03-03-2023 11:44 AM
Hello,
Is it possible to point traffic to a specific PSN in a deployment for specific endpoint profile.
e.g
Windows machine -> PSN01
Linux machine -> PSN02
03-03-2023 11:49 AM
You can do that, but before we go deep into that, what is the goal here, and do you understand the failures if you lose PSN01 or 02? Are you OK to take the bullet? Why not deploy high availability and get the most out of ISE?
03-03-2023 12:13 PM
Yes I can go in details here.
So the above was just an example. We have 2 PSNs in the deployment which are bound to a specific new CA for EAP-TLS, so redundancy is there. We also have a legacy device type which is currently bound to a legacy CA for EAP-TLS. We want to move the legacy CA PKI to a third PSN node which we will add to the deployment. Let's just say we can't have the legacy device work with the new CA. So when a legacy device is plugged into the NAD we want to redirect it to the 3rd PSN for EAP-TLS. We don't care about redundancy for the legacy devices, so just one PSN, which is the 3rd PSN, is fine.
03-03-2023 04:11 PM
No, you won't be able to do this. The network device handing the RADIUS authentication between the endpoint and ISE is not going to be able to steer authentication like this.
03-04-2023 03:20 AM
Using the profile editor, can you not assign a primary and secondary PSN for each node?
In the switch itself you list the RADIUS or TACACS servers in the order in which you want them to be accessed. We had 3: one for the corp office and two for each DC. Remote users were sent to DC1 first. Corp users were sent to the corp server and then DC1.
This was in ISE 2.6
03-05-2023 12:22 PM
RADIUS servers don't have a concept of Primary, Secondary, Tertiary. If an ISE Node has Services enabled, then it gets programmed the same way as all other Services Nodes. It's just a donkey, waiting for a NAS to send it some Access-Requests. The NAS is the one that decides where the RADIUS requests go. And the NAS is also responsible for the RADIUS HA.
I don't understand the use case.
03-05-2023 01:06 PM
03-06-2023 06:35 PM
@sim_bambrah If you may find some unique characteristics (e.g. some RADIUS user-name pattern) in the RADIUS requests from the legacy clients, then you may have the 3rd PSN by itself and define it as a RADIUS server and into a RADIUS server sequence in the existing ISE deployment and use the unique characteristics as the conditions to proxy the RADIUS requests to this 3rd PSN.
If they can be wireless, then just create a separate WLAN that uses the 3rd PSN.
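The suggestion above hinges on finding a "unique characteristic" in the legacy clients' Access-Requests and using it as the condition that steers them to the third PSN. The following Python script is an added example, not code from any poster or from Cisco ISE: it parses a RADIUS Access-Request (RFC 2865 header and attribute-value pairs), pulls out the User-Name, and applies a constructed condition to decide which RADIUS target the request should be forwarded to. The `@legacy.example.com` suffix, the target labels `PSN03-LEGACY` and `PSN01-02-SEQUENCE`, and the sample packets are all assumptions for the demo; in a real deployment the equivalent condition lives in the ISE policy that selects the RADIUS server sequence, and the parsing is done by ISE itself.

```python
import re
import struct

# RADIUS constants from RFC 2865
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_CALLING_STATION_ID = 31
ATTR_NAS_PORT_TYPE = 61  # integer; 15 = Ethernet, 19 = Wireless-802.11

# Hypothetical steering condition (assumption for this demo): the identity the
# legacy clients present as User-Name ends with the legacy CA's domain suffix.
LEGACY_USERNAME_PATTERN = re.compile(r"@legacy\.example\.com$", re.IGNORECASE)


def build_access_request(identifier, attrs):
    """Construct a minimal Access-Request for the demo (sample data, not a capture).

    attrs is a list of (type, value); int values are encoded as 4-byte big-endian
    integers, str values as UTF-8, bytes are used as-is."""
    body = b""
    for atype, value in attrs:
        if isinstance(value, int):
            value = struct.pack("!I", value)
        elif isinstance(value, str):
            value = value.encode()
        if len(value) > 253:
            raise ValueError("attribute value too long")
        body += struct.pack("!BB", atype, len(value) + 2) + value
    authenticator = bytes(16)  # zeroed: the Request Authenticator plays no role here
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + authenticator + body


def parse_radius(packet):
    """Return (code, identifier, [(type, raw_value), ...]) or raise ValueError."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs = []
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, identifier, attrs


def is_well_formed(packet):
    """Convenience wrapper: True when parse_radius accepts the packet."""
    try:
        parse_radius(packet)
        return True
    except ValueError:
        return False


def choose_target(packet):
    """Decide which RADIUS target an incoming request should go to.

    Mirrors the idea of a policy condition selecting a RADIUS server sequence:
    legacy identities go to the standalone third PSN, everything else to the
    redundant pair. Non-Access-Request codes are not forwarded."""
    code, _, attrs = parse_radius(packet)
    if code != ACCESS_REQUEST:
        return "DROP"
    user_name = next((v.decode(errors="replace") for t, v in attrs if t == ATTR_USER_NAME), "")
    if LEGACY_USERNAME_PATTERN.search(user_name):
        return "PSN03-LEGACY"
    return "PSN01-02-SEQUENCE"


if __name__ == "__main__":
    # Constructed sample requests: one legacy wired device, one current wireless client
    legacy = build_access_request(7, [
        (ATTR_USER_NAME, "host/printer42@legacy.example.com"),
        (ATTR_NAS_IP_ADDRESS, bytes([10, 0, 0, 1])),
        (ATTR_NAS_PORT_TYPE, 15),
    ])
    current = build_access_request(8, [
        (ATTR_USER_NAME, "host/laptop-0042@corp.example.com"),
        (ATTR_CALLING_STATION_ID, "AA-BB-CC-DD-EE-FF"),
        (ATTR_NAS_PORT_TYPE, 19),
    ])
    for pkt in (legacy, current):
        print(choose_target(pkt))
```

The parser rejects a length field that overruns the datagram and an attribute whose declared length runs past the packet, which is the kind of check any RADIUS front end needs before it inspects attributes to make a routing decision; a request that fails parsing is never forwarded.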