Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
787
Views
5
Helpful
2
Replies

Cisco ISE - Branch extension

Go to solution
Suresh Varghese
Level 1
Level 1

‎02-10-2020 10:02 PM

Hello.,

with regards to Cisco ISE, if in setup and configure the same in my HQ office, will i be able to extend and enforce all policies and profiling details, configured on my HQ appliance, to my branch offices who are connected to HQ over IPSec S2S VPN.

 

FYI...i have not yet configured ISE on my network, its a new setup.

 

My BOQ consists of ISE VM small, Base+Apex+Plus+AnyConnect Term Licenses.

Appreciate your feedback in advance.

many thanks

SV

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Damien Miller
VIP Alumni
VIP Alumni

‎02-10-2020 10:45 PM

Yes, ISE leverages the radius standard to provide authentication services such as 802.1x on network devices. The question is less about if ISE can do it (it can), but if the network devices support authentication. If you have enterprise switch/wlc models at the remote branch they would proxy the client authentication. When planning for a multi site deployment, you need to keep the round trip time in mind, any radius authentication time out value need to account for the round trip. The timeout is often 5-10 seconds to avoid issues with the rtt and authentication external directory latency.

One piece though that you should keep in mind, if you only have a single VM, you have no HA in your authentication services. It will still work, but patching, upgrading, or a node failure would cause an authentication outage.

So no problem for ISE itself to be leveraged in this scenario, it's very common.

View solution in original post

2 Replies 2

Go to solution
Damien Miller
VIP Alumni
VIP Alumni

‎02-10-2020 10:45 PM

Yes, ISE leverages the radius standard to provide authentication services such as 802.1x on network devices. The question is less about if ISE can do it (it can), but if the network devices support authentication. If you have enterprise switch/wlc models at the remote branch they would proxy the client authentication. When planning for a multi site deployment, you need to keep the round trip time in mind, any radius authentication time out value need to account for the round trip. The timeout is often 5-10 seconds to avoid issues with the rtt and authentication external directory latency.

One piece though that you should keep in mind, if you only have a single VM, you have no HA in your authentication services. It will still work, but patching, upgrading, or a node failure would cause an authentication outage.

So no problem for ISE itself to be leveraged in this scenario, it's very common.

Go to solution
Suresh Varghese
Level 1
Level 1
In response to Damien Miller

‎02-10-2020 10:57 PM

Hello Damien

 

Thank you for the response.

 

Basically all services are provided to branch offices from HQ

Branch office only consist of endpoint connected to access switches and from access switch to ASA - IPsec s2s - to HQ

branch offices also have access points in them but are configured on H-REAP mode (FlexConnect)  registered to HQ-WLC

And i have HA for the ISE VM appliances, made sure i had that.

That was FYI just so that you are aware of the entire setup

 

So if i am right, my branch office do not need a separate appliance or any specific licensing to achieve both posturing and profiling policies configured on the the HQ ISE appliance.

 

best regards

SV

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents