ISE: are load balancers needed?

Patrick Colbeck
Level 3

Hi

I am looking at an ISE deployment for 20,000 users, so beyond the capabilities of a single box. It's all within a single campus.

So I need to separate out the functions and have separate Admin and Monitoring nodes with multiple PSNs, then replicate the whole lot in a second DC for DR.

What I can't work out is how the traffic is distributed across the PSNs (within a single DC) in this situation. Do I have to have a load balancer to do this?

Thanks

Pat

2 Replies

Tarik Admani
VIP Alumni

It is best practice in your scenario to consider this option, since this involves a single campus. You can consider mapping your network access devices to a subset of the RADIUS servers so that the load is distributed across the environment.

switch group A (supports 5k endpoints) point this group to PSN1, PSN2.... PSNn

switch group B (supports another 5k endpoints) point this group to PSN2...PSNn,PSN1....

You can use the alarms to help generate alarms as to when a certain number of authentication per second are met:

http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_ui_reference.html

There is a document that gives some good numbers as far as authentications per second depending upon protocol and the external database, but I cannot find the link right now. Once I find it I will follow up.

Thanks,

Tarik Admani

*Please rate helpful posts*

Venkatesh Attuluri
Cisco Employee

You can also use a load balancer; the following are a few points that might help you.

1. A load balancer can be used to load balance between PSNs with a common multicast address and group the PSNs together to form a node group.

2. When a node that belongs to a node group goes down, another node in the same node group issues a CoA for pending sessions on the failed node.

3. The heartbeat functionality in Cisco ISE handles session failover in Policy Service ISE nodes.

4. When a Policy Service ISE node that has a few active sessions goes down, the endpoints are stuck in an intermediate state. Even if the posture agent detects that the Policy Service ISE node that it has been communicating with has gone down, it cannot re-initiate authorization.

5. Nodes within a node group exchange heartbeats to detect node failures. If a node fails, one of its peers from the node group learns about the active sessions on the failed node and issues a CoA to disconnect those sessions. As a result, restarts and the sessions are handled by another Policy Service ISE node that is available using RADIUS load balancing. The session failover does not automatically move the sessions over from a Policy Service ISE node that has gone down to one that is available, but issues a CoA to achieve that.

6. All the nodes in a node group must be configured on the network access device (NAD) as RADIUS clients to issue a CoA. Typically, these nodes would also be configured as RADIUS servers.

7. All the nodes within the same node group should be configured on the NAD as RADIUS servers and clients, because any one of them can issue a CoA request for the sessions that are established through that NAD to any node in the node group. The nodes in a node group should be the same as, or a subset of, the RADIUS servers and clients configured on the NAD.

Please refer to the following link for more information on this:

https://supportforums.cisco.com/community/netpro/security/aaa/blog/2012/09/19/ise-and-load-balancing
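The two replies above describe one design when taken together: stagger the RADIUS server order per switch group so that, without a load balancer, each PSN is the primary for a different slice of the campus, and define every PSN in the node group on each NAD both as a RADIUS server and as a CoA (dynamic authorization) client so any peer can tear down sessions after a failure. The script below is an added example, not code from this thread or from Cisco. It builds the rotated server orders, computes how many endpoints land on each PSN as primary while everything is up, renders an IOS-style AAA fragment for one switch group, and checks that fragment for PSNs that are missing as CoA clients (points 6 and 7). All PSN names, the 192.0.2.x addresses, the endpoint counts and the shared key are constructed placeholders, and the `radius server` / `aaa group server radius` / `aaa server radius dynamic-author` syntax is my assumption of the IOS 15-style form; verify it against your own platform before use.

```python
"""Constructed example: staggered RADIUS server order per switch group plus
CoA (dynamic-author) client entries for every PSN in the node group.
PSN names, addresses, endpoint counts and the key are placeholders only."""
import re

# Constructed placeholders: four PSNs in one node group (documentation range).
PSNS = {
    "PSN1": "192.0.2.11",
    "PSN2": "192.0.2.12",
    "PSN3": "192.0.2.13",
    "PSN4": "192.0.2.14",
}
# Constructed: endpoints served by each switch group, as in the 5k example above.
SWITCH_GROUPS = {"A": 5000, "B": 5000, "C": 5000, "D": 5000}
SHARED_KEY = "RADIUS-KEY-PLACEHOLDER"  # placeholder, never a real key


def rotated_server_order(psn_names, group_index):
    """Rotate the PSN list so switch group k tries PSN(k+1) first and then the
    rest in wrap-around order, i.e. 'PSN2...PSNn,PSN1' for the second group."""
    names = list(psn_names)
    k = group_index % len(names)
    return names[k:] + names[:k]


def plan_server_orders(psns, switch_groups):
    """Assign every switch group its own rotated RADIUS server order."""
    return {g: rotated_server_order(psns, i) for i, g in enumerate(switch_groups)}


def primary_load(plan, switch_groups):
    """Endpoints per PSN when every PSN is up and each NAD uses its first
    server; shows whether the stagger actually spreads the load."""
    load = {}
    for group, order in plan.items():
        load[order[0]] = load.get(order[0], 0) + switch_groups[group]
    return load


def render_ios_config(group, order, psns, key=SHARED_KEY):
    """Render an IOS-style AAA fragment for one switch group. Every PSN in
    'order' is defined as a RADIUS server and as a dynamic-author (CoA)
    client, because any node in the node group may send a CoA to this NAD."""
    lines = []
    for name in order:
        lines += [f"radius server {name}",
                  f" address ipv4 {psns[name]} auth-port 1812 acct-port 1813",
                  f" key {key}"]
    lines.append(f"aaa group server radius ISE-{group}")
    lines += [f" server name {name}" for name in order]  # listing order = failover order
    lines.append("aaa server radius dynamic-author")
    lines += [f" client {psns[name]} server-key {key}" for name in order]
    return "\n".join(lines) + "\n"


def coa_clients(config_text):
    """Return the set of addresses configured as CoA clients in a fragment."""
    return set(re.findall(r"^ client (\S+) server-key", config_text, re.M))


def missing_coa_clients(config_text, psns):
    """PSNs whose CoA the NAD would reject because they are not dynamic-author
    clients; a non-empty result means session failover will not work."""
    return {name for name, ip in psns.items() if ip not in coa_clients(config_text)}


if __name__ == "__main__":
    plan = plan_server_orders(PSNS, SWITCH_GROUPS)
    for group, order in plan.items():
        print(f"switch group {group}: {' -> '.join(order)}")
    print("primary load while all PSNs are up:", primary_load(plan, SWITCH_GROUPS))
    cfg = render_ios_config("A", plan["A"], PSNS)
    print(cfg)
    print("PSNs missing as CoA clients:", missing_coa_clients(cfg, PSNS))
```

With four groups of 5,000 endpoints and four PSNs, each PSN is primary for 5,000 endpoints; if one PSN fails, its switch group falls through to the next server in its own list, so the remaining three PSNs absorb the load unevenly rather than one of them taking all of it. The `missing_coa_clients` check is the one worth running against a real NAD config, since a PSN left out of the dynamic-author client list can still authenticate but cannot clear sessions on behalf of a failed peer.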