https://community.cisco.com/t5/network-access-control/ise-1-4-inline-posture-nodes/m-p/3461678#M539311 <HTML><HEAD></HEAD><BODY><P>Its best to try and stay away from deployments using IPN where possible. On the VPN side the ASA support COA natively. As we increase 3rd party support there will be less of a need for the IPN.</P><P></P><P><A href="http://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/117693-configure-ASA-00.html" title="http://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/117693-configure-ASA-00.html">ASA Version 9.2.1 VPN Posture with ISE Configuration Example - Cisco</A></P><P></P><P>Notice in ISE 2.0 that its no longer supported</P><P><A href="http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/release_notes/ise20_rn.html#pgfId-587660" title="http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/release_notes/ise20_rn.html#pgfId-587660">Release Notes for Cisco Identity Services Engine, Release 2.0 - Cisco</A></P></BODY></HTML> Tue, 29 Mar 2016 14:57:46 GMT Jason Kunst 2016-03-29T14:57:46Z https://community.cisco.com/t5/network-access-control/ise-1-4-inline-posture-nodes/m-p/3461674#M539305 <HTML><HEAD></HEAD><BODY><P>Hello Team,</P><P>how many standalone IPN nodes can work simultaneously in ISE deployment? My customer adds one IPN and do not switch on HA settings. After that he adds a second one and it already do not have Standalone options (Deployment Modes, Filters, Radius Config, Managed Subnets etc.). Is it expected that second node added is treated by ISE as secondary? Thank you for answer.</P><P></P><P>Best regards,<BR />Jan</P></BODY></HTML> Tue, 29 Mar 2016 10:51:07 GMT https://community.cisco.com/t5/network-access-control/ise-1-4-inline-posture-nodes/m-p/3461674#M539305 janwegrz 2016-03-29T10:51:07Z https://community.cisco.com/t5/network-access-control/ise-1-4-inline-posture-nodes/m-p/3461675#M539306 <HTML><HEAD></HEAD><BODY><P>According to the ISE 1.4 Admin Guide:</P><BLOCKQUOTE><TABLE border="1"><TBODY><TR><TD> <P>Unlike other personas, Inline Posture is unable to share a node with other services. This inability to share a</P> <P>node means that Inline Posture must be a dedicated node that is registered to the PAN on your network.</P> <P></P> <P><STRONG>Cisco ISE allows you to have up to two Inline Posture nodes configured as an active-standby pair for high </STRONG><STRONG>availability.</STRONG></P> </TD></TR></TBODY></TABLE></BLOCKQUOTE><P></P><P>A maximum of 2 IPN are allowed in an ISE deployment.&nbsp; One acting as an HA standby.&nbsp; I have linked the specific section below.</P><P></P><P><A href="http://www.cisco.com/c/en/us/td/docs/security/ise/1-4/admin_guide/b_ise_admin_guide_14/b_ise_admin_guide_14_chapter_0100.html#ID61" title="http://www.cisco.com/c/en/us/td/docs/security/ise/1-4/admin_guide/b_ise_admin_guide_14/b_ise_admin_guide_14_chapter_0100.html#ID61">Cisco Identity Services Engine Administrator Guide, Release 1.4 - Set Up Inline Posture [Cisco Identity Services Engine…</A></P><P></P><P></P><P>Charles Moreton</P></BODY></HTML> Tue, 29 Mar 2016 14:27:45 GMT https://community.cisco.com/t5/network-access-control/ise-1-4-inline-posture-nodes/m-p/3461675#M539306 Charlie Moreton 2016-03-29T14:27:45Z https://community.cisco.com/t5/network-access-control/ise-1-4-inline-posture-nodes/m-p/3461676#M539307 <HTML><HEAD></HEAD><BODY><P>IPNs are considered Network Access Devices on the network so it will support many of them <IMG src="https://community.cisco.com/legacyfs/online/emoticons/happy.png" /></P><P></P><P>In the document it actually says <SPAN style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px;">At any network entry point, like VPN headend using ASA or group of ASAs in an HA cluster, a maximum of 2 Inline Posture nodes can be deployed as active-standby pair for high-availability. You can have several HA pairs in a deployment.</SPAN></P><P></P><P>In this guide it also explains it a little differently</P><P><A href="http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/installation_guide/ise_ig/ise_deploy.html#29252" title="http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/installation_guide/ise_ig/ise_deploy.html#29252">Cisco Identity Services Engine Hardware Installation Guide, Release 1.2 - Network Deployments in Cisco ISE [Cisco Identi…</A></P><H2 class="p_H_Head1" style="font-size: 14px; color: #336666; font-family: Arial, Helvetica, sans-serif; margin: 14px 0 7px -0.1in;">Inline Posture Planning Considerations</H2><P class="pB1_Body1" style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; margin: 1px 0 6px;"><A name="pgfId-1153230"></A>A network or system architect is responsible for researching the issues involved in Inline Posture deployment to determine what best suits network requirements.</P><P class="pB1_Body1" style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; margin: 1px 0 6px;"><A name="pgfId-1153770"></A>A network or system architect must address the following basic questions when planning to deploy Inline Posture nodes:</P><UL><LI><A name="pgfId-1153231"></A>Will deployment plans include an Inline Posture primary-secondary pair configuration? Cisco ISE networks support up to two Inline Posture nodes configured on a network at any one time.</LI><LI><A name="pgfId-1153790"></A>What type of Inline Posture operating modes will you choose?</LI></UL></BODY></HTML> Tue, 29 Mar 2016 14:38:52 GMT https://community.cisco.com/t5/network-access-control/ise-1-4-inline-posture-nodes/m-p/3461676#M539307 Jason Kunst 2016-03-29T14:38:52Z https://community.cisco.com/t5/network-access-control/ise-1-4-inline-posture-nodes/m-p/3461677#M539309 <HTML><HEAD></HEAD><BODY><P>Interesting.&nbsp; Though I do not see where it states that you can have multiple IPN HA Pairs.&nbsp; All I see is this statement:</P><P></P><P>Cisco ISE allows you to have two Inline Posture nodes, and they can take on primary or secondary roles for high availability.</P><P>and</P><P>Cisco ISE networks support up to two Inline Posture nodes configured on a network at any one time.</P><P></P><P>It would certainly make sense to allow for multiple instances, but the documentation seems lacking.&nbsp; <span class="lia-unicode-emoji" title=":confused_face:">😕</span></P><P></P><P>Maybe different network segments or entry points on separate networks...</P></BODY></HTML> Tue, 29 Mar 2016 14:49:51 GMT https://community.cisco.com/t5/network-access-control/ise-1-4-inline-posture-nodes/m-p/3461677#M539309 Charlie Moreton 2016-03-29T14:49:51Z https://community.cisco.com/t5/network-access-control/ise-1-4-inline-posture-nodes/m-p/3461678#M539311 <HTML><HEAD></HEAD><BODY><P>Its best to try and stay away from deployments using IPN where possible. On the VPN side the ASA support COA natively. As we increase 3rd party support there will be less of a need for the IPN.</P><P></P><P><A href="http://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/117693-configure-ASA-00.html" title="http://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/117693-configure-ASA-00.html">ASA Version 9.2.1 VPN Posture with ISE Configuration Example - Cisco</A></P><P></P><P>Notice in ISE 2.0 that its no longer supported</P><P><A href="http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/release_notes/ise20_rn.html#pgfId-587660" title="http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/release_notes/ise20_rn.html#pgfId-587660">Release Notes for Cisco Identity Services Engine, Release 2.0 - Cisco</A></P></BODY></HTML> Tue, 29 Mar 2016 14:57:46 GMT https://community.cisco.com/t5/network-access-control/ise-1-4-inline-posture-nodes/m-p/3461678#M539311 Jason Kunst 2016-03-29T14:57:46Z