Menu Close

ISE PSN Got Stuck at Step 4

I came across a couple of issues during an ISE upgrade project I was working on recently which are not really common and you would rarely see them. These issues were, an ISE PSN got stuck at step 4 during the upgrade process, and a PAN went out of synch. This project was to upgrade a distributed ISE cube with six nodes from version 2.2 to 2.4 and all appliances were virtual.

Redirect ACL With C9300 Switches

In this post I will share with you one caveat and its fix with redirect ACL with C9300 switches. In the last few months I was working on a project for a medium size customer. The main requirements were to implement Firepower IPS, dot1x, pxGrid, AnyConnect client provisioning and posture assessment for both VPN and local clients. The customer has a few sites spread across the globe, and all of them are connected through VPLS. There are different network devices that we were working on and in one of the sites we had a stack of Cisco C9300 switches. The customer has ISE deployed for identity management.

FMC External Authentication with RADIUS

In this post, I am going to show you how to set up FMC external authentication with RADIUS. Why we would need that?!, simply put, to have a scalable solution in our environment that will allow us to manage accesses to our FMC appliance. Even if we configure the FMC with an external authentication server, we do still have the local admin account enabled that we can use in case the external authentication server is down.

Privilege Level 15 with Cisco ISE

In this post, I’m going to show you how to assign privilege level 15 with Cisco ISE through RADIUS. We know Cisco ISE amazingly supports network devices administration through TACACS+ protocol which allows granting different access levels and managing what command sets could be run in each level. However, this feature requires an additional license called Device Administration to be installed on ISE.

Adding a Secondary ISE Node

Depending on ISE deployment if small, medium or large, you might need to add additional nodes with different Personas. The Persona in ISE cube is just a fancy name to define what services would be running on a node. The main three Personas are Administration (PAN), Policy Service (PSN) and Monitoring and Troubleshooting (MnT). The primary/secondary concept exists only with PAN and MnT Personas, however, this is not applicable with PSN Persona. The maximum number of PANs and MnTs in any ISE cube you can get is two, however, you can have plenty of PSNs.

CLI Administrator in Cisco ISE

In this post I’m going to show you how to configure Windows AD as the external authentication server for Identity Services Engine (ISE) CLI access. When you deploy ISE for the first time, you use the command “setup” at the login prompt to start the bootstrap process which will take you through a list of required steps to complete the appliance initial configuration. Once that is completed, the appliance will be ready for the next level of configuration which will be done through the GUI. One of the required steps during the bootstrap process is to configure the CLI admin account. You can choose to create a new admin account or you can accept the default account which is “admin”. This default account cannot be deleted, it can be disabled or downgraded to a read-only account though.

>
Scroll To Top