
ISE 2.0 HA Authentication and Authorization

Hi,

I have 2 ISE nodes; one node is primary and the other one is secondary. As per my understanding, only the primary node should authenticate and authorize the endpoint.

But in my case, I see both nodes are authenticating and authorizing the endpoint.

Kindly assist on how it works, or on whether my understanding is right.

Any help would be appreciated.

Thanks & Regards

Laxmi

Accepted Solutions
Cisco Employee

Hello Laxmi-

I would recommend you check out and read the link below:

http://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21/b_ise_admin_guide_20_chapter_010.html#ID29

With ISE you have "personas" that can be enabled on different ISE nodes. The "personas" are really services that can be enabled/disabled on each node based on the deployment that you have in place. 

The current ISE "personas" are:

1. Administration

2. Monitoring

3. Policy Services

4. pxGrid

The Policy Services persona is essentially what makes a node an AAA RADIUS server. Having that service enabled allows the node to process authentication and authorization requests. Thus, each Policy Services node needs to be configured as an AAA server in your Network Access Devices (Switches, WLCs, ASAs, etc).

When you have a distributed deployment, you dedicate nodes to individual personas. However, in a single/dual node deployment, all of the personas are running on your nodes. 

I hope this helps!

Thank you for rating helpful posts!
