03-16-2022 03:10 AM
Hi All,
I have a plan to deploy Cisco ISE 2 Cluster and 2 Cluster, but the configuration and internal users are the same.
In case Cisco ISE Cluster-1 or Cluster-2 fails completely, I'm not sure whether I will face issues with sessions stuck or accounting stuck or not. The customer needs to separate the groups of Cisco ISE.
Labels: AAA, Identity Services Engine (ISE), VPN
Accepted Solutions
03-16-2022 03:55 AM
@jewfcb001 1 tunnel group pointing to 2 separate ISE clusters, that's not really a great idea in my opinion. You'd have to configure both ISE clusters independently and there are chances of misconfiguration on one ISE cluster but not the other.
You could do what you suggested, but configuring the VPN gateway to authenticate to 1 ISE cluster with 2 (or more) PSN nodes should be sufficient.
03-16-2022 03:35 AM
@jewfcb001 I'm not really sure of the question here, but you can configure the VPN GW (either ASA or FTD) to use an ISE cluster for AAA. If you have different ASA/FTD connection profiles/tunnel groups you could point these to different ISE clusters.
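The per-connection-profile layout described in the reply above, written out as ASA configuration. This is an added example, not part of the original thread: the server-group and tunnel-group names are hypothetical, `<shared-secret>` is a placeholder, the timer values are illustrative, and the host addresses are the ones used elsewhere in the thread.

```cisco
! Added example. Names ISE-CLUSTER1/2 and VPN-PROFILE-A/B are hypothetical.
! One RADIUS server group per ISE cluster, holding only that cluster's PSNs.
aaa-server ISE-CLUSTER1 protocol radius
 ! depletion: a failed server stays out of use until every server in the
 ! group has failed; all are re-enabled after the deadtime (minutes).
 reactivation-mode depletion deadtime 5
 ! unanswered attempts to a server before the ASA moves to the next one
 max-failed-attempts 3
aaa-server ISE-CLUSTER1 (inside) host 1.1.1.1
 key <shared-secret>
aaa-server ISE-CLUSTER1 (inside) host 1.1.1.2
 key <shared-secret>
!
aaa-server ISE-CLUSTER2 protocol radius
 reactivation-mode depletion deadtime 5
 max-failed-attempts 3
aaa-server ISE-CLUSTER2 (inside) host 2.1.1.1
 key <shared-secret>
aaa-server ISE-CLUSTER2 (inside) host 2.1.1.2
 key <shared-secret>
!
! Each connection profile authenticates and accounts against one cluster,
! so accounting for a session goes to the cluster that authenticated it.
tunnel-group VPN-PROFILE-A type remote-access
tunnel-group VPN-PROFILE-A general-attributes
 authentication-server-group ISE-CLUSTER1
 accounting-server-group ISE-CLUSTER1
!
tunnel-group VPN-PROFILE-B type remote-access
tunnel-group VPN-PROFILE-B general-attributes
 authentication-server-group ISE-CLUSTER2
 accounting-server-group ISE-CLUSTER2
```

Within a server group the ASA tries hosts in the order they are configured, so each profile falls back from the first PSN to the second inside its own cluster; `show aaa-server` reports which hosts are currently marked active or failed.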
03-16-2022 03:50 AM
Hi Rob. I mean, if I have a tunnel-group that points to 4 ISE nodes (ISE 1.1.1.1 and 1.1.1.2 in the same cluster) and (ISE 2.1.1.1 and 2.1.1.2 in the same cluster), in case ISE 1.1.1.1 and ISE 1.1.1.2 are down, can the VPN gateway authenticate to ISE cluster-2, and do you have any concerns with my scenario?
Example:
aaa-server ISE protocol radius
aaa-server ISE (inside) host 1.1.1.1
aaa-server ISE (inside) host 1.1.1.2
aaa-server ISE (inside) host 2.1.1.1
aaa-server ISE (inside) host 2.1.1.2
03-16-2022 04:03 AM
Thank you for your information. I accept your recommendation, but I got this requirement from the customer. I don't understand this scenario from the customer. About misconfiguration on one ISE cluster, I tried to tell the customer. He understands this.
But if I can do this scenario and there are any concerns, I will let him know.
03-16-2022 03:48 AM
As mentioned in the other post, we are not clear what the issue is or what you are trying to achieve here:
Look at some deployment guides that can help you:
03-16-2022 03:53 AM
Hi balaji,
As I explained to Rob above: can the VPN gateway authenticate to ISE cluster-2 in case ISE 1.1.1.1 and ISE 1.1.1.2 are down?
Example:
aaa-server ISE protocol radius
aaa-server ISE (inside) host 1.1.1.1
aaa-server ISE (inside) host 1.1.1.2
aaa-server ISE (inside) host 2.1.1.1
aaa-server ISE (inside) host 2.1.1.2
