topic Re: ISE deployment in two data centers in Network Access Control

ISE deployment in two data centers

mgr — Thu, 12 Jul 2018 14:45:13 GMT

Hi,

We are looking for ISE deployment across two data centers for wired & wireless 802.1x authentication and posture assessment for corporate and VPN users.

Option 1 :

Data center 1:

1. PAN - Primary

2. MnT - Primary

3. PSN - Primary for DC1

Data center 2:

1. PAN - Secondary

2. MnT - Secondary

3. PSN - Primary for DC2

Option 2:

Data center 1:

1. PAN/MnT - Primary

2. PSN - Primary for DC1

Data center 2:

1. PAN/MnT - Secondary

2. PSN - Primary for DC2

Could you help clarify the below queries?

1. Can we put two PSNs in a device group(or we need more than two)?

2. Do we need to have dedicated "in-line posture" node for VPN users? Or can we use the PSN nodes itself?

3. In Option2, can we keep the PAN/MnT nodes across data centers or they have to be in the data centers?

Re: ISE deployment in two data centers

Craig Hyps — Thu, 12 Jul 2018 15:28:34 GMT

It is hard to say whether you need to dedicate nodes or not since no data provided on size of network. In general, PSNs that are in the same LAN campus would be part of same Node Group.

There is no longer an entity referred to as an Inline Posture node. This was removed many releases ago and the ASA can support Posture for VPN users without it. Traffic does not flow "through" PSNs. PSNs terminate RADIUS and Posture Assessment conversations with NAD and endpoint, respectively.

ISE supports L3 separation of PAN and MNT nodes (or PAN+MNT nodes) for geographic redundancy.

Re: ISE deployment in two data centers

mgr — Thu, 12 Jul 2018 16:21:12 GMT

Hi Chyps,

Thanks for your response. If i require posture assessment and remediation for Corporate LAN users in addition to VPN users, should i go with Anyconnect agent? Is there any other agent available for this purpose?

Re: ISE deployment in two data centers

Craig Hyps — Thu, 12 Jul 2018 16:25:06 GMT

Posture services with ISE require AnyConnect--either persistent or temporal agent. ISE can also integrate with other systems which report compliance. For example, ISE can query SCCM or Intune or MDM products regarding an endpoints compliance/posture status that do not entail the use of AnyConnect. However, if require ISE solution to perform the endpoint interrogation and remediation, then AC required.

Re: ISE deployment in two data centers

mgr — Fri, 13 Jul 2018 06:09:40 GMT

Hi Chyps,

Thanks a ton for your clear explanation. This answers my query completely.

Re: ISE deployment in two data centers

mgr — Mon, 16 Jul 2018 10:07:27 GMT

Hi,

To make myself very sure, Is the below mentioned diagram a valid design for positioning the ISE components? I am planning to position two PSNs one in each data cener. In case, the local PSN fails, the endpoints need to authenticate with the other DC's PSN.

Re: ISE deployment in two data centers

laurathaqi — Fri, 05 Feb 2021 09:28:58 GMT

Hi @mgr

Did you test your design? Can u please share more information about the outcome of the design in regards the L3 different center deployment of two PSNs, PAN and MnT nodes?

I do have almost the same setup and I would like to understand best practices.

Thank you,

Laura

Re: ISE deployment in two data centers

Marcelo Morais — Fri, 05 Feb 2021 17:31:00 GMT

Hi @laurathaqi

this is an old post (Jul, 2018) ... so please take a look at the following links:

1. ISE Performance & Scale ... search for Maximum Network Latency Between Nodes (300 ms - ISE 2.1+)

2. ISE Admin Guide 2.7 ... search for Create a Policy Service Node Group ("... make all PSNs in the same local network part of the same Node Group ...")

Hope this helps !!!

Re: ISE deployment in two data centers

laurathaqi — Fri, 05 Feb 2021 19:54:12 GMT

Hi @Marcelo Morais

Thank you for sharing the information. Highly helpful.

Best wishes,

Laura