This project runs Terraform + Ansible demo for ISE. It follows the demo performed during the Automated ISE setup with Infrastructure as Code tools Webinar(December 2021) @ Cisco ISE YouTube Channel

At a high level it does the following:

Terraform:

• Setup VPC, subnets, routing and other networking resources on AWS
• Setup 6 ISE instances: Uses two separate modules. One for Admin/Monitoring node with m5.4xlarge instance type and 1.2TB EBS volume, and another for Policy Services node (PSN) with c5.4xlarge instance type and 600GB EBS volume. Also for PSN, the instance IPs are added to the AWS network load balancer to serve RADIUS and TACACS+.
• Setup AWS Network Load Balancer
• Setup Route 53 entries (The sample code utilizes exisisting ARN for the DNS zones, you will need to update it for your environment)
• Setup S3 bucket with transfer family for SFTP access
• Create Ansible variables file

Ansible:

• Import Let's Encrypt Root & Intermediate CA Certificates and signed server certificate and applyt it for EAP, DTLS, and Portal use
• Setup AD
• Add sample groups & users
• Add sample network devices
• add sample policy sets
• Form a deployment among 6 ISE nodes: Two Admin/Monitoring and Four Policy Services Node

ACME (Automated Certificate Management Environment):

• The ansible_demo.sh utilizes ACME protocol to get signed certificate from Let's Encrypt OpenCA using DNS validation. This is not mandatory and can be ignored or remarked to skip the process.

This has been tested and supports Cisco ISE 3.1.

• Ansible >= 2.9
• Terraform >= 1.0.7
• Cisco ISE SDK v1.0.0 or newer
• Python >= 3.6, as the Cisco ISE SDK doesn't support Python version 2.x

Terraform must be installed

Python & pip must be installed

sudo apt install -y python3 --version
sudo apt install -y python3-pip

Install ISE Python SDK

pip3 install ciscoisesdk

Ansible must be installed

sudo apt update
sudo apt-get install software-properties-common
sudo apt-add-repository ppa:ansible/ansible
sudo pip install ansible

Install the collection

ansible-galaxy collection install cisco.ise

First, initialize Terraform:

terraform init

Rename the included terraform.samplevars to terraform.tfvars file and modify to suit your environment. If changing the AWS region, the AMI ID also needs to be updated:

mv terraform.samplevars terraform.tfvars

Modify the run_first.sh to suit your environment. Note the username admin should not be changed and the password entry should be more than 8 characters long and have at least one of each; lower, upper, and a number. Run the run_first.sh to generate the userdata files that will be referenced by terraform config.

Apply the configuration

terraform apply

Type yes

This will take about 30 mintes for ISE instances to be fully booted up. Once all nodes can be accessed via GUI, you can run the ansible playbook.

cd ansible
ansible-playbook demo_all.yml

Once demo finishes, you can run the following commands to remove the setup in AWS:

cd ..
terraform destroy

Note that the Terraform process creates the Ansible variables file vars.yml upon completion and as such if running the Ansible playbook without running the Terraform file, then copy the content of the ansible_var.tpl file to ansible/vars.yml file manually.

The examples found on the playbooks directory uses the group_vars variables. Consider using ansible-vault to encrypt the file that has the ise_username and ise_password.

If you're using macOS you may receive this error when running your playbook:

objc[34120]: +[__NSCFConstantString initialize] may have been in progress in another thread when fork() was called.
objc[34120]: +[__NSCFConstantString initialize] may have been in progress in another thread when fork() was called. We cannot safely call it or ignore it in the fork() child process. Crashing instead. Set a breakpoint on objc_initializeAfterForkError to debug.
ERROR! A worker was found in a dead state

If that's the case try setting these environment variables:

export OBJC_DISABLE_INITIALIZE_FORK_SAFETY=YES
export no_proxy=*

You can also run the following:

cd ansible
source source_me.sh

The examples in this repository are licensed under the Cisco Sample Code License.