ISE 2.0 HA Authentication and Authorization

Hi,

I have 2 ISE nodes: 1 node is primary and the other one is secondary. As per my understanding, only the primary node should authenticate and authorize the endpoint.

But in my case, I see both nodes are authenticating and authorizing the endpoint.

Kindly assist on how it works or whether my understanding is right.

Any help would be appreciated.

Thanks & Regards

Laxmi

Accepted Solutions

nspasov
Cisco Employee

Hello Laxmi-

I would recommend you check out and read the link below:

http://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21/b_ise_admin_guide_20_chapter_010.html#ID29

With ISE you have "personas" that can be enabled on different ISE nodes. The "personas" are really services that can be enabled/disabled on each node based on the deployment that you have in place. 

The current ISE "personas" are:

1. Administration

2. Monitoring

3. Policy Services

4. pxGrid

The Policy Services persona is essentially what makes a node an AAA RADIUS server. Having that service enabled allows the node to process authentication and authorization requests. Thus, each Policy Services node needs to be configured as an AAA server in your Network Access Devices (Switches, WLCs, ASAs, etc).

When you have a distributed deployment, you dedicate nodes to individual personas. However, in a single/dual node deployment, all of the personas are running on your nodes. 

I hope this helps!

Thank you for rating helpful posts!
