topic Just so we are clear, ISE in Network Access Control

Utilizing PSN node groups in multiple datacenters

amohammed01 — Mon, 11 Mar 2019 06:04:09 GMT

I was looking for some information, I am setting up a Distributed Deployment of ISE. We have two data center each will have its own PSN Node group (load balanced), I need a strategy where we can make sure that all NADs are not pointing to one PSN node group. In the switch config I only see the option of listing the radius server where the first one listed is referenced and secondary IP is only used if the primary Radius server is not available. We have many branch sites that we would like deploy ISE, we would like to distribute the Radius AuthC/AuthZ evenly between the two DC.

Thanks

-Amin

Just so we are clear, ISE

jan.nielsen — Fri, 18 Sep 2015 16:46:55 GMT

Just so we are clear, ISE node groups does not do load-balancing, you need an external load-balancer for this. If you are in fact using a load-balancer for each DC, then you could just manually have half of your switches use one vip for primary and one for secondary, and the other half reversed. Also, if you use aaa server groups in your switch, you can also do local switch "load-balancing", based on how many active session are on each radius server in the group.

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_rad/configuration/15-sy/sec-usr-rad-15-sy-book/sec-rad-load-bal.html#GUID-EAADC56D-9634-49B9-A3DF-06932A3DCA1E

Re: Just so we are clear, ISE

aasaadsavola — Mon, 27 Jan 2020 10:25:39 GMT

For Correction the statment :

if you use aaa server groups in your switch, you can also do local switch "load-balancing", based on how many active session are on each radius server in the group.

aaa server groups in your switch, it does not do a function of Load balancer- the function is that all the session will hit first PSN and Second PSN will work as Backup for radius Requests