Create trust relationship between 2 different Cisco ISE deployments

JPavonM
VIP

Hi experts,

I'm new to ISE and we are going to deploy a worldwide solution for TACACS+ and authZ (ISE#2), but we already have a regional deployment in the US with 4 PSNs (ISE#1).

Due to some delay issues in some countries, I'm thinking of deploying PSNs in some strategic countries so as to create the ISE#2 deployment using 6 PSNs. Question is, is there some way for ISE#1 to forward requests to ISE#2 and vice versa?

Regards.

Accepted Solution

thomas
Cisco Employee

ISE has the ability to do RADIUS Proxy and TACACS+ Proxy to other servers - even if it is another ISE deployment.  But I highly encourage you to stick with a single worldwide ISE deployment to simplify your administrative life unless your network scale requires more ISE capacity (does not sound like it) or your organization is siloed for reasons above Layer 7.

[image: thomas_1-1709218199117.png]

5 Replies

Pulkit Mittal
Spotlight

You can have a load balancer in front but make sure that auth and accounting for the same session are going to the same PSN.

Marvin Rhoads
Hall of Fame

Separate ISE deployments do not communicate with each other (except in some very rare corner cases that would not apply to the situation you mention).

I have a customer with a single ISE deployment spanning US, Asia (India and Indonesia), Africa and Europe - it works fine.


The proxy option mentioned by @thomas was the corner case I was thinking of. Not generally recommended for your use case.

A single deployment is highly preferable and recommended by 99/100 ISE experts. The 1 who does not recommend it is probably being paid by the hour to setup separate deployments.

I am not paid by the hour and am honestly thinking about building a parallel ISE deployment for redundancy. The reasons for that are bugs present in ISE itself. It is not normal that after uploading the AnyConnect compliance image to ISE the whole deployment is stuck for almost an hour. So my question is: how to sync the MAC addresses with the API?

EDIT

How about using Ansible to do an automatic configuration restore, e.g. every night, and do the AD join after it is done. It should work, right?

thank you
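The last poster asks how to keep endpoint MAC addresses in step between two deployments via the API. The following is an added example for this thread, not code from Cisco or from any poster. It assumes the ISE ERS REST API as follows: the `/ers/config/endpoint` resource (GET to list, POST to create), the `size`/`page` paging query parameters, the `SearchResult` -> `resources` -> `name` response shape (where `name` carries the MAC for endpoint resources), the `ERSEndPoint` create payload, and port 9060 for ERS; `GROUP-ID-PLACEHOLDER` stands in for the target deployment's endpoint identity group id. The HTTP transport is injected as two callables, so the reconciliation logic runs offline against the constructed sample inventories at the bottom; `ers_transport` builds the real transport when you have network access and the `requests` package.

```python
"""Reconcile endpoint (MAC address) identities between two ISE deployments.

Added example, not Cisco code. Assumed ERS API details are marked below.
"""
import re
from typing import Callable, Dict, Iterable, List, Tuple

ERS_ENDPOINT_PATH = "/ers/config/endpoint"   # assumed ERS endpoint resource path
ERS_PORT = 9060                              # assumed ERS listener port

Getter = Callable[[str], dict]
Poster = Callable[[str, dict], dict]


def normalize_mac(raw: str) -> str:
    """Turn any common MAC spelling (aabb.ccdd.eeff, aa-bb-cc-dd-ee-ff,
    aabbccddeeff) into AA:BB:CC:DD:EE:FF so both inventories compare equal."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).upper()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def plan_sync(source: Iterable[str], target: Iterable[str]) -> Dict[str, List[str]]:
    """Set difference of the two inventories after normalisation."""
    src = {normalize_mac(m) for m in source}
    dst = {normalize_mac(m) for m in target}
    return {"create": sorted(src - dst),
            "delete": sorted(dst - src),
            "unchanged": sorted(src & dst)}


def endpoint_payload(mac: str, group_id: str) -> dict:
    """Assumed ERS create body. group_id is the *target* deployment's endpoint
    identity group id; ids differ between deployments, hence a parameter."""
    return {"ERSEndPoint": {"mac": normalize_mac(mac),
                            "groupId": group_id,
                            "staticGroupAssignment": True}}


def list_endpoint_macs(get: Getter, page_size: int = 100) -> List[str]:
    """Walk every page of the endpoint list and collect the MACs."""
    macs: List[str] = []
    page = 1
    while True:
        result = get(f"{ERS_ENDPOINT_PATH}?size={page_size}&page={page}")["SearchResult"]
        macs.extend(r["name"] for r in result.get("resources", []))
        if "nextPage" not in result:      # assumed: nextPage absent on the last page
            return macs
        page += 1


def sync_endpoints(get_src: Getter, get_dst: Getter, post_dst: Poster,
                   group_id: str) -> Dict[str, List[str]]:
    """Create on the target every MAC the source has and the target lacks.
    Deletions are only reported: removing endpoints from the secondary
    deployment should be a deliberate operator decision, not a side effect."""
    plan = plan_sync(list_endpoint_macs(get_src), list_endpoint_macs(get_dst))
    for mac in plan["create"]:
        post_dst(ERS_ENDPOINT_PATH, endpoint_payload(mac, group_id))
    return plan


def ers_transport(host: str, user: str, password: str, ca_bundle: str) -> Tuple[Getter, Poster]:
    """Real transport: HTTPS basic auth to the ERS port with the server
    certificate verified against ca_bundle. Needs the 'requests' package."""
    import requests  # imported here so the offline logic needs no third-party module
    s = requests.Session()
    s.auth = (user, password)
    s.verify = ca_bundle
    s.headers.update({"Accept": "application/json", "Content-Type": "application/json"})
    base = f"https://{host}:{ERS_PORT}"

    def get(path: str) -> dict:
        r = s.get(base + path)
        r.raise_for_status()
        return r.json()

    def post(path: str, body: dict) -> dict:
        r = s.post(base + path, json=body)
        r.raise_for_status()
        return {"status": r.status_code}
    return get, post


def fake_deployment(macs: Iterable[str], page_size: int = 2):
    """Constructed stand-in for one deployment: emulates ERS paging over a
    fixed list (ignores the requested size) and records what gets created."""
    store = list(macs)
    created: List[str] = []

    def get(path: str) -> dict:
        page = int(path.rsplit("page=", 1)[1])
        chunk = store[(page - 1) * page_size: page * page_size]
        body = {"SearchResult": {"total": len(store),
                                 "resources": [{"id": f"id-{m}", "name": m} for m in chunk]}}
        if page * page_size < len(store):
            body["SearchResult"]["nextPage"] = {"href": f"{ERS_ENDPOINT_PATH}?page={page + 1}"}
        return body

    def post(path: str, body: dict) -> dict:
        created.append(body["ERSEndPoint"]["mac"])
        return {"status": 201}
    return get, post, created


if __name__ == "__main__":
    # constructed sample inventories: the primary has three endpoints, the
    # secondary has one of them plus one the primary does not know about
    src_get, _, _ = fake_deployment(["aabb.ccdd.eeff", "00-11-22-33-44-55", "66:77:88:99:AA:BB"])
    dst_get, dst_post, created = fake_deployment(["AA:BB:CC:DD:EE:FF", "DE:AD:BE:EF:00:01"])
    plan = sync_endpoints(src_get, dst_get, dst_post, group_id="GROUP-ID-PLACEHOLDER")
    print("created on secondary:", created)
    print("present only on secondary (review before deleting):", plan["delete"])
```

Two design points worth noting for a redundancy setup like the one described: MACs are normalised before comparison because the same endpoint can be stored in different notations, which would otherwise make the sync re-create entries it already has; and the script never deletes on the secondary, it only reports the difference, so a bug or an incomplete listing on the primary cannot silently wipe the standby inventory.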