cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1869
Views
3
Helpful
8
Replies

Cisco DNAC, ISE, and WLC Deployment without SDA

techno.it
Level 1
Level 1

We're about to deploy Cisco DNAC, ISE, and WLC across four sites, and we would love to tap into the collective knowledge of this amazing community to gather suggestions and tips for enhancing our architecture.

Here's a brief overview of our deployment plan:

Scope: Total 4 sites (1 HQ and 3 remote)
DNAC Cluster: We will have a DNAC cluster with three nodes located at our headquarters, ensuring high availability and redundancy.
WLCs and PSNs: Each site will have two Wireless LAN Controllers (WLCs) and two Policy Services Nodes (PSNs) to handle wireless connectivity and authentication.
ISE PAN and MNT: At our headquarters, we plan to host ISE Primary Administration Node (PAN) and Monitoring (MNT) nodes for centralized management and monitoring.
Integration with DNAC: We're integrating the PAN node with DNAC using PxGrid to leverage the capabilities of both platforms.

Site Details:

Each site consists of Catalyst 50+ switches, 300+ Catalyst Wi-Fi 6 WAPs, and 2000+ users.
HQ and Remote Sites are connected through the S2S VPN.

We are working with a partner who will assist us with the design and deployment, but I firmly believe in the power of community knowledge.

I kindly request your suggestions, tips, and best practices

8 Replies 8

@techno.it sounds like a good project, overall the deployment looks fine. I'd ensure you deploy using the cisco recommended major version and patch for ISE, WLC, switches etc.

Even though it's not a SDA deployment you can still use TrustSec SGT, possibly consider deploying strategically, perhaps at the access layer to prevent lateral movement. Depending on your firewalls, consider integrating with them using pxgrid to exchange IP/user/SGT (if using) bindings.

Consider using EAP Chaining with TEAP on supported devices, EAP-TLS on devices that don't. For headless devices (printers, CCTV cameras, IP Phones etc) attempt to authenticate these devices using 802.1X where possible, MAB + profiling if you must.

techno.it
Level 1
Level 1

Thank you @Rob Ingram for valuable inputs. Require clarification on certain aspects.

  • Is it possible to utilize PAN or MNT nodes as an alternative because we don't have additional nodes for PxGrid.
  • Latency is 20-30ms between HQ and Remote sites as they are within same geographical country.
  • What is the most optimal and recommended method for authenticating endpoints on ISE for both wired and wireless connections, encompassing various types of devices such as Domain Joined workstations, IoT devices (e.g., printers, CCTV, access control, HVAC), and Guest Wireless?
  • We have parent and child active domain architecture, how would the integration of ISE fit into this design, particularly when PSN is deployed at each site?
  • What approach is advised for gradually implementing authentication on the network to minimize any potential disruptions to business operations?
  • We intend to implement TrustSec. What would be the most suitable and effective approach for accomplishing this objective? Furthermore, which specific use cases should be considered to derive the greatest benefits from TrustSec (SGT) implementation?
  • I wonder how firewalls (Cisco, PA & Sophos UTM/XG) it can be integrated with TrustSec SGTs and what advantages this integration would offer.

 

 

@techno.it 

pxGrid could be enabled on any node - https://www.cisco.com/c/en/us/td/docs/security/ise/performance_and_scalability/b_ise_perf_and_scale.html

Maximum latenecy is 300ms

No reason why domain joined workstations can be authenticated using TEAP (assuming W10 build 2004 or newer). IoT devices are slightly harder, it depends what is supported. Most decent printer manufacturer will support 802.1X to some extent, Cisco IP Phones and APs certainly support 802.1X, you can use a builtin MIC (Manufacturer Integrated Certificate) or issue your own. CCTV, HVAC would be harder and need investigation. If they do not support 802.1X, use MAB and group the MAC addresses of those types of devices and permit access.

Rollout in monitor mode, so if authentications fail the devices still get access.

https://community.cisco.com/t5/security-knowledge-base/segmentation-strategy/ta-p/3757424

If the Firewalls are integrated with ISE, at a minimum you get a username associated in the firewall logs. You can go further and permit access based on AD group membership or if using TrustSec SGTs then permit or deny access based on the SGT.

 

techno.it
Level 1
Level 1

Hi @Rob Ingram 

  • I believe if the PAN and MNT are separate nodes, then PxGrid must also be deployed on separate nodes, with each node dedicated to a specific function.

https://www.cisco.com/c/en/us/td/docs/security/ise/performance_and_scalability/b_ise_perf_and_scale.html#:~:text=PAN%20(2)%2C%20MnT%20(2)%2C%20pxGrid%2C%20and%20PSNs%20on%20dedicated%20nodes.

  • Is there a comptability matrix which firewalls vendor can integrate with ISE for PxGrid Trustsec?
  • Machine + User is preferred or just Machine authentication with EAP-TLS or TEAP or PEAP ceriticates?

What are scaling considerings?

pxGrid v2 (WebSocket) does not use much CPU as it is simply forwarding the published messages to subscribers.  On the other hand, pxGrid v1 (XMPP) uses a bit more CPU in XML processing. Every subscriber adds XML processing. 

The bottom line is that if the subscribers are mainly pxGrid v2, then it can run on any node.

https://community.cisco.com/t5/security-knowledge-base/ise-pxgrid-general-information-amp-faq/ta-p/4174594#toc-hId--1583181075

This document describes how to integrate Cisco Identity Services Engine (ISE) ecosystem with some partners. Always consult with the partner for the latest documentation about their products.

https://community.cisco.com/t5/security-knowledge-base/cisco-ise-ecosystem-partner-integration-details/ta-p/3645572

https://community.cisco.com/t5/security-knowledge-base/ise-security-ecosystem-integration-guides/ta-p/4782363

EAP Chaining of User + Machine authentications using TEAP with TLS (preferrably) or MSCHAPv2.

techno.it
Level 1
Level 1

If we're not deploying SDA. How would the host onboarding work?

thomas
Cisco Employee
Cisco Employee

Consider watching/reading the existing Cisco Live sessions on ISE and SDA @ https://cs.co/ise-training