Cisco ISE on Cloud

Cisco Identity Services Engine (ISE) is now available natively from cloud service providers, enabling you to scale your Cisco ISE deployments quickly and easily to meet changing business needs. Cisco ISE is available as an Infrastructure as a Service solution, helping you to rapidly deploy network access and control services anywhere.

You can extend the Cisco ISE deployments in your on-premises network securely onto

  • Amazon Web Services (AWS) from Cisco ISE release 3.1 and later releases

  • Azure Cloud Services (Microsoft Azure) from Cisco ISE release 3.2 and later releases, and

  • Oracle Cloud Infrastructure (OCI) from Cisco ISE release 3.2 and later releases.

Here are some common user data rules to keep in mind for the three public cloud providers: AWS, Azure, and OCI:

  • You must not enclose any attributes or parameters (whether mandatory or optional) for user data in single or double quotes. Here are some examples of invalid and valid entries:

    Invalid entry                                   Valid entry
    hostname="i34a"                                 hostname=i34a
    primarynameserver="9.9.9.9"                     primarynameserver=9.9.9.9
    dnsdomain="example.com"                         dnsdomain=example.com
    primaryntpserver="north-america.pool.ntp.org"   primaryntpserver=north-america.pool.ntp.org

  • From Cisco ISE release 3.3 onwards, validation outputs are displayed in the console and can be viewed only if the serial console is open at the time the outputs are generated.
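Because a quoted value in user data is rejected and, from release 3.3, the validation output is only visible if the serial console happens to be open, it pays to check the user data before launching the instance. The following is an added example, not a Cisco tool: it scans key=value user data lines for quoted values and produces a corrected copy. The attribute names hostname, primarynameserver, dnsdomain and primaryntpserver are the ones from the table above; any other key=value line is checked the same way, and the sample user data is constructed.

```python
"""Pre-launch check of Cisco ISE cloud user data for the no-quotes rule.

Added example, not Cisco's own tooling. It assumes user data is one
key=value attribute per line; the sample below is constructed, with two
entries deliberately wrapped in quotes.
"""

SAMPLE_USER_DATA = """\
hostname="i34a"
primarynameserver=9.9.9.9
dnsdomain='example.com'
primaryntpserver=north-america.pool.ntp.org
"""

_QUOTES = "\"'"


def _split(line: str):
    """Return (key, value) for a key=value line, or None for anything else."""
    line = line.strip()
    if not line or "=" not in line:
        return None
    key, value = line.split("=", 1)
    return key.strip(), value.strip()


def _is_quoted(value: str) -> bool:
    """True when the value starts or ends with a single or double quote."""
    return bool(value) and (value[0] in _QUOTES or value[-1] in _QUOTES)


def find_quoted_values(user_data: str) -> list[tuple[int, str, str]]:
    """Return (line_number, key, value) for every value wrapped in quotes.

    An empty list means the user data passes the no-quotes rule.
    """
    problems = []
    for lineno, raw in enumerate(user_data.splitlines(), start=1):
        parsed = _split(raw)
        if parsed is None:
            continue
        key, value = parsed
        if _is_quoted(value):
            problems.append((lineno, key, value))
    return problems


def strip_quotes(user_data: str) -> str:
    """Return a copy of the user data with surrounding quotes removed from values."""
    fixed = []
    for raw in user_data.splitlines():
        parsed = _split(raw)
        if parsed is None:
            fixed.append(raw.strip())
            continue
        key, value = parsed
        fixed.append(f"{key}={value.strip(_QUOTES)}")
    return "\n".join(fixed) + "\n"


if __name__ == "__main__":
    for lineno, key, value in find_quoted_values(SAMPLE_USER_DATA):
        print(f"line {lineno}: {key} has a quoted value {value}")
    print("corrected user data:")
    print(strip_quotes(SAMPLE_USER_DATA), end="")
```

Run the check against the user data file you are about to pass to the cloud provider and refuse to launch while `find_quoted_values` returns anything; `strip_quotes` is only a convenience for fixing the file, and the corrected output should still be reviewed by eye.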

Login credentials for Cisco ISE instances launched through cloud platforms

The username and password for any Cisco ISE that is launched through cloud-native images or instances that are hosted by the supported cloud platforms must be secure.

Usernames for Cisco ISE on cloud

The default username for Cisco ISE instances that are launched through cloud platforms is iseadmin. Even if you enter a different username in the user data, the Cisco ISE instance is created with the username iseadmin.


Remember


For Cisco ISE release 3.1 instances that are launched through AWS, the default username is admin.


Passwords for Cisco ISE on cloud

In all cloud platforms, the password that you configure when setting up an instance is stored as plaintext. However, a plaintext password can present a security risk. So, for any Cisco ISE that is launched from a cloud platform, you must reset the login password when you first access the Cisco ISE GUI. Then, you must also update your API-based automation scripts with the updated password to avoid any errors.

Cisco ISE licensing on cloud platforms

Cisco ISE leverages the Bring Your Own License (BYOL) solution that is available on cloud platforms. Use the Common VM License to enable Cisco ISE on cloud platforms, in addition to the other Cisco ISE licenses that you need for the Cisco ISE features you want to use. See the Cisco ISE Licensing Guide for information on Cisco ISE licenses.

Upgrade Cisco ISE hybrid deployments

The Cisco ISE upgrade workflow is not available in Cisco ISE on AWS, Microsoft Azure, or OCI. Only fresh installs of Cisco ISE are supported. However, you can carry out backup and restore of configuration data. You can upgrade Cisco ISE hybrid deployments where the Primary Administration Node (PAN) is installed either on the cloud or on premises.

Upgrade hybrid deployments with PAN installed on premises

Follow these steps to upgrade a hybrid deployment in which the PAN is installed on premises and some or all of the secondary nodes are installed on the cloud.

Procedure


Step 1

Deregister the secondary nodes that are installed on the cloud from the Cisco ISE deployment.

If all the secondary nodes are installed on the cloud, this could cause downtime.

Step 2

Upgrade the on-premises deployment to a higher release.

For more information on this, see the section "Perform the Upgrade" in the Cisco Identity Services Engine Upgrade Journey for your release.

Step 3

Install the required number of standalone Cisco ISE nodes on the cloud with the higher release.

You must install and configure the nodes with the same IP addresses to avoid configuration changes on the NADs. For more information on the installation process, see the Cisco Identity Services Engine Installation Guide for your release.

Step 4

Register these standalone nodes to the upgraded on-premises deployment.

You need to import the system certificates to the newly deployed nodes in Cisco ISE. For more information about how to import system certificates to a Cisco ISE node, see the "Import a System Certificate" section in the "Basic Setup" chapter of the Cisco Identity Services Engine Administrator Guide for your release.


The upgrade of a hybrid Cisco ISE deployment in which the PAN is installed on premises is complete.

Upgrade hybrid deployments with PAN installed on cloud

Follow these steps to upgrade a hybrid deployment in which the PAN is installed on cloud.

Procedure


Step 1

Back up Cisco ISE configuration settings and operational logs from the existing deployment.

Step 2

Shut down all the nodes in the deployment.

Step 3

Install the required number of standalone Cisco ISE nodes on cloud and on premises with the higher release.

You must install and configure the nodes with the same IP addresses to avoid configuration changes on the NADs. For more information on the installation process, see the Cisco Identity Services Engine Installation Guide for your release.

Step 4

Restore Cisco ISE configuration from the backup data. For more information, see the "Backup and Restore Upgrade Process" section in the Cisco Identity Services Engine Upgrade Journey for your release.

Step 5

Register all the nodes to the upgraded cloud deployment.


The upgrade of a hybrid Cisco ISE deployment in which the PAN is installed on cloud is complete.
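Both procedures above turn on the same three facts about the deployment: where the PAN runs (which decides the procedure), whether every secondary node is on the cloud (deregistering them all causes downtime), and which IP addresses the replacement nodes must reuse so that the NADs need no configuration change. The following is an added example, not Cisco's own tooling: a small pre-flight check that takes a node inventory and returns the applicable procedure, the downtime risk, and the hostname-to-IP map the fresh installs must honour, plus a post-install comparison. The inventory, hostnames and addresses are constructed.

```python
"""Pre-flight check for a Cisco ISE hybrid deployment upgrade.

Added example, not Cisco's own tooling. The node inventory below is
constructed; the rules encoded are the ones from the two procedures above.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Node:
    hostname: str
    ip: str
    role: str       # "PAN" or "secondary"
    location: str   # "cloud" or "on-premises"


# Constructed sample: PAN on premises, one secondary on premises, two on the cloud.
CURRENT_DEPLOYMENT = [
    Node("ise-pan-01", "10.0.1.10", "PAN", "on-premises"),
    Node("ise-psn-01", "10.0.1.11", "secondary", "on-premises"),
    Node("ise-psn-02", "10.10.0.21", "secondary", "cloud"),
    Node("ise-psn-03", "10.10.0.22", "secondary", "cloud"),
]


def upgrade_plan(nodes: list[Node]) -> dict:
    """Describe which hybrid upgrade procedure applies and what it requires."""
    pans = [n for n in nodes if n.role == "PAN"]
    if len(pans) != 1:
        raise ValueError("expected exactly one PAN in the inventory")
    secondaries = [n for n in nodes if n.role != "PAN"]
    cloud_secondaries = [n for n in secondaries if n.location == "cloud"]
    pan_on_cloud = pans[0].location == "cloud"

    if pan_on_cloud:
        # PAN on cloud: every node is shut down and reinstalled, then restored.
        to_deregister = []
        reinstall = {n.hostname: n.ip for n in nodes}
    else:
        # PAN on premises: only the cloud secondaries leave and come back.
        to_deregister = sorted(n.hostname for n in cloud_secondaries)
        reinstall = {n.hostname: n.ip for n in cloud_secondaries}

    # Deregistering every secondary leaves no node to serve requests.
    downtime_risk = (
        not pan_on_cloud
        and bool(secondaries)
        and len(cloud_secondaries) == len(secondaries)
    )
    return {
        "procedure": "PAN on cloud" if pan_on_cloud else "PAN on premises",
        "nodes_to_deregister": to_deregister,
        "downtime_risk": downtime_risk,
        # Hostname -> IP the fresh installs must reuse so NADs stay unchanged.
        "reinstall": reinstall,
    }


def ip_mismatches(expected: dict[str, str], installed: dict[str, str]) -> list[str]:
    """Hostnames whose freshly installed node does not carry the planned IP."""
    return sorted(h for h, ip in expected.items() if installed.get(h) != ip)


if __name__ == "__main__":
    plan = upgrade_plan(CURRENT_DEPLOYMENT)
    print(f"procedure: {plan['procedure']}")
    print(f"deregister first: {plan['nodes_to_deregister']}")
    print(f"downtime risk: {plan['downtime_risk']}")
    for host, ip in plan["reinstall"].items():
        print(f"reinstall {host} with {ip}")
```

Run `upgrade_plan` from the inventory before Step 1 and keep its `reinstall` map; after the fresh installs, feed the addresses actually assigned into `ip_mismatches` and do not register any node it reports until the address is corrected.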