I was asked about the options to expand a Basic 2-Node Distributed ISE Deployment and if simply adding a tertiary (3rd) node to the deployment was an officially supported design. So from an "official" deployment perspective they would be moving from a "Basic 2-Node Distributed Deployment" to a "Hybrid-Distributed Deployment".
The design docs, scaling guide, presentations (BRKSEC-3432), etc. all show dedicated PSNs in a Hybrid Deployment. So the question is: are dedicated PSNs required beyond a basic 2-node solution, or can the PSN persona continue to be supported on the 2 PAN/MNT nodes when adding 1 or more additional PSNs? This is strictly looking at it from a supported deployment model perspective and NOT from a max session perspective.
Existing 2-node deployment:
Is this officially supported? (Adding 1 additional PSN, with the PSN persona continuing to run on the PAN/MNT nodes):
Or does the PSN persona have to be broken out for every node once moving beyond a basic 2-node solution to be an officially supported deployment?
@Colby LeMaire's comments are all true. I would add, though, that I have personal experience with customers who have "violated" the sacred tenets of ISE deployment design, and they still enjoyed normal TAC support. In my 20 years of dealing with Cisco TAC I have yet to come across an instance where Cisco have refused to support me/customer, even if the customer was not conforming to the "tested approach". It's more common to receive the classic "you need to upgrade to version x" ... as a step in the right direction.