ISE / Merging two separate ISE Deployments into one

klauerma
Cisco Employee

I have a customer that has ISE deployed and has acquired another company that has their own separate ISE deployment. The customer was wondering if we have a best practices guide to address the merging of these two separate ISE deployments into a single deployment. Any input based on the below information will be appreciated.

Here is their scenario:

The customer has 2 different locations that are each running independent ISE implementations.

Branch 1 - 2 admin/monitoring nodes and 2 PSNs, 2,500 Base Licenses
Branch 2 - 2 admin/monitoring nodes and 2 PSNs, 2,500 Base Licenses

All 4 of these servers at each site are supposed to be 3395s.

The customer is going to eliminate these implementations of ISE and position a single ISE deployment in their HQ.

Greenfield HQ
===========
2 Admin and Monitoring Nodes licensed for 10k users
4 PSNs

They want to place a Netscaler load balancer in front of the PSNs and distribute traffic to them.

They have a requirement that nothing can be changed on the NADs as far as AAA RADIUS server IP addresses, so therefore the Netscaler box will need to represent 4 VIPs -- the AAA server addresses.

They want authentication requests from Branch 1 to be directed to two dedicated PSNs and requests from Branch 2 to be directed to the other two PSNs.

They wanted a backup scenario in the event they lost the Netscaler, and I don't see that capability existing as nothing can be modified on the NAD -- just the LB or PSNs.

1 Reply

Arne Bier
VIP

Hi @klauerma

If the NAD devices are not to be touched/changed, then the VIP concept will work. My only question would be whether the CoA client definitions on the NAD can be accommodated with this design. The Netscaler will have to Source NAT the RADIUS requests initiated from the PSN nodes to be that of the VIP - I don't know how you would do that? Without the SNAT, the CoA traffic will look like it came from the PSN's real IP address, which will then be rejected by the NAD. The solution would be to change the NAD config to allow CoA from the real PSN source IP address. Apparently SNAT for CoA is commonly done and Netscaler should support that.

As for the failover - wow! Yeah - if Netscaler VIPs go away then the NADs have nothing to talk to. Game over. Reconfiguring a bunch of PSNs is not a clean solution. It would make more sense to ensure that the load balancer infrastructure is redundant and highly available (I know I am preaching to the choir ...)

To be honest, even if the customer allowed re-configuring the RADIUS servers on the NADs, then you would still need to ensure that the PSNs have the correct IP return path for that traffic (check the PSN routing tables and see what the default gateway is ... will it be able to return the RADIUS traffic sent directly by the NADs? If not, then you would need to add some static routes to the PSN). It would be a nightmare.
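An added example (not from the thread or from Cisco) that audits the CoA-source mismatch described in the reply: the NAD sends RADIUS to the load balancer VIPs, but PSN-initiated CoA arrives from the PSN real IP unless the load balancer source-NATs it, so the NAD's dynamic-author client list must contain whichever address it will actually see. The IOS-style config text, VIPs and PSN addresses below are constructed for illustration.

```python
"""Audit a NAD's RADIUS server and CoA (dynamic-author) client definitions
against a VIP-fronted ISE design. Added example, not the original poster's
code. The config and addresses are constructed, not from a real device."""
import re

# Constructed NAD config in IOS-style syntax (assumed for illustration).
NAD_CONFIG = """
radius server ISE-VIP-1
 address ipv4 10.10.1.10 auth-port 1812 acct-port 1813
radius server ISE-VIP-2
 address ipv4 10.10.1.11 auth-port 1812 acct-port 1813
aaa server radius dynamic-author
 client 10.10.1.10 server-key MySecret
 client 10.10.1.11 server-key MySecret
"""

# Constructed design inputs: the VIPs the NAD is allowed to reference and
# the real PSN addresses behind them.
VIPS = {"10.10.1.10", "10.10.1.11"}
PSN_REAL_IPS = {"10.20.5.21", "10.20.5.22"}


def parse_nad(config):
    """Return (radius_server_ips, coa_client_ips) found in the config."""
    radius = set(re.findall(r"^\s*address ipv4 (\S+)", config, re.M))
    coa, in_da = set(), False
    for line in config.splitlines():
        if line.startswith("aaa server radius dynamic-author"):
            in_da = True          # entering the CoA client section
        elif in_da and line.startswith(" client "):
            coa.add(line.split()[1])
        elif in_da and line and not line.startswith(" "):
            in_da = False         # next top-level stanza ends the section
    return radius, coa


def audit(config, vips, psn_real_ips, coa_snat_to_vip):
    """List design problems. coa_snat_to_vip=True means the load balancer
    rewrites PSN-initiated CoA so the NAD sees the VIP as the source;
    False means CoA reaches the NAD from the PSN's real address."""
    radius, coa = parse_nad(config)
    issues = []
    for ip in sorted(radius - vips):
        issues.append(f"RADIUS server {ip} is not a VIP; NAD change needed")
    expected_coa_sources = vips if coa_snat_to_vip else psn_real_ips
    for ip in sorted(expected_coa_sources - coa):
        issues.append(f"CoA from {ip} rejected: not a dynamic-author client")
    return issues
```

Run `audit(NAD_CONFIG, VIPS, PSN_REAL_IPS, False)` to see the rejections the reply predicts without SNAT; with `True` the same config passes.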
