ACS Deployment to ISE

dmr23
Level 1

Hi

I have an ACS deployment which I need to migrate to ISE. What are the recommendations if the ACS consists of 3 nodes? Small ISE deployments cannot have an odd number of nodes: 1 node for PAN, 1 Secondary and 1 PSN, which means that the PSN won't be in HA. What would be the best approach for 3 ACS nodes?


Regards

Accepted Solution

thomas
Cisco Employee

You should be fine with 2 ISE nodes for scale and HA.

Verify your scale needs @ https://cs.co/ise-scale

See https://cs.co/acstoise for the actual migration considerations.


balaji.bandi
Hall of Fame

Why do you have 3 ACS nodes? Distributed deployment? What is the role of ACS for now?

ISE only for device administration, or for dot1.X authentication?

If it is not large, you can deploy a 2-node deployment, active/standby.


https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/install_guide/b_ise_InstallationGuide24/b_ise_InstallationGuide24_chapter_00.html

More resources can be found here:

https://community.cisco.com/t5/security-documents/cisco-ise-amp-nac-resources/ta-p/3621621#Implement


BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi Balaji,

Why you have ACS 3 nodes?

The ACS deployment was configured many years ago; I don't have an answer for that.

what is the role of ACS for now?

Node 1 is Primary; nodes 2 and 3 are for TACACS.

ISE only device administration or dot1.X authentication

So we are only interested in TACACS management; dot1.x is not required.

We cannot change the number of nodes with the TACACS role, as we have thousands of devices pointing to the ACS nodes; we must match the number of ACS nodes receiving TACACS traffic with PSNs in the ISE deployment. So using 1 PSN, 1 Primary and 1 Secondary won't have HA in ISE, or won't match the network devices sending the traffic to two nodes.

I would like to have the best recommendation in this scenario.

Thanks in advance.

I was just advising that since you are refreshing to new technology, you should take the best of it and make it highly available.

I am sure all the devices requiring TACACS have primary and secondary servers configured. So in this case, building a 2-node primary/secondary deployment gives high availability and consolidates the existing environment with a correct design, so it looks like a tidy job; this is my suggestion.

If the thousands of devices point to only 1 ACS, not to a group, then it is time to correct it. I am sure you configured fallback to a local account in case ACS fails.

You can make a small script to change the device entries to use a group, if you want to do a good job. This is purely a decision of how the business wants it, or whether one wants to do it the right way.

So using 1 PSN, 1 Primary and 1 Secondary won't have HA in ISE or won't match the network devices sending the traffic to two nodes.

This also works, if you would like to move forward with this approach.

I have seen places where the Cisco CVD cannot be used and deployed, due to other business decisions.

BB

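An added example of the "small script" suggested above (not code from the thread or from Cisco): it reads a device's legacy per-host `tacacs-server host` entries and generates the IOS CLI that points the device at a named TACACS+ server group backed by a 2-node ISE deployment, keeping `local` as the fallback method so the device cannot lock out administrators if both ISE nodes are unreachable. The sample config, ISE node names and addresses, and the shared-secret placeholder are all constructed assumptions.

```python
import re

# Constructed legacy IOS config: the device points at individual ACS nodes
# (hypothetical addresses and key, not from the thread).
LEGACY_CONFIG = """\
tacacs-server host 10.0.0.11 key legacykey
tacacs-server host 10.0.0.12 key legacykey
aaa authentication login default group tacacs+
aaa authorization exec default group tacacs+
"""

# Hypothetical 2-node ISE deployment: (server name, IP address).
ISE_NODES = [("ISE-NODE-1", "10.0.0.21"), ("ISE-NODE-2", "10.0.0.22")]

HOST_RE = re.compile(r"^tacacs-server host (\S+)")


def legacy_hosts(config):
    """Return the ACS node addresses the device currently points at."""
    hosts = []
    for line in config.splitlines():
        match = HOST_RE.match(line)
        if match:
            hosts.append(match.group(1))
    return hosts


def build_migration(config, ise_nodes, group="ISE-TACACS", key="<TACACS-SHARED-SECRET>"):
    """Generate IOS CLI that replaces per-host ACS entries with a named server group.
    The new group is defined first and the legacy hosts are removed last, so the
    device is never left without a TACACS+ server during the change."""
    cmds = []
    for name, ip in ise_nodes:
        cmds += [f"tacacs server {name}", f" address ipv4 {ip}", f" key {key}"]
    cmds.append(f"aaa group server tacacs+ {group}")
    cmds += [f" server name {name}" for name, _ in ise_nodes]
    # 'local' at the end of each method list is the fallback when no ISE node answers.
    cmds += [f"aaa authentication login default group {group} local",
             f"aaa authorization exec default group {group} local"]
    cmds += [f"no tacacs-server host {host}" for host in legacy_hosts(config)]
    return cmds


def has_local_fallback(cmds):
    """Pre-push check: every aaa authentication/authorization line ends with 'local'."""
    aaa = [c for c in cmds if c.startswith(("aaa authentication", "aaa authorization"))]
    return bool(aaa) and all(c.split()[-1] == "local" for c in aaa)


if __name__ == "__main__":
    migration = build_migration(LEGACY_CONFIG, ISE_NODES)
    assert has_local_fallback(migration), "refusing to push config without local fallback"
    print("\n".join(migration))
```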
