topic Re: ISE Replication Process in Network Access Control

ISE Replication Process

gugonza2 — Mon, 13 Aug 2018 07:50:13 GMT

Hi Team,

I have a customer asking about Replication details in ISE, some questions:

- Is there any replication between Active Directory and PAN and PSN ?

- How is the Replication process between PAN, PSN and Active Directory ?

- What happen if I have a PSN with limited connections and can´t synchronize in 3 months ? will PSN stop functions without sync ?

Thanks in advanced.

Guillermo.

Re: ISE Replication Process

RichardAtkin — Mon, 13 Aug 2018 08:16:57 GMT

No. ISE queries AD via a Machine Account that exists in the domain. The ISE may cache previously successful authentications for a short period of time, but that's all. If a PSN isn't able to talk to AD for an extended period of time then it's Machine Account may expire and you may have to re-join it to the domain before it will authenticate Users again.

ISE does replicate its own config amongst the other participating ISE nodes, but I can't say I've ever tried leaving one stranded for three months... I can't imagine this being a strategy to encourage, especially if it's just a PSN and no PAN/MNT functionality to go with it. In this kind of use case you may be better off building it as a standalone box then at least you still have the ability to make changes, look at logs, not worry about using it in a way that it wasn't designed to support, etc.

Re: ISE Replication Process

gugonza2 — Mon, 13 Aug 2018 16:21:19 GMT

Thanks Richard.

The situation is; the customer has a movile site with large disconnected periods of time, the possible solution could include a redundant deployment with some PSNs with periods of disconnection.
The question is; if I have a PSN connected and synchronized with PAN/MnT, what will happen if this PSN disconnects from PAN/MnT ? it will work authentication/authorization ?
What is going to be the impact every time the PSN reconnect to network ?

Thanks in advanced.

Re: ISE Replication Process

gugonza2 — Thu, 16 Aug 2018 08:17:13 GMT

Hi Again,

Any comment or suggestion about my last update ? :

- PSN connected and synchronized with PAN/MnT, what will happen if this PSN disconnects from PAN/MnT ? it will work authentication/authorization ?

- Any issue if PSN is disconnected (no connection to PAN/MnT) form large period of time ?
- What is going to be the impact every time the PSN reconnect to network ?

Thanks in advance.

Re: ISE Replication Process

Craig Hyps — Thu, 16 Aug 2018 12:12:46 GMT

You may want to take a look at BRKSEC-3699 (reference version) available on ciscolive.com. Look for latest session from Orlando 2018. The session goes into some detail on replication process between PSNs and PAN. If replication queue on Primary PAN exceeds 1M messages, it will disconnect node and that node will require manual sync to restart automatic replication. In the process, a full sync of current config will be pulled down. If WAN/network conditions exist that will lead to this condition often, then consider making it separate deployment.

For MnT operational data, you can still send logs from one deployment to another to get central visibility into who is logging into network. PSNs will currently not buffer UDP logs when there is a network outage, but will buffer TCP and Secure Syslog up to the configured value (say 200MB) and will update MnT when connection reestablished.

/Craig