling Limitations 

  • Issue: DHCP SPAN and CDP/LLDP profiling are not supported in Azure. 
  • Solution: 
    • Rely on other probes (e.g., HTTP, RADIUS) for endpoint profiling. 
    • Configure device sensors on switches to send CDP/LLDP data to ISE via RADIUS accounting. 
    • Create custom profiling policies in Work Centers > Profiler > Profiling Policies to match Azure-specific attributes. 

 

Latency

  • Issue: High latency (>300 ms) between on-premises and Azure nodes can impact database synchronization. 
  • Solution: 
    • Deploy identity stores (e.g., Azure AD) in the cloud to reduce latency. 
    • Use a site-to-site VPN with optimized routing. 

 

Integration with Azure AD 

  • SAML/ROPC: Configure ISE for Azure AD using SAML for admin access or REST ID with ROPC for user authentication. 
  • Steps: 
    • Navigate to Administration > Identity Management > External Identity Sources > Azure AD. 
    • Configure the Azure AD realm with client and hub information. 
    • Test the connection and set user session timeouts. 
  • Note: Azure AD tracks user objects, not machine objects. Use Microsoft Intune for device management if needed. 

 

Best Practices 

  • Site-to-Site VPN: Establish site-to-site VPNs from each data center to Azure Cloud. RADIUS and TACACS+ are long-standing protocols, and securing their traffic is essential. Ensure all authentication traffic remains private and does not traverse the public internet. 
  • Static IPs: Assign static IPs to ISE VMs post-deployment to avoid DHCP issues. 
  • Backup Storage: Use Azure Blob Storage for storing ISE backups. ISE supports FTP and SFTP as well. 
  • Automation: Leverage Terraform and/or Ansible for automated ISE deployment.
    • Terraform to provision the cloud infrastructure. 
    • Ansible to configure and manage ISE services. 
  • Monitoring: Enable Azure Monitor to track VM performance and ISE logs. 
  • Patching: Apply the latest ISE patches for ISE 3.x to address bugs like Azure AD AuthZ issues (CSCwj04839).

 

Comments

Martin L, VIP

thanks for the info!
