Cisco Identity Services Engine on AWS

Partner Solution Deployment Guide

QS

November 2022
Sudhanshu Sharma, Venkatesh Sivakumar, Divya Anand, Hsing-Tsu Lai, Prashanth R, Hosuk Won, Cisco Systems Inc.
Muffadal Quettawala, AWS Partner team
Vinod Shukla, AWS Integration & Automation team

Refer to the GitHub repository to view source files, report bugs, submit feature ideas, and post feedback about this Partner Solution. To comment on the documentation, refer to Feedback.

This Partner Solution was created by Cisco Systems Inc. in collaboration with Amazon Web Services (AWS). Partner Solutions are automated reference deployments that help people deploy popular technologies on AWS according to AWS best practices. If you’re unfamiliar with AWS Partner Solutions, refer to the AWS Partner Solution General Information Guide.

Overview

This Partner Solution deploys Cisco Identity Services Engine on the AWS Cloud. This deployment guide covers the steps necessary to deploy the Partner Solution. For more advanced information on the product, troubleshooting, or additional functionality, see the Cisco Identity Services Engine on AWS Operational guide.

Costs and licenses

There is no cost to use this Partner Solution, but you will be billed for any AWS services or resources that this Partner Solution deploys. For more information, refer to the AWS Partner Solutions General Information Guide.

This Partner Solution comes with a 90-day evaluation license for Cisco ISE. To use Cisco ISE for more than 90 days, you must purchase the following:

  • A virtual machine (VM) license for each Cisco ISE instance.

  • Endpoint licenses, depending on the feature level required for the intended number of endpoints.

For more information, see Cisco Identity Services Engine Ordering Guide.

Architecture

Deploying this Partner Solution with default parameters builds the following Cisco ISE environment in the AWS Cloud.

Architecture
Figure 1. Partner Solution architecture for Cisco ISE on AWS

As shown in Figure 1, this Partner Solution sets up the following:

  • A highly available architecture that spans two Availability Zones.*

  • A virtual private cloud (VPC) configured with public and private subnets, according to AWS best practices, to provide you with your own virtual network on AWS.*

  • In the public subnets, managed NAT gateways for outbound internet access for resources in the private subnets.*

  • In the private subnets:*

    • One Cisco ISE primary and one Cisco ISE secondary node deployed to Amazon Elastic Compute Cloud (Amazon EC2) instances.

    • A Network Load Balancer attached to the private subnets. The load balancer distributes Remote Authentication Dial-In User Service (RADIUS) and Terminal Access Controller Access-Control System Plus (TACACS+) requests among Cisco ISE nodes.

  • Amazon Route 53 for Domain Name Service (DNS) resolution between Cisco ISE instances.

  • AWS Lambda for health checks, deployment, and failover of Cisco ISE instances.

  • AWS Step Functions for state machines to deploy and manage failover of Cisco ISE instances.

  • AWS Systems Manager for storing state information about Cisco ISE instances.

  • Amazon CloudWatch for logging and generating events about Cisco ISE instances.

  • Amazon EventBridge for rules to invoke Step Functions state machines.

  • Amazon Simple Notification Service (Amazon SNS) to manage subscriptions to deployment, health check, and failover email notifications.

* The template that deploys this Partner Solution into an existing VPC skips the components marked by asterisks and prompts you for your existing VPC configuration.

For more information about deployment and failover state machines and state persistence using Parameter Store, refer to the Cisco ISE on AWS Operational Guide.

Deployment options

This Partner Solution provides the following deployment options:

  • Deploy Cisco ISE into a new VPC. This option builds a new AWS environment that consists of the VPC, subnets, NAT gateways, security groups, bastion hosts, and other infrastructure components. It then deploys Cisco ISE into this new VPC.

