Solved: Re: ACS deployments consolidation to a single ISE deployment

Samuel Vuillaume · ‎09-19-2018

Hi guys

My client has deployed many ACS env over the past years. They are looking at ISE and how to consolidate their various ACS env to 1 single ISE rightly sized

if there is a way to consolidate many ACS env (with various policy) and kind of assigning these Policies to certain PSNs in ISE? Like the previous ACS1 policies will be on PSN1 and PSN2, ACS2 on PSN3 and PSN4. Thx

Jason Kunst · ‎09-19-2018

That’s not how ise policies translate. Would recommend building ISE in parallel and building it out from scratch and learning how it works and implementing new clean policies as you build out

View solution in original post

Arne Bier · ‎09-19-2018

As @Jason Kunst mentioned, the configuration will be identical on all ISE nodes. Not sure why you want a PSN to have its own set of policy sets, unless the rules are so complex that it makes sense to dedicate a platform just for a specific use case. In that case you'd need a PAN/PSN combo for each specific Policy Set grouping. Hard to maintain (no single pane (or 'pain') of glass) and more expensive due to extra license.

Not sure what business case you're trying to solve.

Sounds to me like they need to consolidate the access control logic to see whether they can simplify things.

View solution in original post

Jason Kunst · ‎09-19-2018

That’s not how ise policies translate. Would recommend building ISE in parallel and building it out from scratch and learning how it works and implementing new clean policies as you build out

Arne Bier · ‎09-19-2018

As @Jason Kunst mentioned, the configuration will be identical on all ISE nodes. Not sure why you want a PSN to have its own set of policy sets, unless the rules are so complex that it makes sense to dedicate a platform just for a specific use case. In that case you'd need a PAN/PSN combo for each specific Policy Set grouping. Hard to maintain (no single pane (or 'pain') of glass) and more expensive due to extra license.

Not sure what business case you're trying to solve.

Sounds to me like they need to consolidate the access control logic to see whether they can simplify things.

Samuel Vuillaume · ‎09-20-2018

Thank you Arne. My client is currently having 5 ACS deployments that are totally isolated from each other. They have a very specific set of policy for each ACS deployment.

Because of ISE scability, they thought of consolidating all the ACS sets to 1 Single ISE deployment meaning all the policies from the 5 ACS would be migrated to the same PAN then pushing to all the PSN.

However they are looking still at compartmentalizing their policy set for the various ACS previous admin on the same PAN. Like the would access ISE and easily find their way (policies) on the PAN and only the PSN that will handle these policies.

For example the ACS1 admin can access the PAN, but only their rules and PSN's. Hope that makes sense

Jason Kunst · ‎09-21-2018

I would recommend setting up ISE 2.4 and getting familiar with the UI. Perhaps you can separate policy sets depending on NADS and assigning RBAC depending on that

Damien Miller · ‎09-19-2018

Samuel, I would like to recommend ISE as a service to you, but it doesn't exist, the acronym was already taken by Infrastructure as a service.

Joking aside, this sounds like it would be a great use case for a MSP style ISE, where ISE is compartmentalized like VDCs on Nexus, or cpanel in the webhosting world. An overall admin view, then unique containers of ISE running on the same nodes.

I did run in to a situation where this would have been helpful. I have found it hard to mix large ACS/TACACS environments in with RADIUS and Trustsec deployments. We ended up deploying a separate TACACS ISE simply because the NAD and Admin structure was too different.