Cisco ISE Small Deployment High Availability with a PSN

joandwifi
Level 1

Hi, I need help understanding something.

I currently have an implementation with two SNS3615 ISEs in the Data Center.
ISE01 => Admin, Monitoring, Policy Service (Persona) | PRI(A), SEC(M) (Roles) | Session, Profiler (Services)

ISE02 => Admin, Monitoring, Policy Service (Persona) | SEC(A), PRI(M) (Roles) | Session, Profiler (Services)

And for high availability, the customer is wanting to add a new ISE SNS3715 at a Branch (if the Data Center is unavailable, traffic or everything will work on the branch's ISE).

From a configuration point of view, it would go in as a PSN; however, I'm wondering what changes in the current configuration.

It wouldn't just be adding this PSN to the cluster, but there are details that I can't remember:

1 - Request management IP and FQDN
2 - Request a new certificate with the fqdn of this new ISE

In this implementation, I know that I have to configure a PAN Failover, however, I am studying and confusing the terms.

What would adding just 1 element (SNS3715) look like, is there any risk in the settings or steps that I'm not seeing?

Please, could you guide me or remind me of the criticality or steps of this addition?

Regards

8 Replies

ammahend
VIP

Yep, request management IP, FQDN, DNS records.

The 37xx supports Cisco ISE 3.1 P6 and later versions only, so keep that in mind in case you need to upgrade the existing setup.

The 3615 has been end of life since Feb 2023, so at some point you will run into an issue where the latest firmware will not be supported on both, so budget for that.

Other than that, you will set up the new SNS3715 as an individual ISE, get the certs right and then register it on the existing deployment as a PSN.

Then you will configure your NAD to use this PSN for failover etc.; make sure latency is under 200 ms.


-hope this helps-

Hello @ammahend 

Perfect!
I appreciate the quick response, but if I configure it as a PSN, my NAD is a WLC9800, is there any rule in ISE for this? Is there any example or documentation that is easy to read? If so, can you share?


If you are using 802.1X then your WLC9800 is already configured to use the existing ISE nodes; you will simply go to Configuration>>Security>>AAA, add a new server with the 3715 IP and add this server into the existing server group.

more here

-hope this helps-

Hello @ammahend 

I hope you are well.

Perfect! On the WLC side it was clear, but I still have doubts regarding ISE03 (Branch).

The ISE03 will enter as a PSN, in this case, my configuration will change in some way, for example, when there is an unavailability in the Data Center, how will my Branch PSN become the element that will receive all network authentications?

Regarding Topology, would you change anything?

Without PSN:
ISE01 => Admin, Monitoring, Policy Service (Persona) | PRI(A), SEC(M) (Roles) | Session, Profiler (Services)

ISE02 => Admin, Monitoring, Policy Service (Persona) | SEC(A), PRI(M) (Roles) | Session, Profiler (Services)

With PSN:

ISE01 => Admin, Monitoring, Policy Service (Persona) | PRI(A), PRI(M) (Roles) | Session, Profiler (Services)

ISE02 => Admin, Monitoring | SEC(A), SEC(M) (Roles) | NONE (Do I disable the Policy Service Node)?

ISE03 => What would it look like?

I know it seems basic, but it's still not clear.


No, you don't disable the PSN persona on ISE02. The 9800 will use ISE01 as primary, ISE02 as secondary and ISE03 as tertiary. I think the limit is 17, so technically you can add up to 17 AAA servers in a single server group; you just have 3.

Optionally, if you want to load balance you can use the RADIUS load balancing feature in the 9800, but before you enable it, go through the restrictions and understand the impact on your environment, and then enable it.

-hope this helps-
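The WLC 9800 side of the two replies above (adding the branch 3715 as a third RADIUS server in the existing server group, with failover order primary/secondary/tertiary) expressed as IOS-XE CLI. This is an added illustration, not configuration from the thread; the server names, IP addresses and shared secret are placeholders, and the dead-criteria/deadtime values and the dynamic-author (CoA) entry are assumptions the thread does not state.

```cisco
! --- Added example (placeholder addresses), not the poster's configuration ---
! Define the new branch PSN as a RADIUS server object on the WLC 9800.
radius server ISE03-BRANCH
 address ipv4 192.0.2.30 auth-port 1812 acct-port 1813
 key <SHARED-SECRET-PLACEHOLDER>
 ! Assumption: keep-alive probing so the WLC marks a dead PSN and fails over
 ! instead of timing out every authentication against it.
 automate-tester username probe-user probe-on
!
! Mark a server dead after 3 unanswered tries within 5 s; hold it dead 10 min.
! (Assumed values; tune to the branch link and the latency noted above.)
radius-server dead-criteria time 5 tries 3
!
! Existing server group: order = failover order (ISE01 primary, ISE02
! secondary, ISE03 tertiary). The DC PSNs stay first; the branch PSN is
! only used when both DC nodes are dead.
aaa group server radius ISE-GROUP
 server name ISE01-DC
 server name ISE02-DC
 server name ISE03-BRANCH
 deadtime 10
!
! CoA: redirect-based flows (posture, guest, MDM mentioned in the thread)
! rely on the PSN that owns the session sending a Change of Authorization.
! The new PSN must be trusted as a dynamic-author client or its CoAs are
! dropped silently, so add it next to the existing DC entries.
aaa server radius dynamic-author
 client 192.0.2.30 server-key <SHARED-SECRET-PLACEHOLDER>
```

Verify the result with `show aaa servers` (the new entry should show as UP after the first probe) and, on the ISE side, make sure the WLC is a network device the new PSN is allowed to serve.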

OK! Sorry for my ignorance, in the current architecture there will be no changes, but in the new ISE, it will only enter with the PSN configuration? In other words, I won't mark admin or monitor, right?
Will I have to add it to the existing Node Group or not?

I'm thinking about doing a laboratory to understand better.

Yes, the new 3715 will only have the PSN persona, not Admin and MNT. In a distributed deployment you only need 2 Admin and 2 MNT, which you already have.

The main purpose of a node group is that if the group detects that a member has failed, it attempts to reset and recover all URL-redirected sessions on the failed node. It's useful for anything that uses redirect, like posture services, guest services, MDM etc., so I would recommend adding the third node to the node group if you have an existing node group.

Lab is always a good idea, go for it.


-hope this helps-

Perfect @ammahend ! I hope you have a great week!
Thank you for all the information, I am setting up a lab and I believe that by 07/24 I will have completed it.
I'm checking to see if the update is necessary, but I still have a question.

1 - I need to update the certificate by adding the PSN address, and update the production boxes with this certificate, right?
2 - Will I have to create a rule for the PSN (Branch) to host the guest portal if the Data Center (ISE01 and ISE02) becomes unavailable, or is it not necessary?

3 - It's not my area, but should the DNS/FQDN be configured as round robin?

In any case, I appreciate your patience and consistency in answering me so far, thank you very much!