11-29-2023 09:02 AM
Hi All,
Looking for some design guides for an ISE deployment using Azure across multiple counties.
Any assistance would be appreciated.
Cheers,
11-29-2023 09:45 AM
11-29-2023 01:55 PM
If you're considering deploying ISE VMs in Azure, you should also be aware of this issue.
https://learn.microsoft.com/en-us/answers/questions/996062/azure-drops-my-udp-fragmentated-packets-when-they
I've been told that MS is now refusing to enable this feature for customers, which will break EAP-TLS due to the normal fragmentation that happens with the large payload required for certificates. MS suggests dropping the MTU to 1300 on the network devices as a workaround, but that may not be suitable for all environments (like Meraki or other cloud-managed devices).
I would highly recommend testing your use cases extensively before moving to Azure. If you have a hybrid cloud environment, you might also consider deploying ISE in AWS as they do not have this issue.
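The fragmentation problem described in the reply above, illustrated with an added example that is not from the original thread, from Cisco or from Microsoft: a Python check that reads the Framed-MTU a NAD advertises in its Access-Request, tests whether an EAP-TLS Access-Challenge would exceed a given path MTU (and so be IP-fragmented, which is what Azure drops), and computes the largest EAP fragment that still fits. All packets, attribute sizes and the 1496-byte certificate chunk are constructed sample values, not a real capture.

```python
import math
import struct

IPV4_HDR, UDP_HDR, RADIUS_HDR = 20, 8, 20
ATTR_FRAMED_MTU, ATTR_EAP_MESSAGE, ATTR_STATE, ATTR_MSG_AUTH = 12, 79, 24, 80
EAP_MSG_MAX = 253  # max value length of one RADIUS attribute, so EAP data spans several EAP-Message attributes

def build_radius(code, ident, attrs):
    """Assemble a RADIUS packet with a zeroed authenticator (constructed sample data, not a capture)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, RADIUS_HDR + len(body)) + bytes(16) + body

def parse_attrs(pkt):
    """Yield (type, value) pairs, stopping at the declared length or on a malformed attribute."""
    length = struct.unpack("!H", pkt[2:4])[0]
    pos = RADIUS_HDR
    while pos + 2 <= length:
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2 or pos + l > length:
            break
        yield t, pkt[pos + 2:pos + l]
        pos += l

def eap_attrs(eap_data):
    """Split one EAP message into the 253-byte EAP-Message attributes RADIUS requires."""
    return [(ATTR_EAP_MESSAGE, eap_data[i:i + EAP_MSG_MAX]) for i in range(0, len(eap_data), EAP_MSG_MAX)]

def framed_mtu(pkt):
    """Framed-MTU the NAD advertised in its Access-Request, or None if absent."""
    for t, v in parse_attrs(pkt):
        if t == ATTR_FRAMED_MTU and len(v) == 4:
            return struct.unpack("!I", v)[0]
    return None

def would_fragment(pkt, path_mtu):
    """True if the IPv4 datagram carrying this RADIUS packet exceeds path_mtu and must be fragmented."""
    return IPV4_HDR + UDP_HDR + struct.unpack("!H", pkt[2:4])[0] > path_mtu

def max_eap_fragment(path_mtu, other_attr_bytes):
    """Largest EAP payload per RADIUS packet that fits in path_mtu alongside other_attr_bytes of attributes."""
    budget = path_mtu - IPV4_HDR - UDP_HDR - RADIUS_HDR - other_attr_bytes
    return max((p for p in range(budget + 1) if p + 2 * math.ceil(p / EAP_MSG_MAX) <= budget), default=0)

# Constructed sample: State (18 bytes) and Message-Authenticator (16 bytes) ride along with the EAP-TLS data.
EXTRA = [(ATTR_STATE, bytes(18)), (ATTR_MSG_AUTH, bytes(16))]
EXTRA_BYTES = sum(len(v) + 2 for _, v in EXTRA)
REQUEST = build_radius(1, 1, [(ATTR_FRAMED_MTU, struct.pack("!I", 1500))] + EXTRA)
CHALLENGE = build_radius(11, 1, eap_attrs(bytes(1496)) + EXTRA)  # 1496-byte EAP-TLS chunk of the server cert chain
SAFE_CHALLENGE = build_radius(11, 2, eap_attrs(bytes(max_eap_fragment(1500, EXTRA_BYTES))) + EXTRA)
```

Running it shows the sample challenge becomes a 1594-byte datagram, over both a 1500 and a 1300 MTU, while an EAP fragment of 1402 bytes is the most that fits unfragmented at 1500 (1204 at 1300), which is the size relationship the Framed-MTU workaround relies on.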
12-08-2023 01:06 AM
Hi Greg,
Following on from your reply regarding EAP-TLS challenges using Azure (which, BTW, was very helpful):
I have 1 forest with 14 child domains spread across the globe. What would be the correct approach for ISE in this instance? Hybrid, with PAN, SPAN and M&T's in Azure and on-prem PSN VMs/appliances depending on client count per child domain?
Would this alter if we turned to Meraki cloud as opposed to traditional NAD placements? Would this approach then just be ISE cloud-based, with all personas in Azure?