Cisco ISE-PIC Install and Upgrade Overview

This guide describes how to:

The rest of this chapter provides an overview of the ISE-PIC terminology and infrastructure. For additional information and detail about configuring and using ISE-PIC, refer to the Identity Services Engine Passive Identity Connector (ISE-PIC) Administrator Guide.

Cisco ISE-PIC Terminology

This guide uses the following terms when discussing Cisco ISE-PIC:

Term: Definition

GUI: Graphic user interface. GUI refers to any of the screens and tabs in the software installation of ISE-PIC.

NIC: Network interface card.

Node: An individual physical or virtual Cisco ISE-PIC appliance.

PAN: The main node in your ISE-PIC deployment is the primary administration node (PAN) and this is the node from which you can perform all available actions. In ISE-PIC, you can install up to two nodes. If you install the second node, it is referred to as the secondary administration node (secondary PAN).

Parser: The ISE-PIC backend component that receives syslog messages and breaks that input up into parts that can then be managed, mapped and published to ISE-PIC. The parser goes through each line of information of a syslog message as it arrives, looking for key information. For example, if a parser is configured to look for “mac=”, the parser then parses each line while looking for that phrase. The parser is set up to then communicate the defined information to ISE once it has found the key phrase that was configured.

Primary node: The main node in your ISE-PIC deployment is the primary administration node (PAN) and this is the node from which you can perform all available actions. In ISE-PIC, you can install up to two nodes. If you install the second node, it is referred to as the secondary administration node (secondary PAN).

Probe: Probes are mechanisms that collect data from a given source. Probe is a generic term that describes any mechanism, but does not specifically describe how the data is collected or what is collected. For example, an Active Directory (AD) probe helps ISE-PIC collect data from AD while a syslog probe collects data from a parser that reads syslog messages.

Provider: Clients or sources from which ISE-PIC receives, maps and publishes user identity information.

Secondary node: The main node in your ISE-PIC deployment is the primary administration node (PAN) and this is the node from which you can perform all available actions. In ISE-PIC, you can install up to two nodes. If you install the second node, it is referred to as the secondary administration node (secondary PAN).

Subscriber: Systems that subscribe to the ISE-PIC services in order to receive user identity information.
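
The key-phrase matching described in the Parser definition above, as an added example (not Cisco's code and not the ISE-PIC implementation): it scans constructed syslog lines for "mac=" plus the assumed phrases "user=" and "ip=", and validates each value before accepting it, because syslog content is untrusted input for an identity mapping.

```python
import ipaddress
import re

# "mac=" is the key phrase from the Parser definition; "user=" and "ip="
# are assumed extra phrases for this illustration.
KEY_PHRASES = {"mac": "mac=", "user": "user=", "ip": "ip="}

# Match a phrase only at the start of a token, so "srcmac=" is not "mac=".
PATTERNS = {
    name: re.compile(r"(?<!\w)" + re.escape(phrase) + r"([^\s,;]*)")
    for name, phrase in KEY_PHRASES.items()
}
MAC_RE = re.compile(r"[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}")
USER_RE = re.compile(r"[A-Za-z0-9._@\\-]{1,64}")

def validate(name, value):
    """Return a normalized value, or None if it is not well formed."""
    if name == "mac":
        ok = MAC_RE.fullmatch(value)
        return value.upper().replace("-", ":") if ok else None
    if name == "ip":
        try:
            return str(ipaddress.ip_address(value))
        except ValueError:
            return None
    return value if USER_RE.fullmatch(value) else None

def parse_line(line):
    """Scan one syslog line; return (accepted fields, rejected key names)."""
    fields, rejected = {}, []
    for name, pattern in PATTERNS.items():
        match = pattern.search(line)
        if match is None:
            continue  # key phrase not present on this line
        value = validate(name, match.group(1))
        if value is None:
            rejected.append(name)  # phrase found, value malformed
        else:
            fields[name] = value
    return fields, rejected

# Constructed sample syslog lines (not captured from a real device).
SAMPLE = [
    "<134>Oct 11 22:14:15 dhcp01 dhcpd: user=alice ip=10.0.0.15 mac=00:1A:2B:3C:4D:5E",
    "<134>Oct 11 22:14:16 dhcp01 dhcpd: heartbeat ok",
    "<134>Oct 11 22:14:17 dhcp01 dhcpd: user=bob ip=999.1.1.1 mac=00-1a-2b-3c-4d-5f",
    "<134>Oct 11 22:14:18 fw01 fw: srcmac=AA:BB:CC:DD:EE:FF action=allow",
]
if __name__ == "__main__":
    print([parse_line(line) for line in SAMPLE])
```

Lines with a rejected key are worth logging rather than silently dropping, since a malformed value in an otherwise matching line usually points to a misconfigured source or a template that does not fit the sender's format.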

Cisco ISE-PIC Architecture, Deployments, and Nodes

Cisco ISE-PIC architecture includes the following components:

  • Nodes—in a Cisco ISE-PIC deployment, up to two nodes can be configured as described below

  • Network resources

  • Endpoints

A deployment that has a single Cisco ISE-PIC node is called a standalone deployment.

A deployment that has two Cisco ISE-PIC nodes is called a high availability deployment, where one node functions as the primary appliance (the primary administration node, or the PAN). A high availability deployment improves service availability.

The PAN provides all the configuration capabilities that are required for this network model, and the secondary Cisco ISE node (the secondary PAN) functions in a backup role. The secondary node supports the primary node and resumes functionality whenever connectivity is lost with the primary node.

Cisco ISE-PIC synchronizes or replicates all of the content that resides on the primary Cisco ISE-PIC node with the secondary Cisco ISE-PIC node in order to ensure that your secondary node is current with the state of your primary node (and therefore can be used as a backup).

ISE Community Resource

For information about deployment and scaling, see ISE Deployment Journey.


Note: From Cisco ISE Release 3.1, all pxGrid connections must be based on pxGrid 2.0. pxGrid 1.0-based (XMPP-based) integrations will cease to work on Cisco ISE from Release 3.1 onwards.

pxGrid Version 2.0, which is based on WebSockets, was introduced in Cisco ISE Release 2.4. We recommend that you plan and upgrade your other systems to pxGrid 2.0-compliant versions in order to prevent potential disruptions, if any, to integrations.


Prerequisites and Virtual Appliance Requirements

ISE-PIC supports only virtual machines. Virtual machines should be based on the Cisco SNS hardware appliance specifications.

Additional prerequisites and system requirements for installation of Cisco ISE-PIC are as outlined in the following table.

Table 1. Virtual Appliance Requirements and Prerequisites

Type: Virtual Appliance

Description: Virtual machine requirements, prerequisites, and associated procedures for a Cisco ISE-PIC node are the same as those for a normal Cisco ISE node.

Cisco ISE-PIC supports Small, Medium, and Large deployment models similar to Cisco ISE. To achieve optimal performance, ensure that you assign the equivalent resource reservations when you manually install Cisco ISE-PIC using the ISO image.

Cisco ISE-PIC can be installed on the following virtual platforms:

  • VMware virtual machine

  • Linux KVM

  • Microsoft Hyper-V

  • Nutanix AHV

For more information about the virtual machine requirements, see Cisco Identity Services Engine Installation Guide.

It is essential that you follow the prerequisite configuration and setup procedures outlined in the Cisco Identity Services Engine Installation Guide to ensure proper installation of ISE or ISE-PIC.

Type: Software

Description: There are no special operating system or software requirements. The ISO images for ISE-PIC include all necessary software items.
