09-19-2018 10:47 AM
Hi guys,
My client has deployed many ACS environments over the past years. They are looking at ISE and how to consolidate their various ACS environments into one single, rightly sized ISE deployment, if there is a way to consolidate many ACS environments (with various policies) and kind of assign these policies to certain PSNs in ISE? Like the previous ACS1 policies would be on PSN1 and PSN2, ACS2 on PSN3 and PSN4. Thanks.
09-19-2018 10:51 AM
09-19-2018 03:54 PM
As @Jason Kunst mentioned, the configuration will be identical on all ISE nodes. Not sure why you want a PSN to have its own set of policy sets, unless the rules are so complex that it makes sense to dedicate a platform just for a specific use case. In that case you'd need a PAN/PSN combo for each specific Policy Set grouping. Hard to maintain (no single pane (or 'pain') of glass) and more expensive due to extra licenses.
Not sure what business case you're trying to solve.
Sounds to me like they need to consolidate the access control logic to see whether they can simplify things.
09-20-2018 10:56 AM
Thank you Arne. My client currently has 5 ACS deployments that are totally isolated from each other. They have a very specific set of policies for each ACS deployment.
Because of ISE scalability, they thought of consolidating all the ACS sets into one single ISE deployment, meaning all the policies from the 5 ACS deployments would be migrated to the same PAN and then pushed to all the PSNs.
However, they are still looking at compartmentalizing their policy sets for the previous admins of the various ACS deployments on the same PAN. They would access ISE and easily find their way (policies) on the PAN and only the PSNs that will handle these policies.
For example, the ACS1 admin can access the PAN, but only their rules and PSNs. Hope that makes sense.
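To make concrete what the replies above mean by "the configuration is identical on all ISE nodes", here is a small simulation added to this thread (not Cisco code and not the ISE ERS/OpenAPI): each PSN holds the same ordered list of policy sets replicated from the PAN, and the policy set a request lands in is chosen top-down by conditions, typically a Network Device Group (NDG) such as Location, not by which PSN the NAD happens to talk to. The five former ACS deployments become five policy sets selected by NDG conditions, and a default set closes the list. The attribute name `DEVICE.Location`, the location values and the policy set names are all constructed for the illustration.

```python
"""Simplified model of ISE policy-set selection across replicated PSNs.

Constructed illustration for this thread, not ISE code. It mirrors two
behaviours the replies rely on:
  * every PSN evaluates the same ordered list of policy sets, and
  * the first policy set whose condition matches wins (top-down).
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

Request = Dict[str, str]          # RADIUS/TACACS request attributes (constructed keys)


@dataclass(frozen=True)
class PolicySet:
    name: str                     # e.g. one set per former ACS deployment
    condition: Callable[[Request], bool]
    result: str                   # stand-in for the profile returned on a match


def ndg_location_is(location: str) -> Callable[[Request], bool]:
    """Condition on a Network Device Group value; 'DEVICE.Location' is an
    assumed attribute name standing in for the NDG dictionary."""
    return lambda req: req.get("DEVICE.Location") == location


def protocol_is(proto: str) -> Callable[[Request], bool]:
    return lambda req: req.get("Protocol") == proto


def both(*conds: Callable[[Request], bool]) -> Callable[[Request], bool]:
    return lambda req: all(c(req) for c in conds)


# One ordered list on the PAN. Constructed names: each set stands for the
# rules migrated from one isolated ACS deployment. Default is always last.
POLICY_SETS: List[PolicySet] = [
    PolicySet("ACS1-Campus-TACACS", both(ndg_location_is("Campus"), protocol_is("TACACS")), "ACS1-Shell-Profile"),
    PolicySet("ACS2-DataCenter-RADIUS", both(ndg_location_is("DataCenter"), protocol_is("RADIUS")), "ACS2-Authz-Profile"),
    PolicySet("ACS3-Branch", ndg_location_is("Branch"), "ACS3-Authz-Profile"),
    PolicySet("ACS4-WAN-Edge", ndg_location_is("WAN-Edge"), "ACS4-Shell-Profile"),
    PolicySet("ACS5-Lab", ndg_location_is("Lab"), "ACS5-Authz-Profile"),
    PolicySet("Default", lambda req: True, "DenyAccess"),
]


def select_policy_set(policy_sets: List[PolicySet], request: Request) -> PolicySet:
    """Top-down, first-match evaluation of the policy set list."""
    for ps in policy_sets:
        if ps.condition(request):
            return ps
    raise LookupError("no policy set matched; the Default set should be last")


@dataclass
class PSN:
    name: str
    policy_sets: List[PolicySet]  # replicated from the PAN; identical on every node

    def evaluate(self, request: Request) -> str:
        return select_policy_set(self.policy_sets, request).name


def build_deployment(psn_names: List[str]) -> List[PSN]:
    """Every PSN receives the same policy set list from the PAN."""
    return [PSN(n, POLICY_SETS) for n in psn_names]


def decisions_agree(psns: List[PSN], request: Request) -> bool:
    """True when every PSN lands the request in the same policy set, which is
    why a NAD pointed at PSN3 still hits the 'ACS1' rules if its NDG says so."""
    return len({p.evaluate(request) for p in psns}) == 1


if __name__ == "__main__":
    deployment = build_deployment(["PSN1", "PSN2", "PSN3", "PSN4"])
    # Constructed sample requests.
    campus_tacacs = {"DEVICE.Location": "Campus", "Protocol": "TACACS"}
    dc_radius = {"DEVICE.Location": "DataCenter", "Protocol": "RADIUS"}
    unknown = {"DEVICE.Location": "Unlisted", "Protocol": "RADIUS"}
    for psn in deployment:
        print(psn.name, psn.evaluate(campus_tacacs), psn.evaluate(dc_radius), psn.evaluate(unknown))
    print("all PSNs agree:", decisions_agree(deployment, campus_tacacs))
```

The practical consequence for the compartmentalization question is that "ACS1 policies only on PSN1 and PSN2" is expressed as an NDG condition on the policy set plus a NAD server list that points the ACS1 devices at PSN1/PSN2; the policy logic itself still lives on every node. Note also that a request whose NDG matches none of the migrated sets falls through to Default, so the order of the list and a restrictive Default are what keep a mis-grouped NAD from silently landing in another former deployment's rules.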
09-21-2018 02:04 PM
09-19-2018 04:20 PM
Samuel, I would like to recommend ISE as a service to you, but it doesn't exist, the acronym was already taken by Infrastructure as a service.
Joking aside, this sounds like it would be a great use case for an MSP-style ISE, where ISE is compartmentalized like VDCs on Nexus, or cPanel in the web hosting world. An overall admin view, then unique containers of ISE running on the same nodes.
I did run into a situation where this would have been helpful. I have found it hard to mix large ACS/TACACS environments in with RADIUS and TrustSec deployments. We ended up deploying a separate TACACS ISE simply because the NAD and admin structure was too different.