
ISE 1.4 - Inline Posture Nodes

janwegrz
Cisco Employee

Hello Team,

How many standalone IPN nodes can work simultaneously in an ISE deployment? My customer adds one IPN and does not switch on HA settings. After that he adds a second one and it already does not have Standalone options (Deployment Modes, Filters, Radius Config, Managed Subnets etc.). Is it expected that the second node added is treated by ISE as secondary? Thank you for your answer.

Best regards,
Jan

Accepted Solutions

IPNs are considered Network Access Devices on the network, so it will support many of them.

In the document it actually says: At any network entry point, like VPN headend using ASA or group of ASAs in an HA cluster, a maximum of 2 Inline Posture nodes can be deployed as active-standby pair for high-availability. You can have several HA pairs in a deployment.

In this guide it also explains it a little differently:

Cisco Identity Services Engine Hardware Installation Guide, Release 1.2 - Network Deployments in Cisco ISE [Cisco Identi…

Inline Posture Planning Considerations

A network or system architect is responsible for researching the issues involved in Inline Posture deployment to determine what best suits network requirements.

A network or system architect must address the following basic questions when planning to deploy Inline Posture nodes:

  • Will deployment plans include an Inline Posture primary-secondary pair configuration? Cisco ISE networks support up to two Inline Posture nodes configured on a network at any one time.
  • What type of Inline Posture operating modes will you choose?


Charlie Moreton
Cisco Employee

According to the ISE 1.4 Admin Guide:

Unlike other personas, Inline Posture is unable to share a node with other services. This inability to share a node means that Inline Posture must be a dedicated node that is registered to the PAN on your network.

Cisco ISE allows you to have up to two Inline Posture nodes configured as an active-standby pair for high availability.

A maximum of 2 IPN are allowed in an ISE deployment.  One acting as an HA standby.  I have linked the specific section below.

Cisco Identity Services Engine Administrator Guide, Release 1.4 - Set Up Inline Posture [Cisco Identity Services Engine…

Charles Moreton

Interesting.  Though I do not see where it states that you can have multiple IPN HA Pairs.  All I see is this statement:

Cisco ISE allows you to have two Inline Posture nodes, and they can take on primary or secondary roles for high availability.

and

Cisco ISE networks support up to two Inline Posture nodes configured on a network at any one time.

It would certainly make sense to allow for multiple instances, but the documentation seems lacking.  :-/

Maybe different network segments or entry points on separate networks...

It's best to try and stay away from deployments using IPN where possible. On the VPN side the ASA supports COA natively. As we increase 3rd party support there will be less of a need for the IPN.

ASA Version 9.2.1 VPN Posture with ISE Configuration Example - Cisco

Notice in ISE 2.0 that it's no longer supported:

Release Notes for Cisco Identity Services Engine, Release 2.0 - Cisco