ISE deployment in two data centers

mgr
Level 1

Hi,

We are looking for ISE deployment across two data centers for wired & wireless 802.1x authentication and posture assessment for corporate and VPN users.

Option 1 :

Data center 1:

1. PAN - Primary

2. MnT - Primary

3. PSN - Primary for DC1

Data center 2:

1. PAN - Secondary

2. MnT - Secondary

3. PSN - Primary for DC2

Option 2:

Data center 1:

1. PAN/MnT - Primary

2. PSN - Primary for DC1

Data center 2:

1. PAN/MnT - Secondary

2. PSN - Primary for DC2

Could you help clarify the below queries?

1. Can we put two PSNs in a device group (or do we need more than two)?

2. Do we need to have a dedicated "in-line posture" node for VPN users? Or can we use the PSN nodes themselves?

3. In Option 2, can we keep the PAN/MnT nodes across data centers, or do they have to be in the data centers?


8 Replies

Craig Hyps
Level 10

It is hard to say whether you need to dedicate nodes or not, since no data was provided on the size of the network. In general, PSNs that are in the same LAN campus would be part of the same Node Group.

There is no longer an entity referred to as an Inline Posture node. This was removed many releases ago, and the ASA can support Posture for VPN users without it. Traffic does not flow "through" PSNs. PSNs terminate RADIUS and Posture Assessment conversations with the NAD and the endpoint, respectively.

ISE supports L3 separation of PAN and MnT nodes (or PAN+MnT nodes) for geographic redundancy.

Hi Chyps,

Thanks for your response. If I require posture assessment and remediation for Corporate LAN users in addition to VPN users, should I go with the AnyConnect agent? Is there any other agent available for this purpose?

Posture services with ISE require AnyConnect, either the persistent or the temporal agent. ISE can also integrate with other systems which report compliance. For example, ISE can query SCCM, Intune or MDM products regarding an endpoint's compliance/posture status, which does not entail the use of AnyConnect. However, if you require the ISE solution to perform the endpoint interrogation and remediation, then AC is required.

mgr
Level 1

Hi Chyps,

Thanks a ton for your clear explanation. This answers my query completely.

Hi,

To make myself very sure, is the below-mentioned diagram a valid design for positioning the ISE components? I am planning to position two PSNs, one in each data center. In case the local PSN fails, the endpoints need to authenticate with the other DC's PSN.

[Attached image: ISE query.jpg]
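As an added illustration (not part of the original thread or of any ISE documentation), the cross-DC PSN failover asked about above is configured on the network access device rather than in ISE: the switch lists the local data center's PSN first and the other data center's PSN as a fallback, and uses dead-server detection so that it moves to the fallback without waiting for each request to time out. The node names, IP addresses and shared secret are constructed placeholders, and the syntax assumed is Cisco IOS-XE on a DC1-attached access switch.

```cisco
! Added example, not from the original thread. IOS-XE AAA configuration for an
! access switch in DC1. Names, addresses and the key are constructed placeholders.
aaa new-model
dot1x system-auth-control
!
! Local DC1 PSN (preferred) and DC2 PSN (cross-site fallback).
radius server ISE-DC1-PSN
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key REPLACE-WITH-SHARED-SECRET
 ! Active probe so a failed PSN is detected even when no user is authenticating
 automate-tester username ise-probe probe-on
!
radius server ISE-DC2-PSN
 address ipv4 198.51.100.10 auth-port 1812 acct-port 1813
 key REPLACE-WITH-SHARED-SECRET
 automate-tester username ise-probe probe-on
!
! Mark a server dead after 3 unanswered requests within 5 seconds; the group
! deadtime keeps it skipped for 10 minutes so new sessions go straight to DC2.
radius-server dead-criteria time 5 tries 3
!
! Server order in the group is the preference order: DC1 first, then DC2.
aaa group server radius ISE-PSNS
 server name ISE-DC1-PSN
 server name ISE-DC2-PSN
 deadtime 10
!
aaa authentication dot1x default group ISE-PSNS
aaa authorization network default group ISE-PSNS
aaa accounting dot1x default start-stop group ISE-PSNS
```

On a DC2-attached switch the two `server name` lines are simply listed in the opposite order. `show aaa servers` reports the UP/DEAD state and the probe results for each PSN, which is the quickest way to confirm that the fallback path is actually being exercised during a test. Because the two PSNs sit in different LANs, they belong in separate node groups, consistent with the advice earlier in this thread.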

Hi @mgr

Did you test your design? Can you please share more information about the outcome of the design regarding the L3-separated data center deployment of two PSNs, PAN and MnT nodes?

I have almost the same setup and I would like to understand best practices.

Thank you,

Laura

Hi @laurathaqi

This is an old post (Jul 2018) ... so please take a look at the following links:

1. ISE Performance & Scale ... search for Maximum Network Latency Between Nodes (300 ms - ISE 2.1+)

2. ISE Admin Guide 2.7 ... search for Create a Policy Service Node Group ("... make all PSNs in the same local network part of the same Node Group ...")

Hope this helps!!!

Hi @Marcelo Morais

Thank you for sharing the information. Highly helpful.

Best wishes,

Laura
