Cisco ISE on Cloud

Overview of Cisco ISE on Cloud

Cisco Identity Services Engine (ISE) is now available natively from cloud service providers, enabling you to scale your Cisco ISE deployments quickly and easily to meet changing business needs. Cisco ISE is available as an Infrastructure as a Service solution, helping you to rapidly deploy network access and control services anywhere.

You can extend the Cisco ISE policies in your home network to new remote deployments securely on the following cloud platforms:

  • Amazon Web Services: Cisco ISE Release 3.1 and later

  • Azure Cloud Services: Cisco ISE Release 3.2 and later

  • Oracle Cloud Infrastructure: Cisco ISE Release 3.2 and later

For information on the performance and scalability of Cisco ISE deployments on cloud platforms, see the section "Cisco ISE on Cloud" in the Performance and Scalability Guide for Cisco Identity Services Engine.

For more information on Cisco ISE, see Cisco Identity Services Engine End-User Documentation.

For any Cisco ISE that is launched through cloud-native images or instances that are hosted by the supported cloud platforms:

  • In all cloud platforms, the password that you configure when setting up an instance is stored as plaintext, which can present a security risk. For any Cisco ISE that is launched from a cloud platform, you must therefore reset the login password when you first access the Cisco ISE GUI. You must then also update your API-based automation scripts with the new password to avoid errors.

  • The default username for Cisco ISE instances that are launched through cloud platforms is iseadmin. Even if you enter a different username in the user data, the Cisco ISE instance is created with the username iseadmin.


    Note


    For Cisco ISE Release 3.1 instances that are launched through AWS, the default username is admin.
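The platform list and the two credential rules above can be checked before launch. The following pre-launch lint is an added example, not Cisco code; it assumes user data is plain key=value lines with username and password keys, and the function names and sample values are constructed for illustration.

```python
# Added example: pre-launch lint for Cisco ISE cloud user data.
# Assumption: user data is "key=value" lines with "username" and "password" keys.

MIN_RELEASE = {"aws": (3, 1), "azure": (3, 2), "oci": (3, 2)}  # platform list on this page


def parse_release(release):
    """Turn '3.2' or '3.1.0' into a comparable (major, minor) tuple."""
    parts = release.strip().split(".")
    return int(parts[0]), int(parts[1])


def parse_user_data(text):
    """Parse key=value lines; skip blanks and '#' comments; split on the first '=' only."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        fields[key.strip().lower()] = value.strip()
    return fields


def effective_username(platform, release):
    """Username the instance is actually created with, per the rules above."""
    if platform == "aws" and parse_release(release) == (3, 1):
        return "admin"
    return "iseadmin"


def audit(text, platform, release):
    """Return (effective_username, findings) for one instance's user data."""
    platform = platform.lower()
    findings = []
    if platform not in MIN_RELEASE:
        raise ValueError(f"unknown platform: {platform}")
    if parse_release(release) < MIN_RELEASE[platform]:
        findings.append("release-not-supported-on-platform")
    fields = parse_user_data(text)
    user = effective_username(platform, release)
    if fields.get("password"):
        findings.append("plaintext-password-reset-at-first-gui-login")
    requested = fields.get("username")
    if requested and requested != user:
        findings.append(f"username-ignored-instance-uses-{user}")
    return user, findings


# Constructed sample user data (not from a real deployment).
SAMPLE = "hostname=ise-lab-01\nusername=netops\npassword=Constructed-Example-1\n"
```

Running `audit(SAMPLE, "azure", "3.2")` reports both the plaintext password and the ignored username, which is the point at which automation scripts should be pointed at iseadmin and the post-reset password.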


Cisco ISE Licensing on Cloud Platforms

Cisco ISE leverages the Bring Your Own License (BYOL) solution that is available on cloud platforms. Use the Common VM License to enable Cisco ISE on cloud platforms, in addition to the other Cisco ISE licenses that you need for the Cisco ISE features you want to use. See the Cisco ISE Ordering Guide for information on Cisco ISE licenses.

Upgrade Guidelines for Hybrid Deployments

The Cisco ISE upgrade workflow is not available in Cisco ISE on AWS, Microsoft Azure, or OCI. Only fresh installs are supported. However, you can back up and restore configuration data.

Upgrade Hybrid Deployments with PAN Installed On-Prem

To upgrade a hybrid deployment in which the Primary Administration Node (PAN) is installed on-prem, and some or all of the secondary nodes are installed on the cloud:

Procedure


Step 1

Deregister the secondary nodes that are installed on the cloud from the Cisco ISE deployment.

If all the secondary nodes are installed on the cloud, this could cause downtime.

Step 2

Upgrade the on-prem deployment to a higher release.

For more information on this, see the section "Perform the Upgrade" in the Cisco Identity Services Engine Upgrade Journey for your release.

Step 3

Install the required number of standalone Cisco ISE nodes on the cloud with the higher release.

You must install and configure the nodes with the same IP addresses to avoid configuration changes on the NADs. For more information on the installation process, see the Cisco Identity Services Engine Installation Guide for your release.

Step 4

Register these standalone nodes to the upgraded on-prem deployment.

You need to import the system certificates to the newly deployed nodes in Cisco ISE. For more information about how to import system certificates to a Cisco ISE node, see the "Import a System Certificate" section in the "Basic Setup" chapter of the Cisco Identity Services Engine Administrator Guide for your release.


Upgrade Hybrid Deployments with PAN Installed on the Cloud

To upgrade a hybrid deployment in which the PAN is installed on the cloud:

Procedure


Step 1

Take a backup of Cisco ISE configuration settings and operational logs from the existing deployment.

Step 2

Shut down all the nodes in the deployment.

Step 3

Install the required number of standalone Cisco ISE nodes on the cloud and on-prem with the higher release.

You must install and configure the nodes with the same IP addresses to avoid configuration changes on the NADs. For more information on the installation process, see the Cisco Identity Services Engine Installation Guide for your release.

Step 4

Restore Cisco ISE configuration from the backup data. For more information, see the "Backup and Restore Upgrade Process" section in the Cisco Identity Services Engine Upgrade Journey for your release.

Step 5

Join all nodes back into the deployment.

