07-12-2018 07:45 AM
Hi,
We are looking for ISE deployment across two data centers for wired & wireless 802.1x authentication and posture assessment for corporate and VPN users.
Option 1 :
Data center 1:
1. PAN - Primary
2. MnT - Primary
3. PSN - Primary for DC1
Data center 2:
1. PAN - Secondary
2. MnT - Secondary
3. PSN - Primary for DC2
Option 2:
Data center 1:
1. PAN/MnT - Primary
2. PSN - Primary for DC1
Data center 2:
1. PAN/MnT - Secondary
2. PSN - Primary for DC2
Could you help clarify the below queries?
1. Can we put two PSNs in a device group (or do we need more than two)?
2. Do we need to have dedicated "in-line posture" node for VPN users? Or can we use the PSN nodes itself?
3. In Option 2, can we keep the PAN/MnT nodes across data centers, or do they have to be in the same data center?
07-12-2018 08:28 AM
It is hard to say whether you need to dedicate nodes or not since no data was provided on the size of the network. In general, PSNs that are in the same LAN campus would be part of the same Node Group.
There is no longer an entity referred to as an Inline Posture node. This was removed many releases ago and the ASA can support Posture for VPN users without it. Traffic does not flow "through" PSNs. PSNs terminate RADIUS and Posture Assessment conversations with NAD and endpoint, respectively.
ISE supports L3 separation of PAN and MNT nodes (or PAN+MNT nodes) for geographic redundancy.
07-12-2018 09:21 AM
Hi Chyps,
Thanks for your response. If I require posture assessment and remediation for Corporate LAN users in addition to VPN users, should I go with the AnyConnect agent? Is there any other agent available for this purpose?
07-12-2018 09:25 AM
Posture services with ISE require AnyConnect, either the persistent or the temporal agent. ISE can also integrate with other systems which report compliance. For example, ISE can query SCCM or Intune or MDM products regarding an endpoint's compliance/posture status, which does not entail the use of AnyConnect. However, if you require the ISE solution to perform the endpoint interrogation and remediation, then AC is required.
07-12-2018 11:09 PM
Hi Chyps,
Thanks a ton for your clear explanation. This answers my query completely.
07-16-2018 03:07 AM
Hi,
To make myself very sure, is the below-mentioned diagram a valid design for positioning the ISE components? I am planning to position two PSNs, one in each data center. In case the local PSN fails, the endpoints need to authenticate with the other DC's PSN.
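As an added illustration that is not part of the thread, this is the NAD side of that failover for a switch in DC1: a Cisco IOS RADIUS server group that lists the local DC's PSN first and the remote DC's PSN as fallback, with dead-server detection so the switch stops sending requests to a PSN that has gone silent. Addresses, server names, the probe user and the shared secret are placeholders.

```ios
! Added example (not from the thread): RADIUS failover between two PSNs in different DCs.
! All addresses, names and the shared secret below are placeholders.
aaa new-model
!
radius server ISE-PSN-DC1
 address ipv4 10.1.1.10 auth-port 1812 acct-port 1813
 key <shared-secret>
 automate-tester username probe-user
!
radius server ISE-PSN-DC2
 address ipv4 10.2.2.10 auth-port 1812 acct-port 1813
 key <shared-secret>
 automate-tester username probe-user
!
! Declare a PSN dead after 3 unanswered requests within 5 seconds,
! and keep it out of rotation for 15 minutes before retrying it.
radius-server dead-criteria time 5 tries 3
radius-server deadtime 15
!
! Local PSN first; the remote DC's PSN is only used while the local one is marked dead.
aaa group server radius ISE-GROUP
 server name ISE-PSN-DC1
 server name ISE-PSN-DC2
!
aaa authentication dot1x default group ISE-GROUP
aaa authorization network default group ISE-GROUP
aaa accounting dot1x default start-stop group ISE-GROUP
```

A switch in DC2 uses the same configuration with the server order reversed, so each site prefers its local PSN and only crosses the DC link when it has to.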
02-05-2021 01:28 AM
Hi @mgr
Did you test your design? Can you please share more information about the outcome of the design in regards to the L3 different-data-center deployment of two PSNs, PAN and MnT nodes?
I do have almost the same setup and I would like to understand best practices.
Thank you,
Laura
02-05-2021 09:31 AM
Hi @laurathaqi
this is an old post (Jul, 2018) ... so please take a look at the following links:
1. ISE Performance & Scale ... search for Maximum Network Latency Between Nodes (300 ms - ISE 2.1+)
2. ISE Admin Guide 2.7 ... search for Create a Policy Service Node Group ("... make all PSNs in the same local network part of the same Node Group ...")
Hope this helps !!!