06-05-2023 10:35 PM
We're about to deploy Cisco DNAC, ISE, and WLC across four sites, and we would love to tap into the collective knowledge of this amazing community to gather suggestions and tips for enhancing our architecture.
Here's a brief overview of our deployment plan:
Scope: Total 4 sites (1 HQ and 3 remote)
DNAC Cluster: We will have a DNAC cluster with three nodes located at our headquarters, ensuring high availability and redundancy.
WLCs and PSNs: Each site will have two Wireless LAN Controllers (WLCs) and two Policy Services Nodes (PSNs) to handle wireless connectivity and authentication.
ISE PAN and MNT: At our headquarters, we plan to host ISE Primary Administration Node (PAN) and Monitoring (MNT) nodes for centralized management and monitoring.
Integration with DNAC: We're integrating the PAN node with DNAC using PxGrid to leverage the capabilities of both platforms.
Site Details:
Each site consists of Catalyst 50+ switches, 300+ Catalyst Wi-Fi 6 WAPs, and 2000+ users.
HQ and Remote Sites are connected through the S2S VPN.
We are working with a partner who will assist us with the design and deployment, but I firmly believe in the power of community knowledge.
I kindly request your suggestions, tips, and best practices.
06-06-2023 12:19 AM
@techno.it sounds like a good project; overall the deployment looks fine. I'd ensure you deploy using the Cisco recommended major version and patch for ISE, WLC, switches, etc.
Even though it's not an SDA deployment you can still use TrustSec SGTs; possibly consider deploying strategically, perhaps at the access layer to prevent lateral movement. Depending on your firewalls, consider integrating with them using pxGrid to exchange IP/user/SGT (if using) bindings.
Consider using EAP Chaining with TEAP on supported devices, and EAP-TLS on devices that don't support it. For headless devices (printers, CCTV cameras, IP phones, etc.) attempt to authenticate these devices using 802.1X where possible, and MAB + profiling if you must.
06-06-2023 06:23 AM
Thank you @Rob Ingram for the valuable inputs. I require clarification on certain aspects.
06-06-2023 06:33 AM
pxGrid could be enabled on any node - https://www.cisco.com/c/en/us/td/docs/security/ise/performance_and_scalability/b_ise_perf_and_scale.html
Maximum latency is 300ms.
No reason why domain-joined workstations can be authenticated using TEAP (assuming W10 build 2004 or newer). IoT devices are slightly harder; it depends what is supported. Most decent printer manufacturers will support 802.1X to some extent, and Cisco IP Phones and APs certainly support 802.1X: you can use a built-in MIC (Manufacturer Installed Certificate) or issue your own. CCTV and HVAC would be harder and need investigation. If they do not support 802.1X, use MAB, group the MAC addresses of those types of devices, and permit access.
Rollout in monitor mode, so if authentications fail the devices still get access.
https://community.cisco.com/t5/security-knowledge-base/segmentation-strategy/ta-p/3757424
If the Firewalls are integrated with ISE, at a minimum you get a username associated in the firewall logs. You can go further and permit access based on AD group membership or if using TrustSec SGTs then permit or deny access based on the SGT.
06-06-2023 07:46 AM
Hi @Rob Ingram
06-06-2023 08:03 AM - edited 06-06-2023 08:09 AM
pxGrid v2 (WebSocket) does not use much CPU as it is simply forwarding the published messages to subscribers. On the other hand, pxGrid v1 (XMPP) uses a bit more CPU in XML processing. Every subscriber adds XML processing.
The bottom line is that if the subscribers are mainly pxGrid v2, then it can run on any node.
This document describes how to integrate the Cisco Identity Services Engine (ISE) ecosystem with some partners. Always consult with the partner for the latest documentation about their products.
EAP Chaining of User + Machine authentications using TEAP with TLS (preferably) or MSCHAPv2.
06-09-2023 04:27 AM
If we're not deploying SDA, how would the host onboarding work?
06-20-2023 02:48 PM
Consider watching/reading the existing Cisco Live sessions on ISE and SDA @ https://cs.co/ise-training
06-23-2023 08:15 PM
@techno.it Adding to what others have said, check these out: