topic Re: PSN node Cisco ISE in Network Security

PSN node Cisco ISE

Tutu — Fri, 06 Nov 2020 07:12:48 GMT

Hello,

I want to know, are we supposed to create all the policies in the PSN node?

Thanks

Re: PSN node Cisco ISE

Nicolai Borchorst — Fri, 06 Nov 2020 07:50:41 GMT

No, the PSN node is responsible for network access request processing, RADIUS, Posture, Profiling, Web Redirection and Guest Portal. In short, all communication from your network environment goes to the PSN for processing.

All configurations such as Policies, Guest Portal, External Identity Stores etc. is done on the PAN (Policy Administration Node) while the MnT (Monitoring & Troubleshooting) node collects logs from your PAN, PSN and Network Devices (NAD's)

Re: PSN node Cisco ISE

balaji.bandi — Fri, 06 Nov 2020 09:32:51 GMT

ISE has 3 components - ( Depending on the size of your deployment all three personas can be run on the same device or spread across multiple devices for redundancy and scalability).

Policy Administration Node (PAN)
Monitoring Node (MnT)
Policy Services Node (PSN)

coming to your point - Policy Administration Node is where the administrator configure policies and make changes to the entire ISE system

Re: PSN node Cisco ISE

Tutu — Mon, 09 Nov 2020 09:50:50 GMT

thank u for that,

Also which would u consider the best way to do a user and machine authentication ?

Re: PSN node Cisco ISE

Mohammed al Baqari — Mon, 09 Nov 2020 16:05:24 GMT

I have used MAR and EAP-FAST with chaining. MAR can be flicky while
chaining will always work from my experience. So I suggest that you go for
chaining with anyconnect as NAM supplicant.

**** please remember to rate useful posts

Re: PSN node Cisco ISE

Tutu — Mon, 09 Nov 2020 18:01:02 GMT

So I have used eap chaining and I am facing some issues. the endpoint is already using anyconnect for wireless, and when i connect an endpoint to the switch it is not hitting any of the policies I have created for EAP chaining, in fact, it picks up the employee unknown policy for provisioning and does not detect that the endpoint already has anyconnect.

Re: PSN node Cisco ISE

Nicolai Borchorst — Mon, 09 Nov 2020 18:41:58 GMT

So the Anyconnect NAM module is already deployed for Wireless 802.1X? In that case you need to create an XML profile for Wired 802.1X using EAP-FASTv2 and enable Wired Autoconfig service in Windows.

See this document for reference https://www.cisco.com/c/en/us/support/docs/wireless-mobility/eap-fast/200322-Understanding-EAP-FAST-and-Chaining-imp.html

Re: PSN node Cisco ISE

Tutu — Mon, 09 Nov 2020 19:00:00 GMT

No wireless was not configured for ISE, but they use it when connecting to wireless normally, so when i connect my pc it shows that wired anyconnect has been connected but nothing happens after. So not really sure wht is actually going on.