cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1006
Views
5
Helpful
2
Replies

Cisco ISE - Branch extension

Suresh Varghese
Level 1
Level 1

Hello.,

with regards to Cisco ISE, if in setup and configure the same in my HQ office, will i be able to extend and enforce all policies and profiling details, configured on my HQ appliance, to my branch offices who are connected to HQ over IPSec S2S VPN.

 

FYI...i have not yet configured ISE on my network, its a new setup.

 

My BOQ consists of ISE VM small, Base+Apex+Plus+AnyConnect Term Licenses.

Appreciate your feedback in advance.

many thanks

SV

1 Accepted Solution

Accepted Solutions

Damien Miller
VIP Alumni
VIP Alumni
Yes, ISE leverages the radius standard to provide authentication services such as 802.1x on network devices. The question is less about if ISE can do it (it can), but if the network devices support authentication. If you have enterprise switch/wlc models at the remote branch they would proxy the client authentication. When planning for a multi site deployment, you need to keep the round trip time in mind, any radius authentication time out value need to account for the round trip. The timeout is often 5-10 seconds to avoid issues with the rtt and authentication external directory latency.

One piece though that you should keep in mind, if you only have a single VM, you have no HA in your authentication services. It will still work, but patching, upgrading, or a node failure would cause an authentication outage.

So no problem for ISE itself to be leveraged in this scenario, it's very common.

View solution in original post

2 Replies 2

Damien Miller
VIP Alumni
VIP Alumni
Yes, ISE leverages the radius standard to provide authentication services such as 802.1x on network devices. The question is less about if ISE can do it (it can), but if the network devices support authentication. If you have enterprise switch/wlc models at the remote branch they would proxy the client authentication. When planning for a multi site deployment, you need to keep the round trip time in mind, any radius authentication time out value need to account for the round trip. The timeout is often 5-10 seconds to avoid issues with the rtt and authentication external directory latency.

One piece though that you should keep in mind, if you only have a single VM, you have no HA in your authentication services. It will still work, but patching, upgrading, or a node failure would cause an authentication outage.

So no problem for ISE itself to be leveraged in this scenario, it's very common.

Hello Damien

 

Thank you for the response.

 

Basically all services are provided to branch offices from HQ

Branch office only consist of endpoint connected to access switches and from access switch to ASA - IPsec s2s - to HQ

branch offices also have access points in them but are configured on H-REAP mode (FlexConnect)  registered to HQ-WLC

And i have HA for the ISE VM appliances, made sure i had that.

That was FYI just so that you are aware of the entire setup

 

So if i am right, my branch office do not need a separate appliance or any specific licensing to achieve both posturing and profiling policies configured on the the HQ ISE appliance.

 

best regards

SV