Beginner

ISE PSN License

We currently have ISE 1 and ISE 2 in deployment and it is our inside firewall. I am thinking of adding an additional standalone ISE3 PSN dedicated just to the DMZ zone for guests that are going to be anchored to that zone. It is going to be used strictly for sponsored CWA.

A base license and endpoint licenses, for example if we want to support 100-500 endpoints for guest, is what I need, correct?


Accepted Solutions
Cisco Employee

Re: ISE PSN License

Also, you need to clarify what exactly you’re trying to do. It sounds like you want to stand up a separate ISE deployment for guest only? That’s fine; customers do that for total isolation. I would recommend a standalone HA deployment (small) for that.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/install_guide/b_ise_InstallationGuide24/b_ise_InstallationGuide24_chapter_00.html

Otherwise, like Tim said, please look at the guest deployment guide for PSN interface options:
https://community.cisco.com/t5/security-documents/ise-guest-access-deployment-guide/ta-p/3640475

That would need base licenses for guest, and it all depends on how many you anticipate (I would recommend looking at the ordering guide as well).
https://www.cisco.com/c/dam/en/us/products/collateral/security/identity-services-engine/guide_c07-656177.pdf
5 REPLIES
Cisco Employee

Re: ISE PSN License

Instead of standing up another PSN, why not use one of the existing PSNs and put one of the interfaces in the DMZ VLAN? ISE PSNs do not route traffic between interfaces and can serve up the portal on that interface.

Regards,
Tim
Beginner

Re: ISE PSN License

This is exactly what we have now. We have two interfaces on our virtual primary ISE: one is inside and the other is in the DMZ, where it responds to the 8443 CWA portal for guest authentication/authorization. It works great and we think it is perfect.

I am trying to convince my boss to purchase it just for the sake of isolation, a standalone ISE in the DMZ zone. This includes me gathering how much it would cost and the required license.

Does the standalone ISE 3 need to talk to ISE 1 and ISE 2 from the DMZ to the inside for any data?

Cisco Employee

Re: ISE PSN License

A standalone ISE deployment is totally separate and doesn’t talk inside at all. Unless you want it to do something internal ☺ It might be unnecessary as the system is secure. However, if you have requirements to totally isolate, then that’s fine.

Another nice thing about a separate deployment is that you can update it separately from internal if needed for fixes or features down the road.

I would recommend talking to sales about what you should be purchasing as well, so they can help design and get the right support and licenses.
Beginner

Re: ISE PSN License

Got it. How do you handle the management on that ISE? What would be the best practice or ideal for managing an isolated ISE?