Hi dselfridge, I think that may be possible and may not be, as it is already using a different TLD (top-level domain). But if you use a different subdomain I think it is possible, e.g. employee.customer.com for employee and guest.customer.com for guest access.

I've read some cases about it; here's the easy one to understand: https://community.cisco.com/t5/policy-and-access/ise-identity-certificate/td-p/2450487

And here's an explanation document I've read: https://community.cisco.com/t5/security-documents/how-to-implement-ise-server-side-certificates/ta-p/3630897

If you have a VM environment it will be better to test it there :), before doing the integration, and it will be better if you could ask TAC about it, since I don't have any experience with that case. That's a good question from you, I'm kind of curious about it too :).

Thank you, Dino
Hi dselfridge, as I've already done the integration, here is what I have prepared for this integration, just for reference:

1. The ISE OS needs to be the same version, e.g. if 2 nodes are using 2.3 and the other 2 nodes are using 2.0, those nodes need to be on the same OS version and also the same patch version. This also includes your CA root certificate, which needs to be in the same domain, because when you register the node to the cluster you intend to join, it will check the CA root certificate.
2. If you have a firewall on your network, make sure you open the ports; you can find the required ports here: https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/install_guide/b_ise_InstallationGuide23/b_ise_InstallationGuide23_chapter_0110.html
3. You need to select the master node for the admin node and copy the config to that master node (admin node). This is the process where you need to copy the config to the node that is going to be the master, because you need to de-register the other cluster and join it to the cluster it needs to be in, so there is 1 cluster, and any different config will be replaced by the master admin in that cluster.
4. Do backups for Configuration, Operational Data, Endpoint Data, Certificate, Policy, License (if possible).
5. Prepare the license; you can re-host the license with Cisco and combine it into 1 license management, just make sure you request the right license :) as this is crucial when the cluster is in production.
6. Do an assessment of your ISE box scalability; you can find the information here: https://community.cisco.com/t5/security-documents/ise-performance-amp-scale/ta-p/3642148
7. Open a proactive case with Cisco TAC (if possible); this is just a precaution to prepare your integration in a smooth way, discuss your plan with TAC and ask their opinion on your integration plan.

For your question: "So 2 different hostnames. is this possible?"

Did you mean the ISE hostname? If yes, then it could work fine, but if you change the hostname of the ISE, you need to re-install the box from the beginning, as there are some cases where the service will not start if the hostname changes. If you are talking about the CA root certificate, it should be under the same CA root certificate.

Here are some notes from TAC when I opened the proactive case that you should be aware of:

1. The only things you need to take into account are the following: same version and patch; if using 3rd-party certs, make sure that both clusters have the same CA chain; nodes should be registered for the licenses; make sure nodes are reachable via IP address and hostname.
2. If you are able to do a re-install, that might be recommended, so that way you don't carry over any previous issue that might be affecting the node but have a fresh install.
3. For deployment operations, just make sure that nodes are reachable to each other and able to resolve DNS properly.
4. When the SAN is promoted to become a PAN node, it cannot automatically restore its replication session to all of the ISE nodes, so a manual replication sync is required.

If you have another question please let me know :)

Thank you, Dino
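The checklist above and the TAC notes boil down to a few conditions that can be verified before any node is de-registered. The script below is an added example (not code from the thread or from Cisco) that runs those checks over an inventory of both sites: the node records, DNS map and CA fingerprints are constructed sample data, and the hostnames and fingerprint strings are placeholders.

```python
"""Pre-merge readiness check for two Cisco ISE deployments.

Added example, not code from the original thread or from Cisco. All node
records, DNS entries and CA fingerprints below are constructed sample data.
"""
from collections import namedtuple

# version like "2.3", patch number, and the fingerprint of the CA root cert
Node = namedtuple("Node", "hostname ip version patch ca_root_fp")


def readiness_issues(site_a, site_b, dns):
    """Return blocking issues found before joining site_b into site_a.

    Mirrors the TAC notes in the thread: same version and patch everywhere,
    same CA root, each node resolvable by hostname and IP (dns is a
    constructed forward/reverse map), and no duplicate hostnames, since
    renaming a node means reinstalling it.
    """
    issues, nodes, seen = [], site_a + site_b, set()
    ref = site_a[0]  # the admin node that stays primary sets the baseline
    for n in nodes:
        if (n.version, n.patch) != (ref.version, ref.patch):
            issues.append(f"{n.hostname}: ISE {n.version} patch {n.patch} "
                          f"!= {ref.hostname} ({ref.version} patch {ref.patch})")
        if n.ca_root_fp != ref.ca_root_fp:
            issues.append(f"{n.hostname}: CA root differs from {ref.hostname}")
        if dns.get(n.hostname) != n.ip:
            issues.append(f"{n.hostname}: forward DNS does not give {n.ip}")
        if dns.get(n.ip) != n.hostname:
            issues.append(f"{n.ip}: reverse DNS does not give {n.hostname}")
        if n.hostname in seen:
            issues.append(f"{n.hostname}: duplicate hostname across sites")
        seen.add(n.hostname)
    return issues


# Constructed sample: site A on 2.1 patch 6, site B on 2.3 patch 2 as in the
# question; site B's MnT node also carries a different CA root and lacks PTR.
SITE_A = [Node("ise-a-pan.example.com", "10.0.1.10", "2.1", 6, "fp-root-1"),
          Node("ise-a-psn1.example.com", "10.0.1.11", "2.1", 6, "fp-root-1")]
SITE_B = [Node("ise-b-pan.example.com", "10.0.2.10", "2.3", 2, "fp-root-1"),
          Node("ise-b-mnt.example.com", "10.0.2.12", "2.3", 2, "fp-root-2")]
DNS = {n.hostname: n.ip for n in SITE_A + SITE_B}
DNS.update({n.ip: n.hostname for n in SITE_A + SITE_B[:1]})  # no PTR for MnT

if __name__ == "__main__":
    for issue in readiness_issues(SITE_A, SITE_B, DNS):
        print("BLOCKER:", issue)
```

Every line it prints is something that, per the thread, has to be fixed (upgrade, re-issue certs, correct DNS, or reinstall a renamed node) before the second site is de-registered and joined.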
I have a question related to Cisco ISE deployment: our client has 2 sites that currently deploy Cisco ISE.
The problem is that the 2 deployment sites, which are already operational, want to join into 1 cluster so they can be managed as 1 cluster only, since both sites are managed by their own IT.
Below is the configuration of each site:
Site A has 4 nodes of ISE Appliance (1 ADM, 1 MNT, 2 PSN) using ISE 2.1
Site B has 4 nodes of ISE Appliance (1 ADM, 1 MNT, 2 PSN) using ISE 2.3
Both sites A & B have different configurations and also different endpoints registered to each site.
Could it be possible to make them into 1 cluster, and how to do it?
Should 1 site need to de-register the cluster and join the other site in order to achieve it?
If anyone has done it, could you share the steps for doing this?
Update: I've found my answer, please refer to my answer :)
Thank you for the answer, but is there any attribute that the Windows Embedded version has?
I've been looking for the attribute but still no luck finding the matching one; do you have any suggestion about the custom attribute?
My client recently asked me if it is possible to do profiling for the Windows Embedded version so that they can automatically register it in Cisco ISE.
My client is using Cisco ISE 2.1 & 2.3 for different sites. If it is possible, what could be the attribute for that?