Samuel Vuillaume
Cisco Employee
ACS deployments consolidation to a single ISE deployment

Hi guys,

My client has deployed many ACS environments over the past years. They are looking at ISE and at how to consolidate their various ACS environments into a single, rightly sized ISE deployment.

Is there a way to consolidate many ACS environments (with various policies) and kind of assign these policies to certain PSNs in ISE? Like the previous ACS1 policies would be on PSN1 and PSN2, ACS2 on PSN3 and PSN4. Thx

2 ACCEPTED SOLUTIONS
Jason Kunst
Cisco Employee

That's not how ISE policies translate. I would recommend building ISE in parallel, building it out from scratch, learning how it works and implementing new clean policies as you build out.

Arne Bier
VIP Advisor

As @Jason Kunst mentioned, the configuration will be identical on all ISE nodes. Not sure why you want a PSN to have its own set of policy sets, unless the rules are so complex that it makes sense to dedicate a platform just for a specific use case. In that case you'd need a PAN/PSN combo for each specific Policy Set grouping. Hard to maintain (no single pane (or 'pain') of glass) and more expensive due to extra licenses.

Not sure what business case you're trying to solve.

Sounds to me like they need to consolidate the access control logic to see whether they can simplify things.

5 REPLIES

Thank you Arne. My client currently has 5 ACS deployments that are totally isolated from each other. They have a very specific set of policies for each ACS deployment.

Because of ISE scalability, they thought of consolidating all the ACS sets into a single ISE deployment, meaning all the policies from the 5 ACS deployments would be migrated to the same PAN and then pushed to all the PSNs.

However, they are still looking at compartmentalizing their policy sets for the various previous ACS admins on the same PAN. Like they would access ISE and easily find their way (policies) on the PAN and only the PSNs that will handle these policies.

For example, the ACS1 admin can access the PAN, but only their rules and PSNs. Hope that makes sense.
I would recommend setting up ISE 2.4 and getting familiar with the UI. Perhaps you can separate policy sets depending on NADs and assign RBAC depending on that.
Damien Miller
VIP Advisor

Samuel, I would like to recommend ISE as a service to you, but it doesn't exist; the acronym was already taken by Infrastructure as a Service.

Joking aside, this sounds like it would be a great use case for an MSP-style ISE, where ISE is compartmentalized like VDCs on Nexus, or cPanel in the web hosting world. An overall admin view, then unique containers of ISE running on the same nodes.

I did run into a situation where this would have been helpful. I have found it hard to mix large ACS/TACACS environments in with RADIUS and TrustSec deployments. We ended up deploying a separate TACACS ISE simply because the NAD and admin structure was too different.