01-08-2020 06:23 AM
Hi guys,
I'm planning to migrate my ACS deployment to ISE, but I have some questions regarding the deployment model I should use.
My topology is the following:
1 - central site
3 - customer sites
The central site acts as the primary ACS, while all other sites are secondary.
In case there's an issue with the primary ACS or one of the sites is disconnected, I promote the local server at the customer's site to be the primary and vice versa.
I understand that in ISE I can't use this topology anymore and I'm wondering what will be the best solution for me.
We only provide TACACS+ for network devices (switches/firewalls) and I still want to manage everything from a central location, i.e. the central site. On the other hand, there is an obligatory requirement from the client that if for some reason one of the client sites is disconnected from the central site, or the central site's server is faulty, the customer site should still be able to provide local management for its site only.
I would like to hear out what you have to say and recommend.
Thank you.
01-08-2020 07:28 AM
With ISE, you can have only two Administration nodes, a primary and a secondary. The secondary can be promoted to take over the primary role if necessary. My recommendation would be to have your Primary Admin and Primary MnT nodes in the central site along with at least one PSN. Then pick your best alternate site to host the Secondary Admin and Secondary MnT along with a PSN. Then the remaining sites just need a PSN. Especially for TACACS+ only deployments, the Primary Admin is only needed if changes to the policy need to happen. So in the event of a failure of the Primary Admin, you only need to worry about promoting the Secondary if the Primary will be down long enough to delay necessary changes to the policy. Otherwise, just wait until the Primary Admin is back online. And if you happen to lose the central site AND your secondary Admin, then you likely have bigger issues to worry about than just ISE. With ISE, you could lose both Admin nodes and both MnT nodes, and a local PSN will continue to authenticate users based on the most recent policy before the outage.
01-08-2020 07:54 AM
Hi Colby,
Thank you for the explanation.
From what I understand, it seems that I won't have any other options than installing standalone deployments in each site and giving up on central management. The reason is that although it's a full mesh topology, there are scenarios in which sites are totally disconnected from each other and we MUST provide an option to perform administration and policy changes in each site.
What I wanted to have is 3 customer sites running a single ISE server which is PAN, PSN and MnT, and they will be registered to the central server which will also provide PAN, PSN and MnT, but I understand it's impossible (?).
01-08-2020 08:57 AM
That's correct. It is impossible to have more than 2 Admin/MnT nodes in any deployment. If you go with a standalone deployment at each site, you will need to have a total of two nodes at each site for redundancy.
01-08-2020 10:09 AM
Thank you for the clarification.
What if I want to have a standalone deployment at each site, but only with one node - is it possible?
I can configure the network devices at the central site as well so it can serve as PSN in case of a failure with the site node.
Can it be done?
01-08-2020 10:51 AM
Yes, it can be done but you would have no backup node in case of failure of your primary. You would need to ensure that you have good backups so you can restore if you had to rebuild at a particular site. Also, yes you can have your network devices failover to the central site (or another) but you would need to ensure the policies are the same to get the same/expected result.
I would personally push back on the client and explain the ISE architecture and how resilient it is. I would press them on the need to have Primary Admin abilities at every site. Talk through various failure scenarios and explain that to lose the Central site and another site at the same time would mean there are other major issues happening and the chances of having the need to adjust policies or configurations in ISE would be rare in the middle of an outage. But that's just my opinion. In my experience, customers don't fully understand what they are asking for and it is our jobs as consultants to educate them on reality.
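As an added illustration of the device-side failover described in the answer above (this is example configuration, not something posted in the thread): an IOS-XE switch pointing TACACS+ at the site's standalone ISE node first and the central-site PSN second, with local credentials as a last resort. Addresses, server names and secrets are placeholders; as the answer notes, the device only sees two servers, so the TACACS+ policy on both ISE deployments must be kept identical or the fallback will yield different authorization results.

```text
! Added example, not from the original thread. Placeholder addresses/secrets.
aaa new-model
!
! Standalone ISE node at the customer site (PAN/MnT/PSN in one box)
tacacs server ISE-SITE-LOCAL
 address ipv4 192.0.2.10
 key 0 <shared-secret-placeholder>
 timeout 5
!
! PSN at the central site, used only when the local node is unreachable
tacacs server ISE-CENTRAL
 address ipv4 198.51.100.10
 key 0 <shared-secret-placeholder>
 timeout 5
!
! Servers are tried in the order listed; the local node is preferred
aaa group server tacacs+ ISE-TACACS
 server name ISE-SITE-LOCAL
 server name ISE-CENTRAL
!
! Fall back to the local user database only if no TACACS+ server answers
aaa authentication login default group ISE-TACACS local
aaa authorization exec default group ISE-TACACS local if-authenticated
aaa authorization commands 15 default group ISE-TACACS local if-authenticated
aaa accounting exec default start-stop group ISE-TACACS
aaa accounting commands 15 default start-stop group ISE-TACACS
!
! Break-glass account for the case where both ISE nodes are unreachable
username admin-fallback privilege 15 secret <local-password-placeholder>
```

The accounting records let you confirm from the ISE side (Operations > TACACS Live Logs on whichever node answered) which server actually handled a session during an outage test.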
01-08-2020 11:31 AM
Registration is initiated from the Primary Admin. That interface only allows 2 Admin/MnT nodes. So when you try to bring a third one in, you will have to take over from another. Or the new node will just join as a PSN only.
01-08-2020 12:53 PM
Yes, if you break it off of the deployment then it will become a standalone with PAN/MnT/PSN roles. Caveat is that when you make those changes, the services will restart and could take up to 10-15 minutes to be available again.