topic Re: ISE in two different countries in Network Access Control

ISE in two different countries

marine253 — Mon, 11 Mar 2019 08:48:41 GMT

Hello,

Got a request from a customer.

They have a data center in Europe and 1 in Australia. The link between them is an MPLS. They would like to have 1 ISE in Europe (primary) and 1 in Australia (Secondary)

They have about 300 routers and switches and they would like to have below setup:

All equipment points to the Primary ISE for TACACS in Europe for AAA
Should the Europe ISE be unreachable , all authentication sessions should be sent to the Australian ISE(Secondary).

The requirement here is that the ISE should be in some kind of cluster , meaning every changes performed on the primary ISE should be replicated to the secondary ISE. Be it password update , new device etc..

Is this feasible?

Thanks

Re: ISE in two different countries

Jason Kunst — Wed, 22 Aug 2018 15:14:28 GMT

If you’re talking about synchronization of 2 different ISE deployments then no there is no such option

Re: ISE in two different countries

Marvin Rhoads — Wed, 22 Aug 2018 15:36:18 GMT

It would have to be a single deployment.

Ideally it would be 4 nodes so that the PAN/MnT Primary and Secondary personae are on two hosts in Europe. Then put one each PSN in Europe and Australia.

If you made it only two nodes you would be pushing the limits for replication over that much latency (probably around 300+ ms).

See also this tool for ISE bandwidth considerations:

https://community.cisco.com/t5/security-documents/ise-latency-and-bandwidth-calculators/ta-p/3641112

Re: ISE in two different countries

marine253 — Wed, 22 Aug 2018 16:08:44 GMT

Thanks.

Ideally it would be 4 nodes so that the PAN/MnT Primary and Secondary personae are on two hosts in Europe. Then put one each PSN in Europe and Australia.

Are you talking about 4 physical boxes with 1 persona per box?
Meaning 3 boxes in europe and 1 box in australia? Won't it break the 300ms rule you mentioned?

If you made it only two nodes you would be pushing the limits for replication over that much latency (probably around 300+ ms).
Meaning 1 box with all 3 personas in europe and another box with all 3 personas in Australia? The actual latency is not that bad. 60 ms.

Re: ISE in two different countries

Marvin Rhoads — Wed, 22 Aug 2018 16:20:18 GMT

Latency between Europe and Australia is typically a bit over 300 ms. Design guidance is that we shouldn't exceed that so you'd be pushing the limit.

Take a look at BRKSEC-3699 on ciscolive.com for ideas/constraints on ISE deployments.

As was noted earlier two separate deployments have no knowledge of each other.

A 4 node deployment has:

a. Node 1 = Primary PAN / Secondary MnT

b. Node 2 = Secondary PAN / Primary MnT

c. Nodes 3 and 4 = PSNs.

Re: ISE in two different countries

Jason Kunst — Wed, 22 Aug 2018 19:19:28 GMT

Right so if 2 deployments then latency between nodes doesn’t matter as they are colocated together

Re: ISE in two different countries

marine253 — Thu, 23 Aug 2018 04:30:41 GMT

Hello Marvin,

Thank you for the detailed explanation.

I've only deployed ISE for very small deployment. Please bear with me. 🙂

So to sum up, i am going to propose below options to the customer:
Scenario 1:
We do 2 independent ISE deployments , that is 1 ISE in each country. Each ISE will have 1 IP and all routers/switches should be configured with dual TACACS servers. Each ISE will be managed seperately and no sync of policies will happen.

Scenario 2:
A 4 node deployment (as proposed above):
a. Node 1 = Primary PAN / Secondary MnT
b. Node 2 = Secondary PAN / Primary MnT
c. Nodes 3 and 4 = PSNs.
QU1) That is 3 nodes in Europe and 1 node in Australia. Correct?
QU2)They will all sync together and policies/configuration will be performed on Node 1 only (Primary PAN). Correct?
QU3)All routers/switches should be configured with dual TACACS servers (as we have two PSNs). correct?
QU4)What will happen if the Europe DC is unreachable. Will a manual intervention be required on the PSN in Australia to make it functional?

QU5) All the MnT personas will be in Europe. If Europe is unreachable , this mean that no logging will happen when the Australian PSN will be servicing requests?

Thanks a lot in advance 🙂

Re: ISE in two different countries

marine253 — Tue, 28 Aug 2018 06:17:33 GMT

Hi Marvin,

sorry to pester you. Could you please vet the above setup? :). I really need to know if the above is correct.

Thanks

Re: ISE in two different countries

Marvin Rhoads — Tue, 28 Aug 2018 08:36:38 GMT

@marine253 You can use partner helpdesk for official vetting of presales configurations. Opinions I offer here are my own and not official from either Cisco or my employers.

The two scenarios you mentioned are correct as stated.

Re your other questions,

1. Yes.

2. Yes.

3. Yes. Each network devices should have the TACACS server (PSN) closest to it first in its aaa server-group. something like this:

aaa group server tacacs+ ise-tacacs
 server name <name of local tacacs server>
 server name <name of remote tacacs server>

4. A PSN can operate and enforce configured policies whether or not the PAN (or MnT) node is accessible.

5. I believe some very limited messages may be queued on the PSN if there is a momentary loss of connectivity to the MnT nodes but, in general, you will lose accounting logs if the MnT is not reachable for any extended period of time.