
Custom Deployment Model

Guy Greenshtein
Level 1

Hi guys,

I'm planning to migrate my ACS deployment to ISE, but I have some questions regarding the deployment model I should use.

 

My topology is the following:

1 - central site

3 - customer sites

The central site acts as the primary ACS, while all other sites are secondary.

In case there's an issue with the primary ACS or one of the sites is disconnected, I promote the local server at the customer's site to be the primary and vice versa.

I understand that in ISE I can't use this topology anymore and I'm wondering what will be the best solution for me.

We only provide TACACS+ for network devices (switches/firewalls) and I still want to manage everything from a central location, i.e. the central site. On the other hand, there is an obligatory requirement from the client that if for some reason one of the client sites is disconnected from the central site, or the central site's server is faulty, the customer site should still be able to provide local management for its site only.


Thank you.


9 Replies

Colby LeMaire
VIP Alumni

With ISE, you can have only two Administration nodes, a primary and a secondary.  The secondary can be promoted to take over the primary role if necessary.  My recommendation would be to have your Primary Admin and Primary MnT nodes in the central site along with at least one PSN.  Then pick your best alternate site to host the Secondary Admin and Secondary MnT along with a PSN.  Then the remaining sites just need a PSN.  Especially for TACACS+ only deployments, the Primary Admin is only needed if changes to the policy need to happen.  So in the event of a failure of the Primary Admin, you only need to worry about promoting the Secondary if the Primary will be down long enough to delay necessary changes to the policy.  Otherwise, just wait until the Primary Admin is back online.  And if you happen to lose the central site AND your secondary Admin, then you likely have bigger issues to worry about than just ISE.  With ISE, you could lose both Admin nodes and both MnT nodes, and a local PSN will continue to authenticate users based on the most recent policy before the outage.

Hi Colby,

Thank you for the explanation.

From what I understand, it seems that I won't have any other options than installing standalone deployments in each site and giving up on central management. The reason is that although it's a full mesh topology, there are scenarios in which sites are totally disconnected from each other and we MUST provide an option to perform administration and policy changes in each site.

What I wanted to have is 3 customers sites running a single ISE server which is PAN, PSN and MnT and they will be registered to the central server which will also provide PAN, PSN and MnT but I understand it's impossible (?).


That's correct.  It is impossible to have more than 2 Admin/MnT nodes in any deployment.  If you go with a standalone deployment at each site, you will need to have a total of two nodes at each site for redundancy.

Thank you for the clarification.

What if I want to have a standalone deployment at each site, but only with one node - is it possible?

I can configure the network devices with the central site as well so it can serve as PSN in case of a failure with the site node.

Can it be done?

Yes, it can be done but you would have no backup node in case of failure of your primary.  You would need to ensure that you have good backups so you can restore if you had to rebuild at a particular site.  Also, yes you can have your network devices failover to the central site (or another) but you would need to ensure the policies are the same to get the same/expected result.

I would personally push back on the client and explain the ISE architecture and how resilient it is.  I would press them on the need to have Primary Admin abilities at every site.  Talk through various failure scenarios and explain that to lose the Central site and another site at the same time would mean there are other major issues happening and the chances of having the need to adjust policies or configurations in ISE would be rare in the middle of an outage.  But that's just my opinion.  In my experience, customers don't fully understand what they are asking for and it is our jobs as consultants to educate them on reality.
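The device-side half of the failover Colby describes, as an added example that is not from the thread: an IOS switch at one customer site lists its own ISE node first and the central-site PSN second, then falls back to a local account if neither answers. Hostnames, addresses, interface and the shared secret are placeholders. For the fallback to behave as expected, both ISE deployments must define this switch as a network device with the same TACACS+ shared secret, and the device administration policy sets must be replicated between them, which is exactly the "ensure the policies are the same" point above. ASA/firewall syntax differs and is not shown.

```cisco
! Added example, not from the thread. Addresses, names, interface and secrets are placeholders.
aaa new-model
!
! Order within the server group is the failover order: site node first, central PSN second.
tacacs server ISE-SITE1
 address ipv4 10.10.1.10
 key SharedSecretDefinedInBothISEDeployments
 timeout 5
!
tacacs server ISE-CENTRAL
 address ipv4 10.0.0.10
 key SharedSecretDefinedInBothISEDeployments
 timeout 5
!
aaa group server tacacs+ ISE-TACACS
 server name ISE-SITE1
 server name ISE-CENTRAL
!
! Local break-glass account, used only when every server in the group is unreachable.
username site-fallback privilege 15 secret ChangeMeStrongLocalPassword
enable secret ChangeMeStrongEnableSecret
!
aaa authentication login default group ISE-TACACS local
aaa authentication enable default group ISE-TACACS enable
aaa authorization exec default group ISE-TACACS local if-authenticated
aaa authorization commands 15 default group ISE-TACACS local if-authenticated
aaa accounting exec default start-stop group ISE-TACACS
aaa accounting commands 15 default start-stop group ISE-TACACS
!
! Source all TACACS+ traffic from one address so both ISE deployments see the same client IP.
ip tacacs source-interface Loopback0
```

Two checks worth doing before relying on this: `test aaa group ISE-TACACS <user> <password> new-code` exercises the whole group from the switch, and `show tacacs` reports per-server success/failure counters, which makes it obvious when a site node is silently dead and every login is already being served by the central PSN. Note that IOS moves to the next method (`local`) only when the TACACS+ servers are unreachable, not when they reject the credentials, so the local account is a true last resort rather than a bypass of ISE policy.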

Thanks once again Colby.
There is a reason behind the customers request but I can't really share it here.
I will go for a design in which I have a standalone node with full capabilities (PAN, PSN, MnT) and I will manually replicate the objects and the policies of all sites to the central site.
It's not perfect, but that's the closest design to what I initially planned.
By the way, what if I have a node with full capabilities in each site but I still register all of them to the central site? Won't it let me do so?

Registration is initiated from the Primary Admin.  That interface only allows 2 Admin/MnT nodes.  So when you try to bring a third one in, you will have to take over from another.  Or the new node will just join as a PSN only.

If it joins as a PSN, will it be possible to make it the PAN for the local site again in case the central site isn't reachable?
If so, that's another option I can consider.
In that case, all management will be performed from a central location and in case it will go down or the site will be disconnected from the network I could manually promote the local server to act as PAN/PSN/MnT. Is that correct?

Yes, if you break it off of the deployment then it will become a standalone with PAN/MnT/PSN roles.  Caveat is that when you make those changes, the services will restart and could take up to 10-15 minutes to be available again.