The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
Cisco ISE is available on Azure cloud services. To configure and install Cisco ISE on Azure cloud, you must be familiar with Azure cloud features and solutions. Familiarize yourself with these Azure cloud concepts before starting:
Subscriptions and resource groups
Azure Virtual Machines. See Instances, Images, SSH Keys, Tags, and VM Resizing.
You can deploy Cisco ISE on Microsoft Azure using an Azure application or an Azure VM.
There are no differences in cost or Cisco ISE features when you deploy Cisco ISE using an Azure application or an Azure VM.
We recommend using the Azure application for the following advantages it offers in comparison to the Azure VM:
Azure application allows you to easily configure Cisco ISE-specific choices directly through its UI instead of a user-data field as in the case of Azure VM configuration.
At the initial configuration of an Azure application, you can choose an OS disk volume ranging between 300 and 2400 GB. However, during the initial configuration of an Azure VM, you can change the OS disk volume to a fixed set of values provided in the Azure portal.
You must carry out more steps after Cisco ISE installation and launch to reconfigure the virtual machine.
You can directly choose from the specific Azure VM sizes that Cisco ISE supports.
You can configure a static private IP address at the initial configuration.
You can use the Azure VM if:
you do not use the Azure portal UI to deploy Cisco ISE.
you need to use one of the additional settings that are available in the Azure VM configuration workflow.
This is an example of a deployment connected to the Azure cloud.
In addition to these deployment methods, you can also use Cisco Developed Terraform Script to install and automatically create multi-node Cisco ISE deployments on Azure.
 Note |
Do not clone an existing Azure cloud image to create a Cisco ISE instance. |
Cisco ISE can be installed by using one of these Azure VM sizes.
|
Azure VM sizes |
vCPU |
RAM (in GB) |
|---|---|---|
|
Standard_D4s_v4 This instance supports the Cisco ISE evaluation use case. 100 concurrent active endpoints are supported. |
4 |
16 |
|
Standard_D8s_v4 |
8 |
32 |
|
Standard_F16s_v2 |
16 |
32 |
|
Standard_F32s_v2 |
32 |
64 |
|
Standard_D16s_v4 |
16 |
64 |
|
Standard_D32s_v4 |
32 |
128 |
|
Standard_D64s_v4 |
64 |
256 |
Note |
Starting with Cisco ISE release 3.5, Standard_D4s_v4 and Standard_D16s_v4 VMs are not supported. |
The Fsv2-series Azure VM sizes are compute-optimized and are best suited for use as PSNs for compute-intensive tasks and applications.
The Dsv4-series are general purpose Azure VM sizes that are best suited for use as PAN or MnT nodes or both and are intended for data processing tasks and database operations.
If you use a general purpose instance as a PSN, the performance numbers are lower than the performance of a compute-optimized instance as a PSN.
The Standard_D8s_v4 VM size must be used as an extra small PSN only.
For information on the scale and performance data for Azure VM sizes, see the Performance and Scalability Guide for Cisco Identity Services Engine.
These are the known limitations with using Cisco ISE with Microsoft Azure cloud services:
Dual NIC supports only two NICs: Gigabit Ethernet 0 and Gigabit Ethernet 1. To configure a secondary NIC in your Cisco ISE instance, you must first create a network interface object in Azure, power off your Cisco ISE instance, and then attach this network interface object to Cisco ISE.
After you install and launch Cisco ISE on Azure, use the Cisco ISE CLI to manually configure the IP address of the network interface object as the secondary NIC.
The public cloud supports Layer 3 features only. Cisco ISE nodes on Microsoft Azure do not support Cisco ISE functions that depend on Layer 2 capabilities. For example, working with DHCP SPAN profiler probes and CDP protocol functions through the Cisco ISE CLI are functions that are currently not supported.
The Cisco ISE CLI access in Azure requires a secure key pair; password-based authentication is not supported.
If you are using a Private Key (or PEM) file and you lose the file, you will not be able to access the Cisco ISE CLI.
Any integration that uses a password-based authentication method to access Cisco ISE CLI is not supported, for example, Cisco Catalyst Center release 2.1.2 and earlier.
Azure's VPN gateway in Gen 8 cannot be used due to fragmentation. This is a limitation of Azure's first-party gateway.
Cisco ISE deployments on Azure Cloud do not support the Accelerated Networking feature. If you enable this feature in a Cisco ISE deployment, it might cause operations such as node registration and deregistration to fail.
