02-29-2024 02:25 AM
Hi experts,
I'm new to ISE and we are going to deploy a worldwide solution for TACACS+ and authZ (ISE#2), but we already have a regional deployment in the US with 4 PSNs (ISE#1).
Due to some delay issues in some countries, I'm thinking of deploying PSNs in some strategic countries so as to create the ISE#2 deployment using 6 PSNs. Question is, is there some way for ISE#1 to forward requests to ISE#2 and vice versa?
Regards.
02-29-2024 06:54 AM
ISE has the ability to do RADIUS Proxy and TACACS+ Proxy to other servers - even if it is another ISE deployment. But I highly encourage you to stick with a single worldwide ISE deployment to simplify your administrative life unless your network scale requires more ISE capacity (does not sound like it) or your organization is siloed for reasons above Layer 7.
02-29-2024 03:44 AM
You can have a load balancer in front, but make sure that auth and accounting for the same session are going to the same PSN.
02-29-2024 06:36 AM
Separate ISE deployments do not communicate with each other (except in some very rare corner cases that would not apply to the situation you mention).
I have a customer with a single ISE deployment spanning US, Asia (India and Indonesia), Africa and Europe - it works fine.
02-29-2024 07:06 AM
The proxy option mentioned by @thomas was the corner case I was thinking of. Not generally recommended for your use case.
A single deployment is highly preferable and recommended by 99/100 ISE experts. The 1 who does not recommend it is probably being paid by the hour to setup separate deployments.
08-09-2024 08:01 AM - edited 08-09-2024 09:03 AM
I am not paid by the hour and am honestly thinking about building a parallel ISE deployment for redundancy.
EDIT
How about using Ansible to do an automatic configuration restore, e.g. every night, and do the AD join after it is done. It should work, right?
Thank you.