topic Re: Can deploy Cisco ISE 2 Cluster for VPN GW in Network Access Control

Can deploy Cisco ISE 2 Cluster for VPN GW

jewfcb001 — Wed, 16 Mar 2022 10:10:28 GMT

Hi All ,

I have plan to deploy Cisco ISE 2 Cluster and 2 Cluster but configuration and internal user it's same .

In Case Cisco ISE Clustuer-1 or Cluster 2 Fail All , I'm not sure I facing issue about session struck or accounting stuck or not ? The customer need to separate Group of Cisco ISE

Re: Can deploy Cisco ISE 2 Cluster for VPN GW

Rob Ingram — Wed, 16 Mar 2022 10:35:21 GMT

@jewfcb001 I'm not really sure of the question here, but you can configure the VPN GW (either ASA or FTD) to use ISE cluster for aaa. If you have different ASA/FTD connection profiles/tunnels groups you could point these to different ISE clusters.

Re: Can deploy Cisco ISE 2 Cluster for VPN GW

balaji.bandi — Wed, 16 Mar 2022 10:48:23 GMT

as mentioned other post we are not clear what is the issue or what you trying to achive here :

look some deployment guide can help you :

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/install_guide/b_ise_InstallationGuide24/b_ise_InstallationGuide24_chapter_00.html

Re: Can deploy Cisco ISE 2 Cluster for VPN GW

jewfcb001 — Wed, 16 Mar 2022 10:50:50 GMT

@Rob Ingram

Hi Rob . I mean if I have tunnel-group and point to 4 ISE (ISE 1.1.1.1 and 1.1.1.2 same cluster) and (ISE 2.1.1.1 and 2.1.1.2 same cluster) Incase ISE 1.1.1.1 and ISE 1.1.1.2 down . Can VPN gateway authentication to ise cluster-2 and do you have concern with my scenario ?

example

aaa-server ISE protocol radius
aaa-server ISE (inside) host 1.1.1.1
aaa-server ISE (inside) host 1.1.1.2

aaa-server ISE (inside) host 2.1.1.1

aaa-server ISE (inside) host 2.1.1.2

Re: Can deploy Cisco ISE 2 Cluster for VPN GW

jewfcb001 — Wed, 16 Mar 2022 10:53:11 GMT

@balaji.bandi

Hi balaji ,

as i explain Rob above . Can VPN gateway authentication to ise cluster-2 incase ise 1.1.1.1 and ise 1.1.1.2 down. ?

example

aaa-server ISE protocol radius
aaa-server ISE (inside) host 1.1.1.1
aaa-server ISE (inside) host 1.1.1.2

aaa-server ISE (inside) host 2.1.1.1

aaa-server ISE (inside) host 2.1.1.2

Re: Can deploy Cisco ISE 2 Cluster for VPN GW

Rob Ingram — Wed, 16 Mar 2022 10:55:46 GMT

@jewfcb001 1 tunnel group pointing to 2 separate ISE clusters, that's not really a great idea in my opinion. You'd have to configure both ISE clusters independantly and there are chances of misconfiguration on one ISE cluster but not the other.

You could do what you suggested, but configuring the VPN gateway to authentication to 1 ISE cluster with 2 (or more) PSN nodes should be sufficient.

Re: Can deploy Cisco ISE 2 Cluster for VPN GW

jewfcb001 — Wed, 16 Mar 2022 11:03:05 GMT

@Rob Ingram

Thank you for your information . I accept with you recommend but I get requirement from the customer . I don't understand this scenario from the customer. About misconfiguration on one ISE cluster i try to tell the customer . He understand for this .

But if this scenario I can do but have any concern i will let him know.