aslam.bajwa
Participant

Cisco ISE FlexConnect APs Backup Radius ISE Policy Server

Hi All,

We are deploying Cisco ISE FlexConnect on a distributed ISE deployment. Each remote location has an ISE Policy Server, and the main site has PAN, PSN and MnT. In case the wireless controller at the main site is down, can we configure the remote ISE Policy Server as backup RADIUS on the remote FlexConnect APs?

If yes, will this scenario give all ISE features like Posture, etc.?

Accepted Solution
Arne Bier
VIP Advisor

Hi @aslam.bajwa 

 

You are mixing some terminology - the term FlexConnect is used in the context of Cisco wireless where an AP can be managed centrally, but have a flexible mix of SSID data traversing the CAPWAP tunnel back to the controller, and/or data terminating locally on the AP switch port.

If each site has an ISE PSN then you have a great solution for local RADIUS redundancy. But you say, if the local WLC in the central location is down, then the APs in FlexConnect will have an issue. In a production environment you should always have redundancy for your WLAN as well - in that case, either the central WLC is in SSO mode (HA) or you have another WLC that has identical configuration, and the APs will join that one. 

As far as RADIUS redundancy is concerned, whatever ISE node you have available, you can enable services on them. E.g., if you have an ISE node that only does PAN/MnT (and no Services enabled) then you cannot use that node to process RADIUS. If you wanted to use that node, then you simply enable Services and configure your WLC (RADIUS client) to use that IP address. But be advised that Cisco has a reason for separating out PAN, MnT, Services, etc. - it's for scalability. But in reality, in most SMB environments you can run everything in one server. I have seen large organisations run an entire country's retail on two SNS-3595 servers - it works just fine. But it depends on the load you're putting on the servers.

But more importantly, design it in such a way that you can take one ISE node out of service, and your WLCs choose another PSN to process the requests. That allows you to schedule patching/maintenance without user impact.

 

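As an added illustration of the PSN redundancy described in the answer (example configuration written for this page, not taken from the thread or from Cisco documentation), the AireOS WLC CLI below registers the remote-site PSN and a central PSN as RADIUS authentication and accounting servers for one WLAN and enables active fallback probing, so the WLC marks a PSN dead when it is taken out for patching and returns to it once it answers again. IP addresses, the shared secret, the probe username and the WLAN ID are placeholders.

```cisco
! Added example, not from the thread. AireOS WLC CLI; addresses, secret and WLAN ID are placeholders.
! Index 1: remote-site PSN (preferred). Index 2: central PSN, used while index 1 is marked dead.
config radius auth add 1 192.0.2.10 1812 ascii PLACEHOLDER_SHARED_SECRET
config radius auth add 2 198.51.100.10 1812 ascii PLACEHOLDER_SHARED_SECRET
config radius auth enable 1
config radius auth enable 2
! Accounting to the same PSNs so session data still reaches MnT after a failover.
config radius acct add 1 192.0.2.10 1813 ascii PLACEHOLDER_SHARED_SECRET
config radius acct add 2 198.51.100.10 1813 ascii PLACEHOLDER_SHARED_SECRET
config radius acct enable 1
config radius acct enable 2
! Active fallback: probe a dead server with a test user every 300 s and move back to the
! preferred PSN as soon as it responds (an Access-Reject is enough to mark it alive).
config radius fallback-test mode active
config radius fallback-test username radius-probe
config radius fallback-test interval 300
! Bind both servers, in order, to the employee WLAN (WLAN ID 1 assumed). Changing the
! server list requires the WLAN to be disabled first.
config wlan disable 1
config wlan radius_server auth add 1 1
config wlan radius_server auth add 1 2
config wlan radius_server acct add 1 1
config wlan radius_server acct add 1 2
config wlan enable 1
! Verification after taking PSN 1 out of service: server state and per-server request counters.
show radius summary
show radius auth statistics
```

The probe username only needs to be something the PSN answers; it does not have to be a valid account, though it will show up in ISE live logs, so name it recognisably.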
