Cisco ISE 1.3 User Guide
CHAPTER 4 Set Up Inline Posture

• Role of Inline Posture Node in a Cisco ISE Deployment, page 55
• Best Practices for Inline Posture Deployment, page 62
• Inline Posture Node Guidelines, page 63
• Inline Posture Node Authorization, page 66
• Deploy an Inline Posture Node, page 68
• Configure a High-Availability Pair, page 73
• Configure Inline Posture Node as RADIUS Client in Administration Node, page 75
• Remove an Inline Posture Node from Deployment, page 76
• Health of an Inline Posture Node, page 76
• Remote Access VPN Use Case, page 77
• Collection of Inline Posture Node Logs, page 78
• Kclick process in Inline Posture Node, page 79

Role of Inline Posture Node in a Cisco ISE Deployment

An Inline Posture node is a gatekeeper that enforces access policies and handles change of authorization (CoA) requests. An Inline Posture node is positioned behind the network access devices on your network that are unable to accommodate CoA requests, such as wireless LAN controllers (WLCs) and VPN devices.

After the initial authentication of a client using the EAP/802.1X and RADIUS protocols, the client must go through posture assessment. The posture assessment process determines whether the client should be restricted, denied, or allowed full access to the network. When a client accesses the network through a WLC or VPN device, an Inline Posture node is responsible for the policy enforcement and CoA that these devices are unable to accommodate.

Note: Starting from Release 1.3, Cisco ISE does not include a separate ISO image for Inline Posture. You can continue to use the existing Release 1.2 Inline Posture nodes in the deployment.

Cisco Identity Services Engine Administrator Guide, Release 1.3 55
Inline Posture Policy Enforcement

Inline Posture uses RADIUS proxy and URL redirect capabilities in the control plane to manage data plane traffic for endpoints. As a RADIUS proxy, Inline Posture is able to tap into RADIUS sessions between network access devices (NADs) and RADIUS servers. NADs can open full gate to client traffic. However, Inline Posture opens only enough to allow limited traffic from clients. The restricted bandwidth allows clients the ability to have an agent provisioned, posture assessed, and remediation completed. This restriction is accomplished by downloading and installing Downloadable Access Control Lists (DACLs) that are tailored for specific client flows.

When the client is compliant, a CoA is sent to the Inline Posture node by the Policy Service node, and full gate is opened by the Inline Posture node for the compliant client endpoint. The RADIUS proxy downloads the full-access DACL, installs it, and associates the client IP address to it. The installed DACL can be common for a number of user groups, and therefore duplicate downloads are not necessary as long as the DACL content does not change in the Cisco ISE servers.

Inline Posture Policy Enforcement Flow

The following figure illustrates the Inline Posture policy enforcement process and shows the flow for WLC enforcement for traffic to the Policy Service node. The access steps are similar for an inline deployment with VPN gateways.

Figure 4: Inline Posture Policy Enforcement Flow

1. The endpoint initiates an 802.1X connection to the wireless network.
2. The WLC, which is a NAD, sends a RADIUS Access-Request message to the RADIUS server, which is usually the Policy Service node (in this illustration, the RADIUS Access-Request message is sent to the Inline Posture node).
3. The Inline Posture node, acting as a RADIUS proxy, relays the Access-Request message to the RADIUS server.
4. After authenticating the user, the RADIUS server sends a RADIUS Access-Accept message back to the Inline Posture node.
   There can be a number of RADIUS transactions between the endpoint, WLC, Inline Posture node, and the Cisco ISE RADIUS server before the Access-Accept message is sent. The process described in this example has been simplified for the sake of brevity.
5. The Inline Posture node passes the Access-Accept message to the WLC, which in turn authorizes the endpoint access, in accordance with the profile that accompanied the message.
6. The proxied Access-Accept message triggers the Inline Posture node to send an Authorization-Only request to the Policy Service node to retrieve the profile for the session.
7. The Policy Service node returns an Access-Accept message, along with the necessary Inline Posture node profile.
8. If the access control list (ACL) that is defined in the profile is not already available on the Inline Posture node, the Inline Posture node downloads it from the Policy Service node using a RADIUS request (to the Cisco ISE RADIUS server).
9. The Cisco ISE RADIUS server sends the complete ACL in response. It is then installed in the Inline Posture data plane so that endpoint traffic passes through it.
   There may be a number of transactions before the complete ACL is downloaded, especially if the ACL is too large for one transaction.
10. As the endpoint traffic arrives at the WLC, the WLC sends out a RADIUS Accounting-Start message for the session to the Inline Posture node.
   The actual data traffic from the endpoint may arrive at the Inline Posture node untrusted side before the Accounting-Start message is received by the Inline Posture node. Upon receiving the RADIUS Accounting-Start message, the Inline Posture node learns the IP address of the endpoint involved in the session and associates the endpoint with the ACL, which was downloaded and installed earlier in the session. The initial profile for this client endpoint could be restrictive, to posture the client before it is given full access.
11. Assuming the restrictive ACL allows access only to Cisco ISE servers, the endpoint is only allowed actions such as agent downloading and posture assessment over the data plane.
12. If the client endpoint is posture compliant (as part of the restricted communication with Cisco ISE services earlier), the Policy Service node initiates a RADIUS CoA with the new profile. Therefore, a new ACL is applied at the Inline Posture node for the session. The new ACL is installed immediately and applied to the endpoint traffic.
13. The endpoint is then capable of full access to the enterprise network, as a result of the new profile that was applied to the Inline Posture node.

A RADIUS stop message for a given session that is issued from the WLC resets the corresponding endpoint access at the Inline Posture node.

In a deployment such as the one outlined in the example, when more endpoints connect to the wireless network, they are likely to fall into one of the identity groups that already have authenticated and authorized users connected to the network.

For example, there may be an employee, executive, and guest user that have been granted access through the outlined steps. This situation means that the respective restrictive or full-access profiles for those ID groups
have already been installed on the Inline Posture node. The subsequent endpoint authentication and authorization uses the existing installed profiles on the Inline Posture node, unless the original profiles have been modified during the Cisco ISE policy configuration. In the latter case, the modified profile with ACL is downloaded and installed on the Inline Posture node, replacing the previous version.

Trusted and Untrusted Interfaces

The following terminology plays a significant role in Inline Posture deployment:

• Trusted—The interface that talks to the Policy Service node and other trusted devices inside the Cisco ISE network. The trusted interface is always designated to the Eth0 interface.
• Untrusted—The interface that talks to the WLC, VPN, and other devices outside the Cisco ISE network. The untrusted interface is always designated to the Eth1 interface.

Dedicated Nodes Required for Inline Posture

Unlike other personas, Inline Posture is unable to share a node with other services. This inability to share a node means that Inline Posture must be a dedicated node that is registered to the PAN on your network. Cisco ISE allows you to have up to two Inline Posture nodes configured as an active-standby pair for high availability.

Standalone Inline Posture Node in a Cisco ISE Deployment

A standalone Inline Posture node is simply a single Inline Posture node that provides services and works independently of all other nodes. You might choose to deploy a single standalone Inline Posture node for a network that serves a small facility, where redundancy is not a major concern.

Inline Posture High Availability

An Inline Posture high-availability deployment consists of two Inline Posture nodes that are configured as an active-standby pair. The active node acts as the RADIUS proxy and forwards all network packets until it fails, and then the standby node takes over. As long as the active node is functioning properly, the standby node remains passive. However, should the active node falter, the standby node takes over to perform Inline Posture functionality.
The terms primary and secondary have different meanings with regard to Inline Posture high availability than they do in relation to Cisco ISE nodes. For Inline Posture high availability, primary and secondary denote the device that takes over the active state and the device that takes the standby role in case there is a contention, such as when both nodes boot up at the same time. The terms active and standby are representative of high-availability states. A primary or secondary Inline Posture node can be in either an active or standby state. The secondary Inline Posture node is read-only, and cannot be used for configuration of any kind, even high availability.

When you configure an Inline Posture high-availability pair, the primary node has more options available for editing. That is because you make all configuration changes on the primary node. Configuration changes made to the primary node are automatically populated onto the secondary node. For this reason, the secondary node is read-only.

An Inline Posture high-availability pair consists of two physical Inline Posture nodes configured as a cluster that have heartbeat links on the eth2 and eth3 interfaces, and are connected by dedicated cables.
The eth2 and eth3 interfaces of both nodes communicate with heartbeat protocol exchanges to determine the health of the nodes. Each Inline Posture node has its own physical IP addresses on the trusted and untrusted Ethernet interfaces, but a separate service IP address must be assigned to the cluster as a whole.

Note: The service IP address, also called a virtual IP address, is required for RADIUS authentication purposes. You assign the service IP address to both the trusted and untrusted interfaces for both nodes of the active-standby pair, thus making the service IP address the address of the cluster, representing it as a single entity to the rest of the network.

Automatic Failover in Inline Posture Nodes

An Inline Posture stateless high-availability deployment has an active-standby pair node configuration, where the standby node acts as a backup unit and does not forward any packets between the interfaces. Stateless means that sessions that have been authenticated and authorized by an active node are automatically authorized again after a failover occurs.

The standby node monitors the active node using the heartbeat protocol (using the eth2 and eth3 interfaces), which requires that messages are sent at regular intervals between the two nodes. If the heartbeat stops or does not receive a response back in the allotted time, failover occurs and recovery action takes place.

A heartbeat is a message that is sent from one node in an Inline Posture high-availability pair to the other member of the pair at regular intervals. If a heartbeat is not received for an extended period of time, usually several heartbeat intervals, the node that should have sent the heartbeat is assumed to have failed. If it is the primary Inline Posture node that fails, the secondary node takes over so there is no disruption in service.

If the heartbeats simultaneously go down for both Inline Posture high-availability nodes, a partitioning state may ensue. A partitioning state is a condition where both nodes assume that the other has totally failed, and both try to take over active control.

In addition to the heartbeat monitor, an optional (but highly recommended) link-detect mechanism is available.
With the use of this mechanism, the Inline Posture trusted and untrusted interfaces ping an external IP address from their respective interfaces. If both nodes are unable to ping the external IP address, then failover does not occur. However, if either of the nodes becomes unreachable, the node that is functional automatically becomes the active node.

When failover occurs:

1. The standby Inline Posture node takes over the service IP address.
2. The administrator corrects the failed node and reverts to an earlier configuration, as needed.
   When a failed node is brought back online, a manual sync operation to update the node with the most current information is required.
3. Active sessions are automatically reauthenticated and authorized.

Inline Posture Operating Modes

The Inline Posture operating mode that you choose depends largely on the architecture of your existing network. Cisco ISE supports the following operating modes:
Inline Posture Routed Mode

The Inline Posture routed mode acts as a Layer 3 “hop” in the wire, selectively forwarding packets to specified addresses. This mode provides the ability to segregate network traffic, allowing you to specify users who have access to selected destination addresses.

In routed mode, the Inline Posture node operates as a Layer 3 router, and becomes the default gateway for the untrusted network with its managed clients. All traffic between the untrusted and trusted networks passes through the Inline Posture node, which applies the IP filtering rules, access policies, and other traffic-handling mechanisms that you decide to configure.

When you configure Inline Posture in routed mode, you must specify the IP addresses of its two interfaces:

• Trusted (Eth0)
• Untrusted (Eth1)

The trusted and untrusted addresses should be on different subnets. Inline Posture can manage one or more subnets, with the untrusted interface acting as a gateway for the managed subnets.

The following figure illustrates an Inline Posture routed mode configuration. In this example, Inline Posture is a hop for the client traffic from the VPN gateway (GW) en route to the Policy Service node. Inline Posture requires that static routes be configured for subnets 10.20.80.0/24 and 10.20.90.0/24 toward the VPN gateway, just like any other router. The enterprise router on the trusted side of the network also requires that the static routes are configured for the same subnets toward the Inline Posture node.

Figure 5: Inline Posture Routed Mode Configuration

Inline Posture Bridged Mode

The Inline Posture bridged mode acts as a Layer 2 “bump” in the wire, forwarding packets without regard to the destination address.
In bridged mode, the Inline Posture node operates as a standard Ethernet bridge. This configuration is typically used when the untrusted network already has a gateway, and you do not want to change the existing configuration.

The following figure shows the Inline Posture node acting as a bridge for the Layer 2 client traffic from the WLC to the Cisco ISE network, managed by the Policy Service node. In this configuration, Inline Posture requires subnet entries for the 10.20.80.0/24 and 10.20.90.0/24 subnets to be able to respond to and send Address Resolution Protocol (ARP) broadcasts to the correct VLANs.

Figure 6: Inline Posture Bridged Mode Configuration

When the Inline Posture node is in bridged mode, the following conditions apply:

• Inline Posture eth0 and eth1 interfaces can have the same IP address.
• All end devices in the bridged subnet must be on the untrusted network.

Inline Posture Maintenance Mode

The Inline Posture maintenance mode takes the node offline so that you can perform administrative procedures. This mode is also the default mode of a node when it first comes onto the network, and before you perform other configurations.

Inline Posture High Availability in Routed and Bridged Modes

The following figure shows an example of an Inline Posture high-availability routed mode configuration. Note the dedicated cables that connect the eth2 and eth3 interfaces between the two nodes to facilitate the heartbeat communication that checks for failure in the active node.
In this example, the untrusted IP address for Inline Posture 1 can be 10.20.70.101, and the untrusted IP address for Inline Posture 2 can be 10.20.70.102. However, the service IP address for both nodes on the untrusted side of the network would be 10.20.70.100. The active Inline Posture node in the pair, at any point of time, assumes the service IP address on the untrusted side of the network. The same holds true for the trusted side of the network.

Figure 7: Inline Posture High-Availability Routed Mode Configuration

In bridged mode, the Inline Posture eth0 and eth1 interfaces should have IP addresses in the same subnet. Having the same IP address is recommended. Any devices on the trusted side of the network that have IP addresses in the subnets that are managed by an Inline Posture in bridged mode must have an explicit static route configured at the Inline Posture node. This configuration is necessary because, by default, Inline Posture assumes that the subnet that it manages (as configured on the Managed Subnets user interface page) lies entirely on the untrusted side of the network.

Best Practices for Inline Posture Deployment

You can follow the best practices listed here to manage your Inline Posture deployment efficiently.

Use Filters to Define Access Privileges

Consider the following when configuring filters for Inline Posture:

• In a typical implementation, Inline Posture enforces authentication requirements on endpoints that attempt to access the network. Device and subnet filters are used to validate or deny WLC and VPN devices.
• For certain devices, you may want to bypass authentication, posture assessment, role assignment, or any combination thereof. Common examples of bypassed device types include printers, IP phones, servers, nonclient machines, and network devices.
   Inline Posture matches the MAC, MAC and IP, or subnet address to determine whether the bypass function is enabled for a device. You can choose to bypass policy enforcement or to forcibly block access.

   Caution: Do not configure the MAC address in a MAC filter for a directly connected ASA VPN device without also entering the IP address. Without the addition of the optional IP address, VPN clients are allowed to bypass policy enforcement. This bypass happens because the VPN is a Layer 3 hop for clients, and the device uses its own MAC address as the source address to send packets along the network toward the Inline Posture node.

Configure Managed Subnets and Static Routes

Consider the following when configuring managed subnets for Inline Posture:

• Configure a managed subnet for Inline Posture. A managed subnet configuration ensures that the Inline Posture node can send Address Resolution Protocol (ARP) queries with the appropriate VLAN IDs for the client devices on the untrusted interface. Configure the untrusted (authentication) VLAN in the VLAN ID field for the managed subnet.
• Configure managed subnets for endpoints in Layer 2 proximity of the Inline Posture node, such as a WLC that delivers packets directly to the untrusted interface of the Inline Posture node.
• Configure an IP address and not a subnet address. This configuration ensures that the ARP requests that Inline Posture sends have a valid source IP address.
• Ensure that subnets on the trusted side of the Inline Posture node are different from the subnets on the untrusted side.
• Ensure that an Administration node, Policy Service node, and Monitoring node are not on the same subnet as the Inline Posture node, unless you have defined a static route.

Consider the following when configuring static routes for Inline Posture:

• Configure static routes for endpoints that are more than one hop away (Layer 3) from the Inline Posture node.
• Configure static routes for all downstream host networks that are typical of VPN address pools.

Configure High-Availability Pair

Consider the following when configuring Inline Posture for high availability:

• Assign a service IP address (also known as a virtual IP) for each side of the Inline Posture interfaces, trusted (eth0) and untrusted (eth1).
• Specify link-detect IP addresses for the trusted (eth0) and untrusted (eth1) interfaces. Link-detect appears as an optional setting in the user interface, but is highly recommended.

Inline Posture Node Guidelines

Before you configure an Inline Posture node in a distributed deployment, read and understand the following statements:
1. The Inline Posture node is supported only on Cisco ISE-3300 series and SNS-3415 appliances. It is not currently supported on the Cisco SNS-3495 appliance or as a virtual appliance.
2. Inline Posture is unable to run concurrently with Administration, Policy Service, or Monitoring personas and, therefore, is a dedicated node.
3. An Inline Posture node must be registered to the PAN on your network.
4. For each deployment instance of an Inline Posture node, you can deploy a standalone node, or an active-standby pair.
5. At any network entry point, like a VPN headend using an ASA or a group of ASAs in an HA cluster, a maximum of 2 Inline Posture nodes can be deployed as an active-standby pair for high availability. You can have several HA pairs in a deployment.
6. Inline Posture nodes are similar to network access devices (NADs) in function from the perspective of the Cisco ISE node. Inline Posture nodes can serve as multiple NADs like switches, wireless LAN controllers, and VPN devices. Based on the deployment needs, you can deploy multiple instances of Inline Posture nodes. To determine the maximum number of deployment instances, treat the Inline Posture nodes as access devices.
7. For Inline Posture high availability, two nodes are configured as an active-standby pair. One node is designated as the primary node and the other as the secondary node. The primary node becomes the active node when both nodes come up at the same time.
8. For an Inline Posture active-standby pair configuration, all configuration must be applied from the ISE administrative user interface. The standby node configuration displays only basic tables when viewed from the ISE administrative user interface.
9. You can synchronize an Inline Posture active node configuration to its peer standby node from the Failover tab of the active node. For more information, see Synchronize an Inline Posture Node, on page 75.
   Note: If you have a WLC authentication, authorization, and accounting (AAA) server (Cisco 2100 or 4400 Series wireless LAN controllers) on your network, the RADIUS authentication server timeout value needs to be set to a minimum of 30 seconds. This minimum value ensures that RADIUS failover will work in conjunction with Inline Posture. See the WLC server hardware documentation for more information.
10. Registering an Inline Posture node results in a system restart. High-availability changes and changes to infrastructure configurations such as the eth1 IP address or Inline Posture mode require a system restart. The restart is automatic. However, to manually restart the node from the CLI, use the application stop ise and application start ise commands.
11. After you register an Inline Posture node to the Administration node, you are not allowed to change the eth0 (Trusted) IP address through the Admin portal. The reason for this is that, if you change the eth0 IP address of a registered Inline Posture node, it cannot communicate with the Administration node. Any attempted communication between the Inline Posture node and Administration node then fails, leading to a potential exception.
   Note: It is highly recommended that you not change the IP address of an Inline Posture node from the CLI after it has been registered on the Cisco ISE network.
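The failover rules from the section Automatic Failover in Inline Posture Nodes (heartbeat loss on eth2/eth3, the partitioning state, and the link-detect tie-break), modelled as an added Python example that is not Cisco ISE code. The Node fields, the function names and the omniscient view of both nodes' ping results are assumptions made for the illustration.

```python
"""Model of Inline Posture active-standby failover: heartbeat over eth2/eth3
plus the optional link-detect ping.  Added illustration, not Cisco ISE code."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Node:
    name: str
    role: str          # "active", "standby" or "down"
    up: bool           # node is running and sending heartbeats
    can_ping: bool     # eth0/eth1 reach the external link-detect address


def next_role(node: Node, peer: Node, heartbeat_ok: bool, link_detect: bool) -> str:
    """Return the role `node` adopts after the heartbeat timeout expires."""
    if not node.up:
        return "down"                      # a dead node decides nothing
    peer_silent = not (peer.up and heartbeat_ok)
    peer_can_ping = peer.up and peer.can_ping
    if link_detect:
        # Link-detect: the node that still reaches the external address becomes
        # active; when both (or neither) reach it, link-detect triggers nothing.
        # Assumption of the model: the peer's ping state is known to this node.
        if node.can_ping and not peer_can_ping:
            return "active"
        if not node.can_ping and peer_can_ping:
            return "standby"
        return node.role
    # Heartbeat only: a peer silent for several intervals is assumed failed,
    # so the standby takes over the service IP.  The active node keeps its
    # role, which is what produces the partitioning state when the heartbeat
    # cables fail while both nodes are healthy.
    if peer_silent and node.role == "standby":
        return "active"
    return node.role


def step(a: Node, b: Node, heartbeat_ok: bool, link_detect: bool) -> tuple:
    """Evaluate both nodes against the same observations in one interval."""
    return (replace(a, role=next_role(a, b, heartbeat_ok, link_detect)),
            replace(b, role=next_role(b, a, heartbeat_ok, link_detect)))


def roles(pair: tuple) -> tuple:
    return pair[0].role, pair[1].role


def partitioned(pair: tuple) -> bool:
    """Both nodes claim the service IP: the partitioning state the guide warns about."""
    return roles(pair) == ("active", "active")


if __name__ == "__main__":
    # Constructed pair: ipep1 is active, ipep2 is standby, both healthy.
    a = Node("ipep1", "active", True, True)
    b = Node("ipep2", "standby", True, True)
    print("cables cut, heartbeat only :", roles(step(a, b, False, False)))
    print("cables cut, link-detect    :", roles(step(a, b, False, True)))
    print("active loses uplink        :", roles(step(replace(a, can_ping=False), b, True, True)))
    print("external address unreachable:", roles(step(replace(a, can_ping=False),
                                                      replace(b, can_ping=False), True, True)))
```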
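The caution under Use Filters to Define Access Privileges (a MAC-only filter for a directly connected ASA VPN device lets VPN clients bypass policy enforcement) as an added Python example that is not Cisco ISE code. The filter and packet structures, the function names, and the MAC and IP values are constructed for the illustration.

```python
"""Why a device filter for an ASA VPN headend needs MAC and IP, not MAC alone.
Added illustration, not Cisco ISE code; the data model is an assumption."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class DeviceFilter:
    mac: Optional[str] = None      # source MAC must equal this
    ip: Optional[str] = None       # if given with mac, source IP must match too
    subnet: Optional[str] = None   # CIDR; matches on source IP alone
    action: str = "bypass"         # "bypass" policy enforcement or "block"


@dataclass(frozen=True)
class Packet:
    src_mac: str
    src_ip: str


def filter_matches(f: DeviceFilter, pkt: Packet) -> bool:
    """MAC, MAC-and-IP or subnet matching as described for Inline Posture filters."""
    if f.subnet is not None:
        return ip_address(pkt.src_ip) in ip_network(f.subnet, strict=False)
    if f.mac is not None and f.mac.lower() != pkt.src_mac.lower():
        return False
    if f.ip is not None and ip_address(f.ip) != ip_address(pkt.src_ip):
        return False
    return f.mac is not None or f.ip is not None


def disposition(filters: List[DeviceFilter], pkt: Packet) -> str:
    """'bypass' or 'block' from the first matching filter, otherwise 'enforce'
    (normal authentication, posture assessment and role assignment)."""
    for f in filters:
        if filter_matches(f, pkt):
            return f.action
    return "enforce"


# Constructed topology: the ASA sits directly on the untrusted side.  Being a
# Layer 3 hop, it forwards every VPN client packet with its own MAC as the
# source MAC and the client's pool address as the source IP.
ASA_MAC = "00:11:22:33:44:55"
ASA_IP = "10.20.70.5"
asa_own_traffic = Packet(ASA_MAC, ASA_IP)
vpn_client_traffic = Packet(ASA_MAC, "10.20.80.17")   # client in the 10.20.80.0/24 pool

mac_only = [DeviceFilter(mac=ASA_MAC)]                 # the misconfiguration from the caution
mac_and_ip = [DeviceFilter(mac=ASA_MAC, ip=ASA_IP)]    # the filter the guide asks for


def compare() -> dict:
    """Disposition of ASA and VPN-client packets under both filter styles."""
    return {
        "mac_only_client": disposition(mac_only, vpn_client_traffic),   # "bypass": clients skip enforcement
        "mac_only_asa": disposition(mac_only, asa_own_traffic),         # "bypass"
        "mac_ip_client": disposition(mac_and_ip, vpn_client_traffic),   # "enforce": clients are postured
        "mac_ip_asa": disposition(mac_and_ip, asa_own_traffic),         # "bypass": only the ASA itself
    }
```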