cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
947
Views
0
Helpful
6
Replies

Can deploy Cisco ISE 2 Cluster for VPN GW

jewfcb001
Participant
Participant

Hi All , 

I have plan to deploy Cisco ISE 2 Cluster and 2 Cluster  but configuration and internal user  it's same .

In Case Cisco ISE Clustuer-1 or Cluster 2  Fail All  , I'm not sure I facing issue about session struck or accounting stuck or not ? The customer need to separate Group of Cisco ISE  

ise-3.JPG

1 ACCEPTED SOLUTION

Accepted Solutions

@jewfcb001 1 tunnel group pointing to 2 separate ISE clusters, that's not really a great idea in my opinion. You'd have to configure both ISE clusters independantly and there are chances of misconfiguration on one ISE cluster but not the other.

 

You could do what you suggested, but configuring the VPN gateway to authentication to 1 ISE cluster with 2 (or more) PSN nodes should be sufficient.

View solution in original post

6 REPLIES 6

Rob Ingram
VIP Expert VIP Expert
VIP Expert

@jewfcb001 I'm not really sure of the question here, but you can configure the VPN GW (either ASA or FTD) to use ISE cluster for aaa. If you have different ASA/FTD connection profiles/tunnels groups you could point these to different ISE clusters.

@Rob Ingram 

 

Hi Rob . I mean  if I have tunnel-group and point to 4 ISE  (ISE 1.1.1.1 and 1.1.1.2 same cluster) and (ISE 2.1.1.1 and 2.1.1.2 same cluster) Incase ISE 1.1.1.1 and ISE 1.1.1.2 down . Can VPN gateway authentication to ise cluster-2 and do you have concern with my scenario ? 

example

aaa-server ISE protocol radius
aaa-server ISE (inside) host 1.1.1.1
aaa-server ISE (inside) host 1.1.1.2

aaa-server ISE (inside) host 2.1.1.1

aaa-server ISE (inside) host 2.1.1.2

@jewfcb001 1 tunnel group pointing to 2 separate ISE clusters, that's not really a great idea in my opinion. You'd have to configure both ISE clusters independantly and there are chances of misconfiguration on one ISE cluster but not the other.

 

You could do what you suggested, but configuring the VPN gateway to authentication to 1 ISE cluster with 2 (or more) PSN nodes should be sufficient.

@Rob Ingram 

Thank you for your information . I accept with you recommend but I get requirement from the customer . I don't understand this scenario from the customer. About misconfiguration on one ISE cluster i try to tell the customer . He understand for this . 

But if this scenario I can do but have any concern i will let him know.

balaji.bandi
VIP Guru VIP Guru
VIP Guru

as mentioned other post we are not clear what is the issue or what you trying to achive here :

 

look some deployment guide can help you :

 

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/install_guide/b_ise_InstallationGuide24/b_ise_InstallationGuide24_chapter_00.html

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

@balaji.bandi 

Hi balaji , 

 

as i explain Rob above . Can VPN gateway authentication to ise cluster-2  incase ise 1.1.1.1 and ise 1.1.1.2 down. ?

example

aaa-server ISE protocol radius
aaa-server ISE (inside) host 1.1.1.1
aaa-server ISE (inside) host 1.1.1.2

aaa-server ISE (inside) host 2.1.1.1

aaa-server ISE (inside) host 2.1.1.2

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: