ISE Home Lab Eval Rotation
Overview
Recurring ISE evaluation license rotation for the home lab. Every ~90 days the Cisco ISE evaluation license expires and locks out admin access (the authentication engine keeps operating). The rotation deploys a fresh ISE VM on the alternate KVM host, restores the most recent backup, reissues certificates, reconfigures SAML, and cuts over, turning a licensing constraint into a practiced DR drill.
Rotation Pattern
| Rotation | Active Node | KVM Host |
|---|---|---|
| Previous (2026-02) | ise-02 (10.50.1.21) | kvm-02 |
| Current (2026-06) | ise-01 (10.50.1.20) | kvm-01 |
| Next (~2026-09) | ise-02 (10.50.1.21) | kvm-02 |
Current Rotation Status
| Phase | Description | Status | Notes |
|---|---|---|---|
| 0: Pre-Work | Backup ise-02, verify NAS, gather credentials | ✅ Done | Backup: pre-rotation-2026-06 on nas-01 |
| 1: VM Creation | Deploy fresh ISE on kvm-01 with CPU pinning | ✅ Done | br-mgmt bridge, CPUs 6-9, onboard SSD |
| 2: Installation | Setup wizard, wait for services | ✅ Done | NTP: pool.ntp.org during install, switched back to 10.50.1.1 |
| 3: Restore | Restore config from NAS backup | ✅ Done | pre-rotation-2026-06-CFG10-260607-0942.tar.gpg |
| 4: Patch | Apply ISE Patch 3 | ✅ Done | ise-patchbundle-3.5.0.527-Patch3-26040703 |
| 5: Certificates | Issue DOMUS PKI certs from Vault | ✅ Done | Admin/EAP + pxGrid — both verified via openssl s_client |
| 6: SAML | Reconfigure Keycloak SAML client (new Entity ID) | ⚠️ Deferred | Keycloak VM needs rebuild — using local admin login for now |
| 7: Cutover | Switch NAD, test 802.1X auth, update dsec | ✅ Done | dot1x Authc Success on GigabitEthernet1/0/2, dsec updated to ise-01 |
| 8: API Validation | Verify ERS, OpenAPI, MnT, DataConnect, pxGrid | ✅ Done | All 5 surfaces operational — cert extraction needed for DC + pxGrid |
| 9: Cleanup | Decommission old VM after verification period | ❌ Not started | Keep ise-02 1-2 weeks as rollback |
Runbook Staleness Issues
The ISE 3.5 deployment runbook in domus-infra-ops has known stale references:
- Gateway: References 10.50.1.1 — gateway is VyOS (VRRP VIP: 10.50.1.1)
- gopass paths: Mixes v2 (v2/DOMUS/servers/ise-01/admin) and v3 (v3/domains/d000/identity/ise/ise-01/admin) — v3 is current
- NTP: Points to pfSense — should be VyOS VIP or dedicated NTP
- CPU map: Shows pfSense-FW01 on CPUs 0-3 — pfSense is decommissioned, VyOS runs instead
- NAD section: Includes pfSense as RADIUS NAD — should be removed or replaced
- DNS updates: Uses PowerShell on home-dc01 — verify this is still the process
These must be corrected in domus-infra-ops before executing the rotation.
| Field | Value |
|---|---|
| PRJ ID | PRJ-2026-06-ise-home-rotation |
| Author | Evan Rosado |
| Created | 2026-06-07 |
| Updated | 2026-06-07 |
| Status | Active |
| Category | Infrastructure / Recurring Operations |
| Priority | P1 |
| Frequency | Every ~90 days (eval license expiration) |
| Runbook | |