  • Deploy Cisco ISE into an existing VPC. This option provisions Cisco ISE in your existing AWS infrastructure. This option requires the existing VPC to have a minimum of two private subnets and two Availability Zones. The existing VPC should have outbound internet access or VPC endpoints to Amazon S3, Amazon SNS, and Systems Manager, and access within the subnets. The existing VPC must have both DNS attributes enableDnsHostnames and enableDnsSupport enabled. For more information, refer to DNS attributes in your VPC.

This Partner Solution provides separate templates for these options. It also lets you configure Classless Inter-Domain Routing (CIDR) blocks, instance types, and Cisco ISE settings.

Predeployment steps

  • In the AWS Marketplace, subscribe to the Cisco Identity Services Engine AMI.

  • Create one Amazon EC2 key pair or ensure that at least one exists in your AWS account in the Region where you plan to deploy Cisco ISE. Make note of the key pair name. For more information, refer to Creating an EC2 key pair.

Deployment steps

  1. Sign in to your AWS account, and launch this Partner Solution, as described under Deployment options. The AWS CloudFormation console opens with a prepopulated template.

  2. Choose the correct AWS Region, and then choose Next.

  3. On the Create stack page, keep the default setting for the template URL, and then choose Next.

  4. On the Specify stack details page, change the stack name if needed. Review the parameters for the template. Provide values for the parameters that require input. For all other parameters, review the default settings and customize them as necessary. When you finish reviewing and customizing the parameters, choose Next.

    Unless you’re customizing the Partner Solution templates or are instructed otherwise in this guide’s Predeployment section, don’t change the default settings for the following parameters: QSS3BucketName, QSS3BucketRegion, and QSS3KeyPrefix. Changing the values of these parameters will modify code references that point to the Amazon Simple Storage Service (Amazon S3) bucket name and key prefix. For more information, refer to the AWS Partner Solutions Contributor’s Guide.

  5. On the Configure stack options page, you can specify tags (key-value pairs) for resources in your stack and set advanced options. When you finish, choose Next.

  6. On the Review page, review and confirm the template settings. Under Capabilities, select all of the check boxes to acknowledge that the template creates AWS Identity and Access Management (IAM) resources that might require the ability to automatically expand macros.

  7. Choose Create stack. The stack takes about 60 to 90 minutes to deploy.

  8. Monitor the stack’s status, and when the status is CREATE_COMPLETE, the Cisco Identity Services Engine deployment is ready.

  9. To view the created resources, choose the Outputs tab.

Postdeployment steps

After deployment, you must complete the following steps.

Step 1: Confirm Amazon SNS subscription

This Partner Solution configures a subscription to an SNS topic called NotifyAdminTopic. During deployment, you specify an email address to receive notifications in the EmailSubscription template parameter. After deployment, Amazon SNS sends an email with the subject AWS Notification - Subscription Confirmation to the specified address. To confirm the subscription, choose Confirm subscription in the email.

Step 2: Enable maintenance mode

Before continuing with Steps 2–7, enable maintenance mode to avoid false alarms and accidentally invoking PAN failover.

  1. Open the Systems Manager console.

  2. On the top toolbar, choose AWS Region where the Partner Solution is deployed.

  3. In the navigation pane, choose Parameter Store.

  4. Choose the Maintenance parameter.

  5. Choose Edit.

  6. On the Edit parameter page, for Value, enter ENABLED.

  7. Choose Save changes.

After completing Steps 2–7, disable maintenance mode.

Step 3: Change the Cisco ISE admin password

Cisco ISE 3.2 requires you to reset the admin password after initial setup. After deployment, change the admin password in the Cisco ISE console. For more information, refer to Administrative Access to Cisco ISE.

For AWS deployments, initial user names for Cisco ISE 3.1 and 3.2+ are admin and iseadmin, respectively.

Step 4: Update the admin password in the Systems Manager console

AWS CloudFormation does not support defining template parameters as SecureString Systems Manager parameter types. After changing the Cisco ISE admin password, update the ADMIN_PASSWORD parameter in Parameter Store with the new password.

