
Cisco ISE - Deployment question

hervej
Level 1

Hello,

I have a small question about the deployment of Cisco ISE.

Actually we are running a cluster of 2 members, each hosting PAN-MnT-PSN.

We want to extend the ISE functions to our "industrial network" separated by a DMZ.

To limit the traffic between the 2 zones, I would like to add one (or 2 for redundancy) server running only the PSN service.

Is this kind of deployment allowed and supported by TAC? If yes, do I need a full ISE license, or are there licenses to only run specific services of ISE?

Thanks for your help.

Herve

2 Accepted Solutions


You will need to move to the Medium deployment as mentioned here: https://www.cisco.com/c/en/us/td/docs/security/ise/performance_and_scalability/b_ise_perf_and_scale.html#Cisco_Concept.dita_67b428f0-2240-4383-bd49-5eb7a7b98a35

You will need the following to remain in a supported Topology:

  • PAN + MnT
  • PAN + MnT
  • PSN
  • PSN
  • DMZ
    • PSN
    • PSN


rschlayer
Level 4

For any additional PSN you deploy (if virtual) you need to get a VM License (either VMS or VMC - see ordering guide).
It is not supported to go with 2x PSN, and 2x PSN,PAN,MNT. You need a medium deployment with separate PSN nodes from your PAN/MNT nodes.
See here: https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/guide-c07-656177.html

BG
Rick


6 Replies


hervej
Level 1

Other question, does ISE support this:

OT network      DMZ OT/IT       IT Network
LDAP            2x PSN          2x PAN/MNT
                                2x PSN
                                LDAP

or

OT network      DMZ OT/IT       IT Network
LDAP            2x PAN/MNT      2x PSN
2x PSN                          LDAP

Does the PAN server need to contact LDAP in both zones (OT/IT), or do just the PSNs need to contact it?


Assuming LDAP means AD? Then it's best practice to have all ISE nodes joined to the domain so you can do RBAC login to ISE using AD. If LDAP will strictly be for network authentication only (not AD or used for ISE admin login), then only the PSNs will need to talk to the LDAP server.

Indeed I mean AD and it's a different domain in IT and OT.

What would be the best practice in this case, as we are using RBAC on the IT side?

PAN/MnT servers installed in the DMZ (able to reach AD on both sides), PSNs in the OT and IT zones reaching their "local" AD?

You should integrate all ISE nodes with both ADs. Properly configured AD Sites and Services would allow the ISE nodes to contact their local domain controllers.