topic Re: Cisco ISE - Deployment question in Network Access Control

Cisco ISE - Deployment question

hervej — Wed, 07 Sep 2022 10:45:42 GMT

Hello,

I have a small question about the deployment of Cisco ISE.

Actually we are running a cluster of 2 members, each hosting PAN-MnT-PSN.

We want to extend the ISE functions to our "industrial network" separated by a DMZ.

To limit the trafic between the 2 zones, I would like to add one (or 2 for redundancy) server running only PSN server.

Is this kind of deployment allowed and supported by TAC ? If yes do I need a full ISE license or there are licenses to only run specific services of ISE ?

Thanks for your help.

Herve

Re: Cisco ISE - Deployment question

ahollifield — Wed, 07 Sep 2022 12:28:14 GMT

You will need to move to the Medium deployment as mentioned here: https://www.cisco.com/c/en/us/td/docs/security/ise/performance_and_scalability/b_ise_perf_and_scale.html#Cisco_Concept.dita_67b428f0-2240-4383-bd49-5eb7a7b98a35

You will need the following to remain in a supported Topology:

PAN + MnT
PAN + MnT
PSN
PSN
DMZ
- PSN
- PSN

Re: Cisco ISE - Deployment question

rschlayer — Wed, 07 Sep 2022 13:25:23 GMT

For any additional PSN you deploy (if virtual) you need to get a VM License (either VMS or VMC - see ordering guide).
It it not supported to go with 2x PSN, and 2x PSN,PAN,MNT. You need a medium deployment with separate PSN nodes from your PAN/MNT nodes.
See here: https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/guide-c07-656177.html

BG
Rick

Re: Cisco ISE - Deployment question

hervej — Wed, 07 Sep 2022 14:13:40 GMT

Re: Cisco ISE - Deployment question

ahollifield — Wed, 07 Sep 2022 14:37:13 GMT

Assuming LDAP means AD? Then its best practice to have all ISE nodes joined to the domain so you can do RBAC login to ISE using AD. If LDAP will strictly be for network authentication only (not AD or used for ISE admin login) then only the PSNs will need to talk to the LDAP server.

Re: Cisco ISE - Deployment question

hervej — Fri, 09 Sep 2022 07:05:06 GMT

Indeed I mean AD and it's a different domain in IT and OT.

What would be the best practice in this case as we are using RBAC in the IT side ?

PAN/MnT server installed in DMZ (able to reach AD at both side), PSN in OT and IT zone reaching their "local" AD ?

Re: Cisco ISE - Deployment question

ahollifield — Fri, 09 Sep 2022 14:35:09 GMT

You should integrate all ISE nodes with both ADs. A properly configured AD sites and services would allow the ISE nodes to contact their local domain controllers.