topic Re: ISE Deployment Advise in Network Access Control

ISE Deployment Advise

NETAD — Wed, 26 Sep 2018 19:17:13 GMT

Hello, I have a client who will be deploying ISE as a radius proxy server only. He will be doing it for corp wireless to relay authentication requests to an MFA server and he doesn't want to do any further authorization on ISE.

He has a about 1 to 2 thousands wireless devices and might scale to a slightly higher number of devices in the future.

60 sites with 3 data centers and want to deploy the ISE nodes across those 3 DC locations for high availability.

What's the minimum number of ISE nodes can we deploy for him and put him in a position that allows him to scale in the future if he decides to do more on ISE and add more PSNs following the Cisco recommendations.

Is a 2 node deployment an option:

Node 1: Primary Admin, Secondary MnT, PSN

Node 2: Secondary Admin, Primary MnT, PSN

Or is a 3 node deployment a supported Cisco design?

Node 1: primary Admin, Secondary MnT, PSN

Node 2: Secondary Admin, Primary MnT, PSN

Node 3: PSN

or 4 or 5?

Thanks

Re: ISE Deployment Advise

Jason Kunst — Wed, 26 Sep 2018 19:20:44 GMT

I would recommend a small ise deployment with 2 servers running all personas (PAN,MNT,PSN) for HA

The supported configurations are here:
https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/install_guide/b_ise_InstallationGuide24/b_ise_InstallationGuide24_chapter_00.html#ID-1413-0000008e

Re: ISE Deployment Advise

NETAD — Wed, 26 Sep 2018 19:31:22 GMT

Thanks Jason is a three or a four node deployment doable at all I know it’s not in the deployment guide but will Cisco still support this model? and How would you configure the personas? the customer keeps asking for a three or four node deployment.

Also of we go with 3 or 4 would be the same process to add psns down the road?

Re: ISE Deployment Advise

Jason Kunst — Wed, 26 Sep 2018 19:44:44 GMT

The guide shows what’s supported

If you want standalone PSNs you have to move to medium deployment that doesn’t allow that persona to run on same box as PAN/MNT

I would recommend starting in small deployment and then later migrate PSNs to medium or even large down the road. You could start with a large appliance so that could always be ready for any deployment size . You can always disable the small deployment psn easily in the UI

Re: ISE Deployment Advise

NETAD — Wed, 26 Sep 2018 20:25:32 GMT

So pretty much start with a small deployment with al all personas then down the road disable the PSNs in the UI, and add standalone PSNs.

Re: ISE Deployment Advise

Jason Kunst — Wed, 26 Sep 2018 20:28:34 GMT

Yes

Re: ISE Deployment Advise

NETAD — Wed, 26 Sep 2018 20:38:57 GMT

Sounds good. Is it possible to just add one standalone psn to the existing 2?

Re: ISE Deployment Advise

Jason Kunst — Wed, 26 Sep 2018 21:03:34 GMT

No as stated before its not supported unless you separate into medium deployment

Re: ISE Deployment Advise

NETAD — Wed, 26 Sep 2018 21:40:47 GMT

Thanks. We will be going with a 4 node deployment.
HQ:
Node #1: Primary Admin, Secondary MnT
Node #2: PSN#1
DC
Node #3: Secondary Admin, Primary MnT
Node #4: PSN#2

Re: ISE Deployment Advise

NETAD — Thu, 27 Sep 2018 13:28:29 GMT

Hi Jason, the customer is insisting on 3 standalone ISE nodes and mirroring the config on all nodes. His excuse is that ISE isn't doing what ISE is supposed to be doing. What would be the implications of a such design.

Re: ISE Deployment Advise

Jason Kunst — Thu, 27 Sep 2018 13:55:41 GMT

Now you’re talking about two different things.

As stated before the supported options are in the guys that I shared with you. Other combinations are not tested and therefore not supported.

I see no issue going with a standalone deployment using two separate boxes for high-availability . Each box has a policy service now and running on it and your network access devices would point to each for failover. As we discussed before this can be easily scaled up by removing those personas and then turning them up on separate boxes. This is the recommended approach.If he you are utilizing virtual machines then it makes it even easier to size and split them out. If you’re going with appliances You can start small and when customer decides to split then they could repurpose them as PSNs and then buy larger appliance as admin/monitor

Otherwise It seems like you’re now talking about three separate ise deployments. This is wrong on many levels.
#1 information and configuration will not be synchronized between the deployments . There is no manager of managers
#2 since your network access devices will point to a PSN in one deployment and then fail over to another deployment The endpoint information will be mismatch and start fresh
#3 I believe you have to pay for services support for each?
#4 for standard licensing you would have to purchase separate licenses
#5 There are more but I’m pretty much tapped out. This is not a good approach

Re: ISE Deployment Advise

NETAD — Thu, 27 Sep 2018 14:21:08 GMT

Thank you Jason. I'm proposing all the supported designs from the Cisco design guide but the customer keeps coming back and insisting on the wrong design and he doesn't care much about re-desigining down the road or being unsupported. I liked all the reasons you provided for a 3 standalone deployment and I agree it's wrong.

I suggested a small deployment with 2 nodes running all personas or a 4 node deployment like I mentioned before but he came back asking for 3!!

When you say "I see no issue going with a standalone deployment using two separate boxes for high-availability" are you referring to the small deployment with 2 admin (1primary one secondary) 2 MnTs (1 primary, one secondary) and 2 PSNs (both active) and of course building that trust relationship between the 2.

Thanks for your help and prompt responses to me.

Re: ISE Deployment Advise

Jason Kunst — Thu, 27 Sep 2018 14:30:41 GMT

Sorry unfortunately customer is wrong and this has to stop 🙂

Quote:
When you say "I see no issue going with a standalone deployment using two separate boxes for high-availability" are you referring to the small deployment with 2 admin (1primary one secondary) 2 MnTs (1 primary, one secondary) and 2 PSNs (both active) and of course building that trust relationship between the 2.

Recommendation is
Small deployment standalone
2 boxes running pan/mnt/pan on each box.
Box1 runs primary pan/mnt
Box2 runs secondaries
Each box has active psn
This is all in the deployment guide

Re: ISE Deployment Advise

NETAD — Thu, 27 Sep 2018 14:33:03 GMT

Hoping he will today 🙂 Thanks for your help.