Cisco Ise 13 User Guide
Page 81
Table 3: Cisco ISE Nodes and Available Menu Options
Cisco ISE Node: All Nodes
Available Menu Options:
• View and configure system time and NTP server settings.
• Install server certificate, manage certificate signing request.
Note: The server certificate operations must be performed directly on each individual node. The private keys are not stored in the local database and are not copied from the relevant node; the private keys are stored in the local file system.
Cisco ISE Node: Primary PAN
Available Menu Options: All menus and sub-menus.
• Home and operations menus....
Page 82
ISE node. You can, however, edit the personas and services of the primary and secondary Cisco ISE nodes. You must first configure a primary ISE node and then register secondary ISE nodes to the primary ISE node. If you are logging in to the node for the first time, you must change the default administrator password and install a valid license.
It is recommended not to change the hostname and the domain name on Cisco ISE that have been configured or in production. If it is required, then reimage the appliance, make changes, and configure the details during the initial deployment.
Before You Begin...
Page 83
configuration changes that you make from the Deployment page of the Primary PAN. However, expect a delay of 5 minutes for your changes to take effect and appear on the Deployment page.
Before You Begin
Ensure that the primary node's trusted certificate store has the appropriate certificate authority (CA) certificates to validate the HTTPS certificate of the secondary node that you are going to register. When you import the secondary node's certificate into the trusted certificate store, check the Trust for authentication within ISE...
Page 84
registration and database synchronization, enter the credentials of the Primary PAN to log in to the user interface of the secondary node.
Note: In addition to the existing Primary node in the deployment, when you successfully register a new node, no alarm corresponding to the newly registered node is displayed. The Configuration Changed alarms reflect information corresponding to the newly registered nodes. You can use this information to ascertain the successful registration of the new node.
What to Do Next...
Page 85
Feature: Available When the Primary PAN Goes Down (Yes/No)
Existing endpoint with no profile change: Yes
Existing endpoint with profile change: Yes
New endpoint learned through profiling: Yes
Existing guest – LWA: Yes
Existing guest – CWA: Yes
Guest change password: No (Guest must login with old password)
Guest – AUP: Yes
Guest – Max Failed Login Enforcement: No
New Guest (Sponsored or Self-registered): No
Posture: Yes
New Device Registration: No
Existing Registered Devices: Yes
pxGrid: No
Manually Promote Secondary PAN To Primary...
Page 86
Step 4 Click Save.
What to Do Next
If the node that was originally the Primary PAN comes back up, it will be demoted automatically and become the Secondary PAN. You must perform a manual synchronization on this node (that was originally the Primary PAN) to bring it back into the deployment.
In the Edit Node page of a secondary node, you cannot modify the personas or services because the options are disabled. You have to log in to the Admin portal to make changes.
Policy Service Node
A Cisco ISE node with the Policy Service persona provides network access, posture, guest access, client...
Page 87
Session Failover in Policy Service Nodes
When a Policy Service node that has active URL-redirected sessions fails, the endpoints are stuck in an intermediate state. Even if the redirect endpoint detects that the Policy Service node that it has been communicating with has failed, it cannot re-initiate authorization.
If the Policy Service nodes are part of a node group, the nodes within a node group exchange heartbeat messages to detect node failures. If a node fails, one of its peers from the node group learns about the active...
Page 88
Automatic Failover in Monitoring Nodes
The term automatic failover is used because high availability is not supported on Monitoring nodes in the true sense. For Monitoring nodes, operation audit data is duplicated by the Policy Service node(s), which then sends copies to both the primary and secondary Monitoring nodes.
Note: Monitoring is served from the primary (active) Monitoring node. Monitoring data is only served from the secondary (standby) Monitoring node when the active node is down. The secondary monitoring node is read-only.
Automatic Failover Process...
Page 89
• In an active-standby configuration of the monitoring nodes, the Primary Administration Node (PAN) always points to the active monitoring node to collect the monitoring data. After the active monitoring node fails, the PAN points to the standby monitoring node. The failover from the active monitoring node to the standby monitoring node happens after it is down for more than 5 minutes.
However, after the active node fails, the standby node does not become the active node. In case the active node comes up, the Administration node starts collecting the monitoring data again from the...
Page 90
The following logs are available for pxGrid node:
• pxgrid.log—State change notifications.
• pxgrid-cm.log—Updates on publisher/subscriber and data exchange activity between client and server.
• pxgrid-controller.log—Displays the details of client capabilities, groups, and client authorization.
• pxgrid-jabberd.log—All logs related to system state and authentication.
• pxgrid-pubsub.log—Information related to publisher and subscriber events.
pxGrid Client and Capability Management...