Cisco Identity Services Engine on AWS

Partner Solution Operational Guide


November 2022
Sudhanshu Sharma, Venkatesh Sivakumar, Divya Anand, Hsing-Tsu Lai, Prashanth R, Hosuk Won, Cisco Systems Inc.
Muffadal Quettawala, AWS Partner team
Vinod Shukla, AWS Integration & Automation team

Visit our GitHub repository to view source files, report bugs, submit feature ideas, and post feedback about this Partner Solution. To comment on the documentation, refer to Feedback.

This Partner Solution was created by Cisco Systems Inc. in collaboration with Amazon Web Services (AWS). Partner Solutions are automated reference deployments that help people deploy popular technologies on AWS according to AWS best practices. If you’re unfamiliar with AWS Partner Solutions, refer to the AWS Partner Solution General Information Guide.

Overview

This document describes the custom components deployed as part of the Partner Solution Cisco Identity Services Engine (ISE) on the AWS Cloud. Refer to the deployment guide for deployment details.

Deployment state machine

As shown in Figure 1, this Partner Solution includes a deployment state machine to form a two-node Cisco ISE deployment.

Figure 1. Deployment state machine architecture for Cisco ISE on AWS

The deployment state machine performs the following functions:

  1. Checks Cisco ISE status to verify that both Cisco ISE instances are up and ready.

  2. Sets the first Cisco ISE instance as the primary administrator node (primary PAN or PPAN) of a new Cisco ISE deployment.

  3. Registers the second Cisco ISE instance as the secondary administrator node (secondary PAN or SPAN) in the same Cisco ISE deployment.

  4. Checks the deployment sync status to verify that both nodes are synchronized.

CloudFormation deploys the state machine toward the end of stack creation.

PAN failover state machine

As shown in Figure 2, this Partner Solution deploys a failover state machine to promote SPAN to PPAN in the event of a PPAN failure.

Figure 2. Failover state machine architecture for Cisco ISE on AWS

Failover keeps access to the Cisco ISE web console open and lets certain aspects of Cisco ISE continue running. The failover state machine performs the following functions:

  1. Detects PPAN failures.

  2. Verifies accessibility of the API Gateway on SPAN.

  3. In the event of PPAN failure, promotes SPAN to PPAN.

  4. Confirms that PAN failover has completed and is successful.

Auto failover

If you set the Auto Failover (AutoFailover) parameter to ENABLED, the deployment schedules the failover state machine to run periodically as an Amazon EventBridge rule.

The deployment sets AutoFailover to DISABLED by default in the templates for two reasons. First, the Partner Solution only deploys two Cisco ISE nodes. Second, auto failover can result in a 30-minute downtime while services are restarted.

Parameter Store

This Partner Solution stores the following configurable parameters in AWS Systems Manager Parameter Store.

Name            Description
ADMIN_PASSWORD  Cisco ISE admin password used by Lambda for Extensible RESTful Services (ERS)/OpenAPI requests.
ADMIN_USERNAME  Cisco ISE admin user name used by Lambda for ERS/OpenAPI requests.
Maintenance     Values are DISABLED (default) or ENABLED. When ENABLED, Lambda skips health checks and PAN failover.
Primary_FQDN    Fully qualified domain name (FQDN) of PPAN.
Primary_IP      IPv4 address of PPAN.
Secondary_FQDN  FQDN of SPAN.
Secondary_IP    IPv4 address of SPAN.
SyncStatus      Latest synchronization status of the Cisco ISE deployment from the last health check.
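The following added example (not the Partner Solution's own Lambda code) models the decision sequence of the failover state machine described above together with the Maintenance flag from this table: honour Maintenance first, detect a PPAN failure, verify that SPAN answers before any promotion. It assumes the Parameter Store names listed above and a hypothetical probe callable standing in for the API Gateway reachability check; no AWS SDK calls are made, so it runs offline on constructed inputs.

```python
"""Failover decision logic modelled on the steps in this guide (added example)."""
from typing import Callable, Dict, Set

# Hypothetical stand-in for the check that a node's API Gateway answers.
Probe = Callable[[str], bool]

REQUIRED = ("Maintenance", "Primary_FQDN", "Primary_IP",
            "Secondary_FQDN", "Secondary_IP")


def load_parameters(store: Dict[str, str]) -> Dict[str, str]:
    """Validate the Parameter Store values the failover check depends on."""
    missing = [name for name in REQUIRED if name not in store]
    if missing:
        raise KeyError(f"Parameter Store is missing: {', '.join(missing)}")
    if store["Maintenance"] not in ("ENABLED", "DISABLED"):
        raise ValueError("Maintenance must be ENABLED or DISABLED")
    return store


def failover_decision(store: Dict[str, str], probe: Probe) -> str:
    """Return the action the failover state machine would take.

    Returns one of: SKIPPED_MAINTENANCE, PPAN_HEALTHY, SPAN_UNREACHABLE,
    PROMOTE_SPAN.  Promotion is only reached when PPAN is down *and* SPAN
    is reachable, so a double failure never triggers a blind promotion.
    """
    params = load_parameters(store)
    if params["Maintenance"] == "ENABLED":
        return "SKIPPED_MAINTENANCE"   # Lambda skips health checks and failover
    if probe(params["Primary_IP"]):
        return "PPAN_HEALTHY"          # step 1: no PPAN failure detected
    if not probe(params["Secondary_IP"]):
        return "SPAN_UNREACHABLE"      # step 2 failed: nothing safe to promote
    return "PROMOTE_SPAN"              # step 3: promote SPAN to PPAN


# Constructed sample values; not addresses from any real deployment.
SAMPLE_STORE = {
    "Maintenance": "DISABLED",
    "Primary_FQDN": "ise-1.example.internal", "Primary_IP": "10.0.1.10",
    "Secondary_FQDN": "ise-2.example.internal", "Secondary_IP": "10.0.2.10",
}


def make_probe(reachable: Set[str]) -> Probe:
    """Constructed probe: a node is 'up' if its IP is in the reachable set."""
    return lambda ip: ip in reachable


if __name__ == "__main__":
    print(failover_decision(SAMPLE_STORE, make_probe({"10.0.2.10"})))
```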

Feedback

To submit feature ideas and report bugs, use the Issues section of the GitHub repository for this Partner Solution. To submit code, refer to the Partner Solution Contributor’s Guide. To submit feedback on this deployment guide, use the following GitHub links:

Notices

This document is provided for informational purposes only. It represents current AWS product offerings and practices as of the date of issue of this document, which are subject to change without notice. Customers are responsible for making their own independent assessment of the information in this document and any use of AWS products or services, each of which is provided "as is" without warranty of any kind, whether expressed or implied. This document does not create any warranties, representations, contractual commitments, conditions, or assurances from AWS, its affiliates, suppliers, or licensors. The responsibilities and liabilities of AWS to its customers are controlled by AWS agreements, and this document is not part of, nor does it modify, any agreement between AWS and its customers.

The software included with this paper is licensed under the Apache License, version 2.0 (the "License"). You may not use this file except in compliance with the License. A copy of the License is located at https://aws.amazon.com/apache2.0/ or in the accompanying "license" file. This code is distributed on an "as is" basis, without warranties or conditions of any kind, either expressed or implied. Refer to the License for specific language governing permissions and limitations.