Note |
In Cisco ISE release 3.3, if you configure a VM with a 300 GB disk and then attempt to increase the disk size, you may encounter defect CSCwk20591. To resolve the resulting IMS service issue, restart the service. Once the service has restarted, you can proceed with installing the patch. |
If you create Cisco ISE using the Azure Virtual Machine, Microsoft Azure assigns private IP addresses to VMs by default through DHCP servers.
Before you create a Cisco ISE deployment on Microsoft Azure, you must update the forward and reverse DNS entries with the IP addresses assigned by Microsoft Azure.
Alternatively, after you install Cisco ISE, assign a static IP address to your VM by updating the Network Interface object in Microsoft Azure. To do this:
Stop the VM.
Choose Private IP address settings > Assignment > Static.
Restart the VM.
In the Cisco ISE serial console, assign the IP address to the Gi0 interface.
Restart the Cisco ISE application server.
The Cisco ISE upgrade workflow is not available in a Microsoft Azure environment. Only fresh installations are supported. However, you can carry out backup and restore of configuration data. For information on upgrading hybrid Cisco ISE deployments, see Upgrade Guidelines for Hybrid Deployments.
When you carry out the restore and backup function of configuration data, after the backup operation is complete, first restart Cisco ISE through the CLI. Then, initiate the restore operation from the Cisco ISE GUI. For more information, see the Chapter "Maintain and Monitor" in the Cisco ISE Administrator Guide for your release.
In Azure, the networking virtual network stack drops out-of-order fragments by default without forwarding them to the end virtual machine host. This design aims to address the network security vulnerability FragmentSmack, as documented in Azure and fragmentation.
Cisco ISE deployments on Azure typically use on-premises connectivity modes like Site-to-Site VPN solutions and Azure ExpressRoute, which are prone to fragmentation issues. In such scenarios, Cisco ISE may not receive complete RADIUS packets, leading to authentication failures.
Microsoft cannot enable the option that prevents the dropping of out-of-order fragments on Azure VPN Gateway, Azure ExpressRoute (with FastPath disabled), and Azure vWAN. As a result, out-of-order fragments may not be received and processed properly.
As a workaround, Cisco has validated third-party VPN gateways like Cisco Catalyst 8000V as Azure Virtual Machine to terminate VPN tunnels from on-premises deployment. You must do these configurations for third-party VPN gateways:
Enable ip virtual-reassembly on the third-party gateway. This ensures that even if the received packets are out of order, the third-party VPN gateway can reassemble and send fragmented packets in the right order.
Enable IP forwarding on the inside and outside network interfaces on the Microsoft Azure portal.
Ensure that the routing table in the Microsoft Azure portal is properly configured to allow the necessary virtual networks through the third-party VPN gateway to connect with the on-premises resources.
In addition to third-party VPN gateway configuration, do one of these to ensure proper handling of out-of-order UDP packets:
Choose the regions where Microsoft Azure Cloud has already implemented the fixes: Central Canada (CanadaCentral), Central France (FranceCentral), Central India (CentralIndia), Central Poland (PolandCentral), Central Sweden (SwedenCentral), Central UAE (UAECentral), Central US (uscentral), East Asia (eastasia), East Australia (australiaeast), East Canada (CanadaEast), East Japan (japaneast), East Norway (NorwayEast), East US (eastus), North Central US (northcentralus), North Germany (GermanyNorth), North EU (EUNorth), North Switzerland (SwitzerlandNorth), North UAE (UAENorth), South Africa North (SouthAfricaNorth), South Brazil (brazilsouth), South US (ussouth), South Central US (southcentralus), South East Asia (southeastasia), South East Australia (australiasoutheast), South India (SouthIndia), South UK (uksouth), West Central US (westcentralus), West Central Germany (GermanyWestCentral), West Europe (westeurope), West UK (ukwest), and West US (westus).
Cisco ISE customers should raise a Microsoft Azure support ticket to enable the option to allow out-of-order fragments to reach the destination instead of being dropped.
For other regions, Cisco ISE customers should raise a Microsoft Azure support ticket to update these configurations:
Pin the subscription to ensure all instances within that subscription are deployed on hardware generation 7.
Enable the option to allow out-of-order fragments.
Create an SSH key pair.
Create the virtual network gateways, required subnets, and security groups.
Ensure that the subnet that you want to use with Cisco ISE can reach the internet. In Microsoft Azure, in the Public Route Table window, configure the next hop of the subnet as the internet.
Note |
From Cisco ISE release 3.4, OpenAPI services are enabled automatically. Hence, there's no need to send OpenAPI-related options while launching an instance. |
Follow these steps to create a Cisco ISE instance using an Azure VM.
|
Step 1 |
Go to https://portal.azure.com and log in to your Microsoft Azure account. |
|
Step 2 |
Use the search field at the top of the window to search for Marketplace. |
|
Step 3 |
Use the Search the Marketplace search field to search for Cisco Identity Services Engine (ISE). |
Follow these steps to configure the instance details on the Azure console.
|
Step 1 |
Click Virtual Machine. |
|
Step 2 |
In the new window that is displayed, click Create. |
|
Step 3 |
In the Basics tab, perform these actions: |
Follow these steps to configure OS disk size.
|
Step 1 |
Click Next: Disks. |
||
|
Step 2 |
In the Disks tab, select a disk size from the OS Disk Size drop-down list or retain the default value.
For the rest of the mandatory fields, you can retain the default values. |
Follow these steps to configure a network interface.
|
Step 1 |
Click Next: Networking. |
|
Step 2 |
In the Network Interface area, from the Virtual network and Subnet drop-down lists, select the virtual network and subnet that you have created. Note that a subnet with a public IP address receives online and offline posture feed updates, while a subnet with a private IP address receives only offline posture feed updates. |
Follow these steps to configure the user details.
|
Step 1 |
Click Next: Management. |
|
Step 2 |
In the Management tab, retain the default values for the mandatory fields and click Next: Advanced. |
|
Step 3 |
In the User data area, check the Enable user data check box. In the User data field, enter these details: hostname=<hostname of Cisco ISE> primarynameserver=<IPv4 address> secondarynameserver=<IPv4 address of secondary nameserver> (Applicable to Cisco ISE 3.4 and later releases) tertiarynameserver=<IPv4 address of tertiary nameserver> (Applicable to Cisco ISE 3.4 and later releases) dnsdomain=<example.com> ntpserver=<IPv4 address or FQDN of the NTP server> secondaryntpserver=<IPv4 address or FQDN of the secondary NTP server> (Applicable to Cisco ISE 3.4 and later releases) tertiaryntpserver=<IPv4 address or FQDN of the tertiary NTP server> (Applicable to Cisco ISE 3.4 and later releases) timezone=<timezone> password=<password> ersapi=<yes/no> openapi=<yes/no> pxGrid=<yes/no> pxgrid_cloud=<yes/no>(applicable only to Cisco ISE 3.4 and earlier releases.) From Cisco ISE Release 3.4,
You must use the correct syntax for each of the fields that you configure through the user data entry. The information you enter in the User data field is not validated when it is entered. Using incorrect syntax may cause Cisco ISE services to fail to start when launching the image. These are the guidelines for the configurations that you submit through the user data field:
|
Follow these steps to configure your tags:
|
Step 1 |
Click Next: Tags. |
|
Step 2 |
To create name-value pairs that allow you to categorize and consolidate multiple resources and resource groups, enter values in the Name and Value fields. |
Follow these steps to review the configurations you have created so far and to create a Cisco ISE instance.
|
Step 1 |
Click Next: Review + Create. |
|
Step 2 |
Review the information that you have provided so far and click Create. The Deployment is in progress window is displayed. It takes about 30 minutes for the Cisco ISE instance to be created and available for use. The Cisco ISE VM instance is displayed in the Virtual Machines window (use the main search field to find the window). |
Note |
This section is applicable only if the disk size of your Cisco ISE VM is 300 GB. If you have chosen any other disk size, then these steps are not applicable. |
Due to Microsoft Azure default settings, the Cisco ISE VM is configured with only 300 GB disk size. Cisco ISE nodes typically require more than 300 GB disk size. You might see the Insufficient Virtual Memory alarm when you first launch Cisco ISE from Microsoft Azure.
After you create the Cisco ISE VM, log in to the Cisco ISE administration portal to verify that Cisco ISE is set up correctly. Then, in the Microsoft Azure portal, carry out these steps in the Virtual Machines window to edit the disk size:
|
Step 1 |
Stop the Cisco ISE instance. |
|
Step 2 |
Click Disk in the left pane, and click the disk that you are using with Cisco ISE. |
|
Step 3 |
Click Size + performance in the left pane. |
|
Step 4 |
In the Custom disk size field, enter the disk size you want in GiB. |
Before creating a Cisco ISE instance, create the Azure resources that you need, such as Resource Groups, Virtual Networks, Subnets, SSH keys, and so on.
Note |
From Cisco ISE release 3.4, OpenAPI services are enabled automatically. Therefore, there is no need to send OpenAPI-related options while launching an instance. |
Follow these steps to create your Cisco ISE instance using the Azure application.
|
Step 1 |
Go to https://portal.azure.com and log in to your Microsoft Azure account. |
|
Step 2 |
Use the search field at the top of the window to search for Marketplace. |
|
Step 3 |
Use the Search the Marketplace search field to search for Cisco Identity Services Engine (ISE). |
Follow these steps to add the basic configuration details for the Cisco ISE instance.
|
Step 1 |
Click Azure Application. |
|
Step 2 |
In the new window that is displayed, click Create. |
|
Step 3 |
In the Basics tab: |
Follow these steps to configure the network settings.
|
Step 1 |
Click Next. |
||||
|
Step 2 |
In the Network Settings tab, enter these details:
From Cisco ISE release 3.4,
|
Follow these steps to configure the services.
|
In the Services tab: |
Follow these steps to add the user details.
|
Step 1 |
Click Next to go to the User Details tab. |
|
Step 2 |
In the User Details tab, enter the password in the Enter Password for iseadmin and Confirm Password fields. The password must comply with the Cisco ISE password policy and contain a maximum of 25 characters. |
Follow these steps to review your configurations and create a Cisco ISE instance.
|
Step 1 |
In the Review + create tab, review the details of the instance. |
|
Step 2 |
Click Create. The Overview window displays the progress of the instance creation. |
|
Step 3 |
Use the search bar and navigate to the Virtual Machines window. Your Cisco ISE instance is listed in the Virtual Machines window. It takes about 30 minutes to create a Cisco ISE instance. |
For information about the postinstallation tasks that you must carry out after creating a Cisco ISE instance, see the chapter "Installation Verification and Postinstallation Tasks" in the Cisco ISE Installation Guide for your release.
This section provides compatibility information that is unique to Cisco ISE on Azure cloud. For general compatibility details for Cisco ISE, see the Cisco Identity Services Engine Network Component Compatibility guide for your release.
You can integrate the Azure Load Balancer with Cisco ISE for load balancing RADIUS traffic. However, the following caveats are applicable:
The Change of Authorization (CoA) feature is supported only if client IP preservation is enabled when you configure Session Persistence property in the load balancing rule in the Azure portal.
Unequal load balancing might occur as the Azure Load Balancer supports only source IP affinity and does not support calling station ID-based sticky sessions.
Traffic can be sent to a PSN even if the RADIUS service is not active on the node, because the Azure Load Balancer does not support RADIUS-based health checks.
For more information on the Azure Load Balancer, see What is Azure Load Balancer?.
You can integrate the Azure Load Balancer with Cisco ISE for load balancing TACACS traffic. However, traffic might be sent to a Cisco ISE PSN even if the TACACS service is not active on the node, because the Azure Load Balancer does not support health checks based on TACACS+ services.
You can reset or recover your Cisco ISE VM password using these tasks. Select the necessary tasks and follow the detailed steps.
Note |
The Help > Reset Password option in the Azure portal is not supported for Cisco ISE Azure VM. |
|
Step 1 |
Log in to Azure Cloud and choose the resource group that contains your Cisco ISE virtual machine. |
|
Step 2 |
From the list of resources, click the Cisco ISE instance for which you want to reset the password. |
|
Step 3 |
From the left-side menu, in the Help section, click Serial console. The Azure Cloud Shell is displayed in a new window. If the screen is black, press Enter to view the login prompt. If you view an error message here, you may have to enable boot diagnostics by carrying out these steps:
|
|
Step 4 |
Log in to the serial console. To log in to the serial console, you must use the original password that was configured at the installation of the instance. Use the application reset-passwd ise iseadmin command to configure a new GUI password for the iseadmin account. |
The existing key pair that was created at the time of Cisco ISE instance configuration is not replaced by the new public key that you create.
|
Step 1 |
Create a new public key in Azure Cloud. See Generate and store SSH keys in the Azure portal. |
|
Step 2 |
Log in to the Azure Cloud serial console. |
|
Step 3 |
To create a new repository to save the public key, see Azure Repos documentation. If you already have a repository that is accessible through the CLI, skip to step 4. |
|
Step 4 |
To import the new public key, use this command: crypto key import <public key filename> repository <repository name> When the import is complete, you can log in to Cisco ISE via SSH using the new public key. |
Feedback