topic Hi, in Network Access Control

2-Node ISE Deployment - Best Practices?

CSCO10662744_2 — Mon, 11 Mar 2019 07:01:30 GMT

We're deploying a 2-node ISE cluster.

In the past we've always done:
Node1: PAN-Primary, MnTSecondary, PSN
Node2: PAN-Secondary, MnT-Primary, PSN

In a recent best practice slide deck, it shows using the same node1 for both primary PAN & MnT.

I wonder if that was a typo, or not a typo, but instead a new recommendation, or have I just been doing it the wrong way?
=======

Also, in a 2-node cluster, which node would you use as the "Primary" RADIUS server for the WLC & switches?
In the past I've always used whatever's NOT the primary MnT node, because it's busy doing a lot of logging and disk I/O.

However, doesn't the secondary MnT node also do the same logging as well, so it's just as busy?
So is the answer pretty much: doesn't matter, either node can provide equal amount of AAA service?

Hi,

Gagandeep Singh — Fri, 26 Aug 2016 22:11:56 GMT

Hi,

You can have a cluster where Primary admin node can act as secondary Mnt and PSN.

However, load balancing on NAD devices set on the basis of PSN configured first in the list. It is always recommended to have authentication for some devices on one PSN and rest to another PSN as first radius server.

Make sure ISE should have suppression enabled just to suppress anomalous clients for best practices.

Under Administration > System > setting > Protocols > radius.

Let me know if you have any concerns.

Regards

Gagan

Hi,

Gagandeep Singh — Fri, 02 Sep 2016 10:31:39 GMT

Hi,

Let me know if you still have any further concerns.

Regards

Gagan

PS: Please rate as correct if it helps!!!!