topic ISE Distributed Deployment in Network Access Control

ISE Distributed Deployment

de1denta — Mon, 11 Mar 2019 07:04:54 GMT

Hi All,

We have a primary and secondary HQ in the UK and then large branch offices in the US and Europe. Total users is ~ 2500

What we are looking to do is deploy a primary admin, monitoring and policy services node in HQ1, a secondary admin, monitoring and policy services node in HQ2 and then policy services node in the US and Europe. Is this deployment supported? I have read the documentation for distributed deployments and it suggests having seperate policy services nodes for all sites, however, I'm not sure if this is required in all scenarios such as ours.

Can anyone please assist

Hi,

Gagandeep Singh — Fri, 16 Sep 2016 13:26:34 GMT

Hi,

We recommend that you make all PSNs in the same local network part of the same node group. PSNs need not be part of a load-balanced cluster to join the same node group. However, each local PSN in a load-balanced cluster should typically be part of the same node group.

For reference :

http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_011.html#ID513

Regards

Gagan

PS: rate if it helps!!!!

Hi,

de1denta — Mon, 19 Sep 2016 09:40:08 GMT

Hi,

Thanks for the reply. I'm only looking to deploy a single PSN in each location so I dont think I need to create node groups, correct?

I just need to confirm for the HQ sites if we can have single VMs running the Admin/Monitoring/PSN services (HQ1 primary and HQ2 secondary) and then just PSN nodes in the US and European regions?

Many thanks

Hi,

Gagandeep Singh — Mon, 19 Sep 2016 15:18:22 GMT

Hi,

Ideally setup should work in WAN link. Just ensure network settings and less latency in the environment.

Please rate as correct if it helps!!!

Regards

Gagan

Hi,

Ryan Wolfe — Mon, 19 Sep 2016 16:59:14 GMT

Hi,

Officially, a distributed deployment with more than two PSNs (residing on the same servers as the primary and secondary PAN/MNT roles) is not a supported design. With only 2500 users, you likely do not need 4 PSNs anyway. I would recommend just having your two PAN/MNT servers, and deploying a VM PSN in the US and Europe as you intend today. The PSN roles on the PAN/MNTs are not necessary unless they are going to be at a location that may need a local PSN.

So, if you're only looking at needing 2 PSNs, I would have four total servers: 2xPAN/MNT, and 2xPSN (1 in US, 1 in Europe).

Take a look at BRKSEC-3699 on Cisco Live 365. It gives a great overview of the recommended designs.

https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=90923&backBtn=true

HTH,

Ryan

Hi Will, I like to do the

Marcus Hunold — Thu, 27 Oct 2016 15:57:27 GMT

Hi Will, I like to do the same as you described. Have you already changed to this distributed deployment? Does it work?

Are there needed additional licenses?

BR Marcus

Re: Hi,

b.haxhiaj — Wed, 25 May 2022 08:48:36 GMT

In a distributed deployment, in case of hardware refresh:

Replacing the nodes with from 3655 (old) to 3595 (new) with same IP address and hostnames (FQDNs)

1. Configure first the 3595s in an offline environment with the same IP addresses as the nodes to be replaced.

2. Generate the CSRs of the 3595s and have them sign those certificates.

3. Bind the signed certificate to the CSRs of the 3595s.

4. De-register 3655 secondary node, then take it out of the network.

5. Register the configured 3595 as the secondary node (PAN, MNT, PSN).

6. Have your AD admin join the node to the Active Directory domain.

7. Promote the 3595 secondary node as the new Primary Node.

8. De-register the 3655 primary node, then take it out of the network.

9. Register the other prepared 3595 as the secondary node (PSN).

10. Have your AD admin join the node to the Active Directory domain.

Regarding TACACS+ network device administration:

a. There are 2 TACACS+ servers configured on IOS devices (router, switch etc...).

b. Each TACACS+ server has different key hash on running-config on IOS.

Is all information is propagated from PRI -> SEC ISE node, including both TACACS+ keys for network device administration?