  1. Open the Systems Manager console.

  2. On the top toolbar, choose AWS Region where the Partner Solution is deployed.

  3. In the navigation pane, choose Parameter Store.

  4. Choose the ADMIN_PASSWORD parameter.

  5. Choose Edit.

  6. On the Edit parameter page, for Value, enter the Cisco ISE admin password.

  7. Choose Save changes.

You can also edit the parameter using the AWS Command Line Interface (AWS CLI). For more information, refer to Put-parameter.

To conform the principle of least privilege, do the following:

  1. Create a new Cisco ISE admin in the Cisco ISE console

  2. Assign the new admin to the admin group ERS_ADMIN.

  3. Update the values of the SSM parameters ADMIN_USERNAME and ADMIN_PASSWORD with the new admin credentials.

Step 5: Enable Amazon API Gateway for the secondary Cisco ISE node

To use AWS Lambda for PAN failover, enable API Gateway for the secondary ISE node. For more information, refer to Cisco ISE API Gateway.

Step 6: Install the latest ISE release patch

Update the Cisco ISE nodes with the latest Cisco ISE patch release. For more information, refer to Release Notes.

Step 7: Backup Cisco ISE internal CA chains

To prepare the SPAN to issue and manage certificates in the event of failover, complete the following steps:

  1. Export Cisco ISE CA Certificates and Keys from the primary ISE node.

  2. Import Cisco ISE CA Certificates and Keys into the secondary ISE node.

Step 8: Disable maintenance mode

After completing Steps 1-7, disable maintenance mode by resetting the Maintenance parameter in Systems Manager to ENABLED.

Before performing maintenance in the future, ensure that you repeat the instructions in Step 2 to enable maintenance mode. After maintenance, ensure that you reset the Maintenance parameter to DISABLED.

Resources

Troubleshooting

For troubleshooting common Partner Solution issues, refer to the AWS Partner Solutions General Information Guide and Troubleshooting CloudFormation.

Refer to the following resources for help with these subjects:

I encountered a "CREATE_FAILED" error when I launched the Partner Solution.

If AWS CloudFormation fails to create the stack, relaunch the template with Rollback on failure set to Disabled. This setting is under Advanced in the AWS CloudFormation console on the Configure stack options page. With this setting, the stack state is retained, and the instance keeps running so that you can troubleshoot the issue.

When you set Rollback on failure to Disabled, you continue to incur AWS charges for this stack. Delete the stack when you finish troubleshooting.

For more information, see Troubleshooting AWS CloudFormation.

After disabling Rollback on faiure, I encountered a "CREATE_FAILED" error on "DeploymentWaitCondition"

DeploymentWaitCondition-timeout
Figure 2. CREATE_FAILED on DeploymentWaitCondition.

  1. Open the Step Functions console.

  2. On the top toolbar, choose AWS Region where the Partner Solution is deployed.

  3. In the navigation pane, choose State machines.

  4. Choose the DeploymentStateMachine state machine.

    DeploymentStateMachine-Failed-A
    Figure 3. DeploymentStateMachine with failed execution.

  5. On the DeploymentStateMachine page, on the Executions tab, choose the failed execution.

    DeploymentStateMachine-Failed-B
    Figure 4. Failed execution.

  6. On the Execution page, for the failed event, choose Logs.

  7. In the CloudWatch log group, investigate the log stream with a last event time around the time of the failed event.

I encountered a failed event in the deployment state machine at "Check ISE status" or "If ISE is up and running"

Networking issues can cause failed events on "Check ISE status" or "If ISE is up and running". In your existing VPC, verify the following:

  • Both DNS attributes enableDnsHostnames and enableDnsSupport are enabled. For more information, refer to DNS attributes in your VPC.

  • The private subnets have internet access or VPC endpoints to reach AWS services such as Amazon S3, Systems Manager, and Amazon SNS.

