Cisco ISE Cloud Hosted

Sw000976
Level 1

My environment is pretty scattered and involves many different venues around the world. Before, there were attempts to use Viptela, and someone started phasing that out, then went to IPsec tunnels all over the place with Palo firewalls. Sometimes the tunnels are up, sometimes they are down. I need to get my devices tied into central auth. I was thinking I can host ISE in Azure and use public-side IPs for TACACS. Has anyone ever done this?

2 Replies

Arne Bier
VIP

I don't know if sending TACACS+ (TCP/49) over the internet is a good idea. Can't say for sure, but the next ISE version may have TACACS over TLS support. Of course, your NAD devices will need to support their end of the TLS connection. Cisco has been submitting drafts to the Standards bodies since 2022 - latest one mentioned here.

I'm concerned that your WAN sounds so unstable - why?

If you have a halfway stable WAN, you can support global sites with one pair of TACACS servers in one main location. WAN latency varies of course. The TACACS+ protocol RTT of a few hundred ms is not a problem. But if those connections are not stable (as you mentioned) then TACACS will be a horrible intermittent experience.
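Before centralizing auth on one pair of servers, it is worth measuring the WAN from a remote site the way the reply above describes it: a few hundred ms of RTT is fine, intermittent connect failures are not. The probe and classifier below are an added example for this thread, not code from Cisco or from the posters; the thresholds and the placeholder host are assumptions.

```python
import socket
import time
from dataclasses import dataclass
from statistics import median

TACACS_PORT = 49  # TACACS+ listens on TCP/49, as noted in the reply above


@dataclass
class Probe:
    ok: bool
    rtt_ms: float  # TCP connect time; inf when the connect failed


def tcp_connect_probe(host: str, port: int = TACACS_PORT, timeout: float = 2.0) -> Probe:
    """Open and immediately close a TCP connection to the ISE node, timing the handshake."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return Probe(True, (time.monotonic() - start) * 1000.0)
    except OSError:
        return Probe(False, float("inf"))


def collect(host: str, count: int = 20, interval: float = 1.0) -> list[Probe]:
    """Take `count` probes spaced `interval` seconds apart (run this from the NAD's site)."""
    samples = []
    for _ in range(count):
        samples.append(tcp_connect_probe(host))
        time.sleep(interval)
    return samples


def assess(samples: list[Probe], max_rtt_ms: float = 500.0, max_fail_ratio: float = 0.05) -> str:
    """Classify the link: a few hundred ms of RTT is tolerable, but a meaningful
    share of failed connects means intermittent TACACS+. Thresholds are assumptions."""
    if not samples:
        return "no-data"
    fails = sum(1 for s in samples if not s.ok)
    if fails / len(samples) > max_fail_ratio:
        return "unstable"  # drops hurt far more than latency does
    if median(s.rtt_ms for s in samples if s.ok) > max_rtt_ms:
        return "slow"
    return "ok"


# Constructed samples standing in for a real probe run, so the block runs offline.
DEMO_SAMPLES = [Probe(True, 240.0)] * 18 + [Probe(False, float("inf"))] * 2

if __name__ == "__main__":
    # For a live check: assess(collect("ise-placeholder.example.net"))
    print(assess(DEMO_SAMPLES))  # prints "unstable": 2 of 20 connects failed
```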


These are other orgs' sites that we just have POS systems in, so we use their network most times and their ISP transport, so it's a little out of our hands with WAN transports.