Basic Information

| Field | Description |
|---|---|
| Time Sync Server | Enter the IP address of the primary, secondary, and tertiary time sync server. |
| DNS Server | Enter the IP address of the primary, secondary, and tertiary DNS server. |
| Trusted Interface (to protected network) | Enter the Management VLAN ID (all the other information is automatically populated for these options). |
| Untrusted Interface (to management network) | Enter the IP Address, Subnet Mask, Default Gateway, and Management VLAN ID for the untrusted interface. |
Deployment Modes

| Field | Description |
|---|---|
| Routed Mode | Choose this option for this node to provide router (hop in the wire) functionality for Inline Posture. |
| Bridged Mode | Choose this option for this node to provide VLAN mapping functionality for the subnets to be managed by Inline Posture. After checking the Bridged Mode check box, enter the Untrusted Network and Trusted Network VLAN ID information. For VLAN mapping, you should also add a mapping for management traffic and a mapping for client traffic, in each case by entering the appropriate VLAN IDs for the trusted and untrusted networks. |
Filters

| Field | Description |
|---|---|
| MAC Address | Enter the MAC address of a device whose traffic should be exempt from policy enforcement. For security reasons, always include the IP address along with the MAC address in a MAC filter entry. In particular, do not configure a MAC filter for a directly connected ASA VPN device without also entering its IP address: without the optional IP address, all VPN clients bypass policy enforcement. This happens because the VPN is a Layer 3 hop for clients, so the ASA uses its own MAC address as the source address when it forwards client packets toward the Inline Posture node, and a MAC-only entry matches every one of those packets. |
| IP Address | Enter the IP address of the device whose traffic should be exempt from policy enforcement. |
| Description | Enter a description of the MAC filter. |
| Subnet Address | Enter the subnet address of the devices whose traffic should be exempt from policy enforcement. |
| Subnet Mask | Enter the subnet mask for the subnet filter. |
| Description | Enter a description of the subnet filter. |
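The VPN bypass described for the MAC Address filter, as an added illustration that is not part of the Cisco documentation: the Python model below applies constructed MAC and subnet filter entries to constructed packets as the Inline Posture node would see them on its untrusted interface, and shows that a MAC-only entry for the ASA exempts every VPN client, while a MAC-plus-IP entry exempts only the ASA's own traffic. The packet fields, the MAC/IP values, the match order, and the assumption that subnet filters match on source IP are all this example's own.

```python
"""MAC and subnet filter matching for an Inline Posture node: why a MAC-only
entry for a VPN headend (ASA) exempts every VPN client from policy.

Added illustration, not Cisco code. Packets, addresses and filter entries are
constructed; the matching model (a filter entry exempts matching traffic, a MAC
entry may carry an optional IP, subnet entries match on source IP) follows the
Filters table above, but the exact match order in the product is not documented
here and is an assumption.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Packet:
    src_mac: str
    src_ip: str


@dataclass(frozen=True)
class MacFilter:
    mac: str
    ip: Optional[str] = None  # optional in the UI, but see the warning in the table
    description: str = ""


@dataclass(frozen=True)
class SubnetFilter:
    network: str              # e.g. "10.10.0.0/24" (subnet address + mask)
    description: str = ""


def _norm_mac(mac: str) -> str:
    return mac.replace("-", ":").lower()


def exempting_filter(pkt: Packet, mac_filters: Iterable[MacFilter],
                     subnet_filters: Iterable[SubnetFilter] = ()) -> Optional[str]:
    """Return the description of the first filter that exempts pkt, else None."""
    for f in mac_filters:
        if _norm_mac(f.mac) != _norm_mac(pkt.src_mac):
            continue
        # With no IP the entry matches on MAC alone; with an IP both must match.
        if f.ip is None or ip_address(f.ip) == ip_address(pkt.src_ip):
            return f.description or f"mac {f.mac}"
    for s in subnet_filters:
        if ip_address(pkt.src_ip) in ip_network(s.network, strict=False):
            return s.description or f"subnet {s.network}"
    return None


ASA_MAC = "00:1b:54:aa:bb:cc"   # constructed
ASA_IP = "10.10.0.1"            # constructed

# Constructed traffic as seen on the IPN's untrusted interface. The ASA is a
# Layer 3 hop, so every packet it forwards carries the ASA's MAC as source
# while the VPN client's IP address is preserved.
TRAFFIC = [
    Packet(ASA_MAC, ASA_IP),                    # the ASA's own traffic
    Packet(ASA_MAC, "10.50.1.23"),              # VPN client A, via the ASA
    Packet(ASA_MAC, "10.50.1.77"),              # VPN client B, via the ASA
    Packet("00:50:56:11:22:33", "10.10.0.9"),   # an unrelated directly connected host
]

# Weak entry: MAC only. Matches everything the ASA forwards.
WEAK = [MacFilter(ASA_MAC, description="asa-vpn (mac only)")]
# Recommended entry: MAC plus IP. Matches only the ASA's own traffic.
STRICT = [MacFilter(ASA_MAC, ip=ASA_IP, description="asa-vpn (mac+ip)")]


def exempt_sources(mac_filters: Iterable[MacFilter],
                   subnet_filters: Iterable[SubnetFilter] = ()) -> List[str]:
    """Source IPs in TRAFFIC that would skip policy enforcement."""
    mac_filters = list(mac_filters)
    subnet_filters = list(subnet_filters)
    return [p.src_ip for p in TRAFFIC
            if exempting_filter(p, mac_filters, subnet_filters) is not None]


if __name__ == "__main__":
    print("MAC-only entry exempts:", exempt_sources(WEAK))
    print("MAC+IP entry exempts:  ", exempt_sources(STRICT))
```

Run it and the MAC-only entry reports all three addresses behind the ASA as exempt, while the MAC-plus-IP entry reports only the ASA itself; a subnet filter for the ASA's own network additionally exempts the directly connected host, which is the intended use of that filter type.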
RADIUS Config

| Field | Description |
|---|---|
| Primary Server | Enter the IP address, shared secret, timeout in seconds, and number of retries for the primary RADIUS server, usually the Policy Service node. Base the timeout and retry values on the timeout and retries that you define on the client, such as a WLC or ASA, so that (IPN RADIUS Config Timeout * No. of Retries) < (Client device's Timeout * No. of Retries). For example, configure the primary and secondary servers with a timeout of 5 seconds and 1 retry, and configure the client with a timeout of 5 seconds and 3 retries: the product on the IPN (5 * 1 = 5) is then less than the product on the client (5 * 3 = 15). |
| Secondary Server | Enter the IP address, shared secret, timeout in seconds, and number of retries for the secondary RADIUS server. The same timeout and retry guidance as for the primary server applies. |
| Client | Enter the IP address, shared secret, timeout in seconds, and number of retries for the device that requests access on behalf of clients (WLC or VPN). Note: WLC roaming is not supported in Cisco ISE, Release 1.1.1. |
| Enable KeyWrap | Check this check box and specify the following Authentication Settings. Deployments that use wireless LAN technology require secure transmission between a RADIUS server and a network access point; KeyWrap attributes provide stronger protection and more flexibility. |
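A check for the timeout and retry rule above, added here as example code rather than anything from Cisco: it evaluates the documented per-server rule, and additionally a stricter combined check, which is this example's own assumption, that the primary and secondary budgets together still fit inside the client's budget, since the IPN falls back to the secondary server only after the primary has timed out. Device names and values are constructed; the first configuration reproduces the 5 * 1 and 5 * 3 numbers from the table.

```python
"""Timeout/retry budget check for the Inline Posture (IPN) RADIUS proxy chain.

Added example, not Cisco code. The client (WLC or ASA) sends RADIUS requests to
the IPN, which forwards them to its primary Policy Service node and, if that
fails, to the secondary. The documented rule is, per IPN server:
    (IPN timeout * retries) < (client timeout * retries)
The combined check below is this example's own assumption (see check()).
All device names and values are constructed.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class RadiusPeer:
    name: str
    timeout_s: int  # seconds to wait for a reply before retrying
    retries: int    # number of attempts, as counted in the table's formula


def budget(peer: RadiusPeer) -> int:
    """Worst-case seconds a sender waits on this peer before giving up."""
    return peer.timeout_s * peer.retries


def check(client: RadiusPeer, servers: List[RadiusPeer]) -> List[str]:
    """Return violations (empty list means the configuration is consistent).

    Per-server rule (from the documentation): each IPN server budget must be
    strictly less than the client's budget, otherwise the client retransmits
    or marks the IPN dead while the IPN is still waiting for the PSN.

    Combined rule (assumption of this example, stricter): because the IPN only
    tries the secondary after exhausting the primary, the sum of the server
    budgets should also fit inside the client's budget, or the client gives
    up before the IPN's fallback to the secondary can produce an answer.
    """
    problems: List[str] = []
    for p in [client, *servers]:
        if p.timeout_s <= 0 or p.retries <= 0:
            problems.append(f"{p.name}: timeout and retries must be positive")
    if problems:
        return problems

    client_budget = budget(client)
    for s in servers:
        if budget(s) >= client_budget:
            problems.append(
                f"{s.name}: {budget(s)}s is not < client budget {client_budget}s"
            )
    total = sum(budget(s) for s in servers)
    if total >= client_budget:
        problems.append(
            f"combined server budget {total}s is not < client budget "
            f"{client_budget}s (fallback to the secondary may be cut short)"
        )
    return problems


# Constructed configurations. GOOD reproduces the table's example numbers.
GOOD_CLIENT = RadiusPeer("wlc", timeout_s=5, retries=3)        # 5 * 3 = 15
GOOD_SERVERS = [
    RadiusPeer("psn-primary", timeout_s=5, retries=1),          # 5 * 1 = 5
    RadiusPeer("psn-secondary", timeout_s=5, retries=1),        # 5 * 1 = 5
]

# BAD: the primary alone consumes the whole client budget.
BAD_CLIENT = RadiusPeer("asa", timeout_s=5, retries=3)          # 15
BAD_SERVERS = [
    RadiusPeer("psn-primary", timeout_s=5, retries=3),          # 15, not < 15
    RadiusPeer("psn-secondary", timeout_s=5, retries=1),        # 5
]

if __name__ == "__main__":
    for label, c, s in (("good", GOOD_CLIENT, GOOD_SERVERS),
                        ("bad", BAD_CLIENT, BAD_SERVERS)):
        problems = check(c, s)
        print(label, "OK" if not problems else problems)
```

The "bad" configuration fails both rules: the primary's 15 s budget equals the client's, and the 20 s combined budget means a client that has already given up on the IPN would never see a reply that the secondary eventually returns.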
Failover

Displays only if you have deployed an Inline Posture high availability pair.

| Field | Description |
|---|---|
| HA Peer Node | Choose the HA Peer Node from the drop-down list, which lists the eligible standalone Inline Posture nodes. The secondary node syncs to the primary node. |
| Replication Status | (Only appears for secondary nodes) Indicates whether incremental replication from the primary node to the secondary node is complete. One of the following states is shown: Failed (incremental database replication has failed); In-Progress (incremental database replication is currently in progress); Complete (incremental database replication is complete); Not Applicable (the Cisco ISE node is a standalone or primary node). |
| Sync Status | (Only appears for secondary Cisco ISE nodes) Indicates whether replication from the primary node to the secondary node is complete. A replication happens when a node is registered as secondary or when you click Syncup to force a replication. One of the following states is shown: Sync Completed (full database replication is complete); Sync in Progress (database replication is currently in progress); Out of Sync (the database was down when the secondary node was registered with the primary Cisco ISE node); Not Applicable (the Cisco ISE node is a standalone node). |
| Service IP (Trusted) | Enter the Trusted Service IP address (eth0) for the traffic interface of the primary node. |
| Service IP (Untrusted) | Enter the Untrusted Service IP address (eth1) for the traffic interface of the primary node. In bridged mode, the service IP address is the same for both the trusted and untrusted networks. |
| Link Detect (Trusted) | Enter the IP address (optional, but recommended as a best practice) that the trusted side pings for link detection. This is usually the IP address of the Policy Service node, because both the active and standby nodes should always be able to reach the Policy Service node. |
| Link Detect (Untrusted) | Enter the IP address that the untrusted side pings for link detection. |
| Link Detect Timeout | Enter a Link-Detect Timeout value. The default of 30 seconds is recommended; there is no maximum value. Link detect ensures that the Inline Posture node maintains communication with the Policy Service node: if the active node does not receive a reply (ping) from the Policy Service node within the specified interval, the active node fails over to the standby node. |
| Heart Beat Timeout | Enter a Heart Beat Timeout value. The default of 30 seconds is recommended; there is no maximum value. The heartbeat is a message sent between the two Inline Posture nodes at specified intervals over the eth2 and eth3 interfaces. If the heartbeat stops, or no response is received in the allotted time, failover occurs. |
| Syncup Peer Node | If the sync status for any secondary node is Out of Sync, click Syncup Peer Node to force a full database replication. Note: You must use the Syncup option to force a full replication if the Sync Status is Out of Sync or the Replication Status is Failed. |
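The two failover timers (Link Detect Timeout and Heart Beat Timeout) described in the Failover table, modelled as an added Python example that is not Cisco code: the active node tracks the last link-detect reply and the last peer heartbeat independently, and either timer expiring triggers failover. The event names, the 10-second event cadence, treating "at least the timeout" as expiry, and checking link detect before heartbeat are this example's assumptions; the 30-second timeouts are the documented defaults, and the event logs are constructed.

```python
"""Failover decision logic for an Inline Posture HA pair, modelled from the
Link Detect Timeout and Heart Beat Timeout descriptions above.

Added example, not Cisco code. Two independent timers are tracked on the active
node:
- link detect: a reply (ping) from the configured link-detect address, usually
  the Policy Service node, must arrive within link_detect_timeout seconds
- heartbeat: a message from the peer node on eth2/eth3 must arrive within
  heartbeat_timeout seconds
Either timer expiring triggers failover. Treating expiry as ">= timeout", the
event names and the 10 s event cadence are this example's assumptions; the
30 s timeouts are the documented defaults. The event logs are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Event = Tuple[float, str]  # (time in seconds, "link_ok" | "heartbeat" | "tick")


@dataclass
class HaMonitor:
    link_detect_timeout: float = 30.0
    heartbeat_timeout: float = 30.0
    last_link_ok: float = 0.0
    last_heartbeat: float = 0.0
    failed_over_at: Optional[float] = None
    reason: Optional[str] = None

    def observe(self, t: float, event: str) -> Optional[str]:
        """Feed one event; return the failover reason if failover triggers at t."""
        if self.failed_over_at is not None:
            return None  # already failed over; the standby is now active
        if event == "link_ok":
            self.last_link_ok = t
        elif event == "heartbeat":
            self.last_heartbeat = t
        elif event != "tick":
            raise ValueError(f"unknown event {event!r}")

        # Link detect is checked first: losing the path to the PSN means this
        # node can no longer enforce policy even if its peer is healthy.
        if t - self.last_link_ok >= self.link_detect_timeout:
            self.failed_over_at = t
            self.reason = "link-detect timeout: no reply from link-detect address"
        elif t - self.last_heartbeat >= self.heartbeat_timeout:
            self.failed_over_at = t
            self.reason = "heartbeat timeout: peer silent on eth2/eth3"
        return self.reason if self.failed_over_at == t else None


def run_log(events: List[Event], **timeouts) -> Tuple[Optional[float], Optional[str]]:
    """Replay an event log in time order; return (failover time, reason) or (None, None)."""
    mon = HaMonitor(**timeouts)
    for t, ev in sorted(events, key=lambda e: e[0]):  # stable: same-time order kept
        mon.observe(t, ev)
    return mon.failed_over_at, mon.reason


def make_log(link_ok_until: float, heartbeat_until: float,
             end: float = 100, step: float = 10) -> List[Event]:
    """Constructed log: pings and heartbeats every `step` s until each stops."""
    log: List[Event] = []
    t = 0.0
    while t <= end:
        if t <= link_ok_until:
            log.append((t, "link_ok"))
        if t <= heartbeat_until:
            log.append((t, "heartbeat"))
        log.append((t, "tick"))
        t += step
    return log


if __name__ == "__main__":
    print("healthy:        ", run_log(make_log(100, 100)))
    print("PSN unreachable:", run_log(make_log(40, 100)))   # link_ok stops after t=40
    print("peer silent:    ", run_log(make_log(100, 40)))   # heartbeat stops after t=40
```

With the default 30-second timeouts, a node whose last link-detect reply arrived at t=40 fails over at t=70 even though its peer's heartbeats are still arriving, which is the point of configuring the Policy Service node as the link-detect address: the standby that can still reach the PSN takes over. Raising the link-detect timeout only delays that decision.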