For your reference, the following are examples of expected log events when Check ISE status and If ISE is up and running run without errors.

  • Log events when neither Cisco ISE node is ready:

START RequestId: 1927bbcc-dd60-48b6-97cc-d2ca936a2114 Version: $LATEST
[INFO]	2022-10-09T03:44:08.459Z	1927bbcc-dd60-48b6-97cc-d2ca936a2114	Found credentials in environment variables.
[INFO]	2022-10-09T03:44:09.817Z	1927bbcc-dd60-48b6-97cc-d2ca936a2114	Installed ISE Instance IPs are:
 PPAN - 10.7.1.138 , SPAN - 10.7.2.243
[INFO]	2022-10-09T03:44:09.817Z	1927bbcc-dd60-48b6-97cc-d2ca936a2114	#Setting SSM parameters...
[INFO]	2022-10-09T03:44:09.973Z	1927bbcc-dd60-48b6-97cc-d2ca936a2114	#Retriving SSM parameters...
[INFO]	2022-10-09T03:44:10.148Z	1927bbcc-dd60-48b6-97cc-d2ca936a2114	Primmary Polcy Administration node ip : 10.7.1.138
[INFO]	2022-10-09T03:44:10.148Z	1927bbcc-dd60-48b6-97cc-d2ca936a2114	Secondary Polcy Administration node ip : 10.7.2.243
[INFO]	2022-10-09T03:44:10.148Z	1927bbcc-dd60-48b6-97cc-d2ca936a2114	ADMIN_USERNAME : iseadmin
[INFO]	2022-10-09T03:44:10.148Z	1927bbcc-dd60-48b6-97cc-d2ca936a2114	API_HEADER : {'Content-Type': 'application/json', 'Accept': 'application/json'}
[INFO]	2022-10-09T03:44:10.148Z	1927bbcc-dd60-48b6-97cc-d2ca936a2114	Secondary Polcy Administration node fqdn : ise-aws2.oh-demo.local
/opt/python/urllib3/connectionpool.py:1045: InsecureRequestWarning: Unverified HTTPS request is being made to host '10.7.1.138'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
warnings.warn(
[INFO]	2022-10-09T03:44:10.439Z	1927bbcc-dd60-48b6-97cc-d2ca936a2114	API response for 10.7.1.138 is
{
    "message": "An invalid response was received from the server",
    "code": 502
}


/opt/python/urllib3/connectionpool.py:1045: InsecureRequestWarning: Unverified HTTPS request is being made to host '10.7.2.243'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
warnings.warn(
[INFO]	2022-10-09T03:44:10.721Z	1927bbcc-dd60-48b6-97cc-d2ca936a2114	API response for 10.7.2.243 is
{
    "message": "An invalid response was received from the server",
    "code": 502
}


END RequestId: 1927bbcc-dd60-48b6-97cc-d2ca936a2114
REPORT RequestId: 1927bbcc-dd60-48b6-97cc-d2ca936a2114	Duration: 2467.90 ms	Billed Duration: 2468 ms	Memory Size: 128 MB	Max Memory Used: 75 MB	Init Duration: 406.60 ms

  • Log events when both Cisco ISE nodes are up:

START RequestId: 97c70b95-8234-4af9-bd98-c605e6123ae1 Version: $LATEST
[INFO]	2022-10-09T03:56:15.261Z	97c70b95-8234-4af9-bd98-c605e6123ae1	#Retriving SSM parameters...
[INFO]	2022-10-09T03:56:15.596Z	97c70b95-8234-4af9-bd98-c605e6123ae1	Primmary Polcy Administration node ip : 10.7.1.138
[INFO]	2022-10-09T03:56:15.597Z	97c70b95-8234-4af9-bd98-c605e6123ae1	Secondary Polcy Administration node ip : 10.7.2.243
[INFO]	2022-10-09T03:56:15.597Z	97c70b95-8234-4af9-bd98-c605e6123ae1	ADMIN_USERNAME : iseadmin
[INFO]	2022-10-09T03:56:15.597Z	97c70b95-8234-4af9-bd98-c605e6123ae1	API_HEADER : {'Content-Type': 'application/json', 'Accept': 'application/json'}
[INFO]	2022-10-09T03:56:15.597Z	97c70b95-8234-4af9-bd98-c605e6123ae1	Secondary Polcy Administration node fqdn : ise-aws2.oh-demo.local
/opt/python/urllib3/connectionpool.py:1045: InsecureRequestWarning: Unverified HTTPS request is being made to host '10.7.1.138'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
warnings.warn(
[INFO]	2022-10-09T03:56:15.929Z	97c70b95-8234-4af9-bd98-c605e6123ae1	API response for 10.7.1.138 is
{
    "response": [
        {
            "hostname": "ise-aws1",
            "fqdn": "ise-aws1.oh-demo.local",
            "ipAddress": "10.7.1.138",
            "roles": [
                "Standalone"
            ],
            "services": [
                "Profiler",
                "Session"
            ],
            "nodeStatus": "Connected"
        }
    ],
    "version": "1.0.0"
}

[INFO]	2022-10-09T03:56:15.930Z	97c70b95-8234-4af9-bd98-c605e6123ae1	ISE - 10.7.1.138 is up and running
/opt/python/urllib3/connectionpool.py:1045: InsecureRequestWarning: Unverified HTTPS request is being made to host '10.7.2.243'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
warnings.warn(
[INFO]	2022-10-09T03:56:17.101Z	97c70b95-8234-4af9-bd98-c605e6123ae1	API response for 10.7.2.243 is
{
    "response": [
        {
            "hostname": "ise-aws2",
            "fqdn": "ise-aws2.oh-demo.local",
            "ipAddress": "10.7.2.243",
            "roles": [
                "Standalone"
            ],
            "services": [
                "Profiler",
                "Session"
            ],
            "nodeStatus": "Connected"
        }
    ],
    "version": "1.0.0"
}

[INFO]	2022-10-09T03:56:17.101Z	97c70b95-8234-4af9-bd98-c605e6123ae1	ISE - 10.7.2.243 is up and running
END RequestId: 97c70b95-8234-4af9-bd98-c605e6123ae1
REPORT RequestId: 97c70b95-8234-4af9-bd98-c605e6123ae1	Duration: 1942.49 ms	Billed Duration: 1943 ms	Memory Size: 128 MB	Max Memory Used: 77 MB

Customer responsibility

After you deploy a Partner Solution, confirm that your resources and services are updated and configured—including any required patches—to meet your security and other needs. For more information, refer to the Shared Responsibility Model.

Feedback

To submit feature ideas and report bugs, use the Issues section of the GitHub repository for this Partner Solution. To submit code, refer to the Partner Solution Contributor’s Guide. To submit feedback on this deployment guide, use the following GitHub links:

Notices

This document is provided for informational purposes only. It represents current AWS product offerings and practices as of the date of issue of this document, which are subject to change without notice. Customers are responsible for making their own independent assessment of the information in this document and any use of AWS products or services, each of which is provided "as is" without warranty of any kind, whether expressed or implied. This document does not create any warranties, representations, contractual commitments, conditions, or assurances from AWS, its affiliates, suppliers, or licensors. The responsibilities and liabilities of AWS to its customers are controlled by AWS agreements, and this document is not part of, nor does it modify, any agreement between AWS and its customers.

The software included with this paper is licensed under the Apache License, version 2.0 (the "License"). You may not use this file except in compliance with the License. A copy of the License is located at https://aws.amazon.com/apache2.0/ or in the accompanying "license" file. This code is distributed on an "as is" basis, without warranties or conditions of any kind, either expressed or implied. Refer to the License for specific language governing permissions and limitations.