The webinar recording for Cisco ISE Deployment Best Practices is now live on Cisco Community for you to watch at your convenience.
Here are a few highlights from the session:
Ensure high availability and redundancy: Implement redundancy measures such as load balancers and appliance redundancy to ensure high availability and minimize service disruptions.
Deployment Scalability: Scale by considering concurrent sessions and transactions per second, deploying PSNs near workloads and Identity Providers and using load balancers.
Accounting and Monitoring: Configure start-stop RADIUS accounting on network devices and keep interim (periodic) accounting updates to a minimum, since frequent interim updates add unnecessary load on the PSNs.
Commonly asked questions about ISE deployment
-
Question: On a daily basis, how can we monitor the authentication limits exceeded for a PSN? Answer: Keep an eye on the System Summary Dashlet. Ensure AuthC latency is not too high, and you will receive alarms if AuthC requests are being dropped.
-
Question: Is there any recommendation for a mix of authentication methods such as TEAP, EAP-TLS, and PEAP for environments including Windows, macOS, and iPhones with certificate-based authentication? Answer: You can build your policy sets to match on the EAP methods and OS. With ISE 3.3, make use of MFC (multifactor classification) to match on the OS.
-
Question: Can Cisco IOS XE load balancing between RADIUS servers be used for wireless systems? Answer: Yes, it is possible. Refer to the Cisco configuration guide for more information.
-
Question: Is there any documentation to follow for integrating data from ISE for other monitoring systems or ITSM platforms? Answer: Check out the video on ISE data extraction methods for integration purposes.
-
Question: How can integration with AD for user visibility be achieved, and can it be shared via pxGrid? Answer: ISE integration with AD is straightforward, and AD integration does not use pxGrid. Active Directory can be used as an external ID source.
-
Question: Is the recommended version of ISE the most stable? Answer: Recommended versions are usually well tested with no known major defects. Always refer to the Release Notes.
-
Question: Can we directly upgrade from ISE 3.0 patch 3 to 3.3 patch 4? Answer: Yes, you can. Ensure you apply the latest patch before upgrading.
-
Question: Are there guides available on ISE Threat Centric NAC services? Answer: You can check the video from the ISE TME team for more information.
-
Question: Is a split of primary and secondary nodes within the same LAN problematic with 10G uplinks between connecting cores? Answer: It is okay for primary and secondary nodes to be on the same or different LANs. The only concern is latency, but with a 10G link, that should be fine.
-
Question: Does ISE 3.3 support Native MFA with Duo using a direct integration? Answer: Native MFA with Duo works with Duo Push, but not hardware tokens like YubiKeys. Check the release notes for newer versions or contact your account team for updates.
-
Question: What licenses are required for ISE VM offering? Answer: ISE VMs incur a cost per VM, requiring an ISE VM license in addition to other functional licenses like Device Admin and Essentials.
-
Question: What is the correct way to back up if snapshots shouldn't be used? Answer: Use the Backup & Restore option within the Admin GUI. You can trigger backups from the GUI or CLI: a configuration backup saves configuration settings, and an operational backup saves monitoring and operational data.
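The CLI path to the backups described in the answer above, as an added example that is not part of the webinar recap. The repository name, FTP server, credentials and encryption key are placeholders; the commands themselves are the ISE admin CLI `repository` and `backup` commands.

```cisco
! Added example: define a backup repository, then take a configuration
! and an operational backup from the ISE CLI. All values are placeholders.
configure terminal
 repository FTP-REPO
  url ftp://10.10.20.5/ise-backups
  user backupuser password plain ChangeMeFtpPassword
 exit
exit
!
! Configuration backup (system settings, policies, network devices, etc.)
backup ise-config-nightly repository FTP-REPO ise-config encryption-key plain ChangeMeBackupKey
!
! Operational backup (monitoring and reporting data); run this on the MnT node
backup ise-ops-weekly repository FTP-REPO ise-operational encryption-key plain ChangeMeBackupKey
!
! Confirm both jobs completed
show backup history
```

Keep the encryption key somewhere other than the ISE node itself; a backup cannot be restored without it. Scheduled backups are configured under Backup & Restore in the Admin GUI rather than from the CLI.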
-
Question: Is it recommended to use Automatic PAN failover? Answer: It depends on business needs. While recommended, many customers do not enable this feature.
-
Question: Will EAP-TLS machine auth and authorization with Entra ID be supported in newer versions? Answer: Machine authorization with Entra ID is being worked on and will be available in future versions, though no specific version or patch has been concluded yet.
-
Question: How long can the PSN keep working while PAN is down? Answer: The PSN retains the configuration from the PAN and should run without issue. New configs can't be pushed until admin node(s) are restored.
-
Question: What can operate as a health check node for auto failover? Answer: Any non-administration node such as MNT or PSN can act as the health check node for auto-failover.
-
Question: What is the recommended version for integration between ISE and ServiceNow? Answer: At least ISE 3.2 or higher is recommended, with ISE 3.3 patch 4 being currently recommended.
-
Question: Can I upgrade the ISE appliance internally using the internal upgrade option? Answer: You need to download the ISE upgrade bundle for the new version. Ensure to run the upgrade readiness tool and check resource requirements before proceeding.
-
Question: Does ISE 3.3 Patch 4 support Nutanix AHV Move? Answer: Check the release notes for support details. Contact TAC for a complete answer regarding migration processes.
-
Question: How to resolve the Kibana service not running issue? Answer: Open a TAC case for support. As basic troubleshooting, try stopping and starting the application during off-hours.
-
Question: Where to check the LDAP/AD request and response report? Answer: Check under Reporting or use the AD Diagnostics Tool feature under the AD section.
-
Question: Is there any additional license required for System360 and its features? Answer: No additional license is required for System360.
-
Question: How can you refresh device data if devices are showing up as "Unknown" in ISE? Answer: Update the profiling feed and create custom profiles if devices aren't contained within the feed.
-
Question: How many days can you be out of license compliance before losing admin access to ISE? Answer: Out of compliance for 30 days in a 60-day period will result in loss of administrative control until required licenses are purchased and activated.
Ready to learn more?