ISE Distributed Deployment

techno.it
Level 1

We are implementing a multi-site ISE deployment across four locations, and our objective is to deploy two ISE PSNs at each site. It's important to note that these PSNs are site-specific, ensuring that users and devices authenticate with their respective local PSNs. Due to the critical nature of our operations and stringent design requirements, it is imperative for us to have a dedicated PSN at each site to eliminate any potential downtime and outages.

Deploy 2x PAN and 2x MNT at our main site to centralize administration and monitoring functions.

We do also plan for 2 x WLC at each site.

At each site, our Active Directory is configured as a child domain, with replication occurring with the parent domain located at our main site.

We have established VPN connections to interconnect all our sites with the main site.

My questions are:

1- Is this an ideal design for ISE deployment, and what are other potential options?
2- Can PSNs work as active/standby, and how do they work without a load balancer if redundancy and failover are required?
3- Is it possible for a combination of physical and virtual appliances to function together, such as having PSN node 1 as a physical appliance and PSN node 2 as a virtual appliance?

Accepted Solution

Guy Greenshtein
Level 1

Hi @techno.it ,

1 - Sounds fine, and it covers your system requirements and restrictions. You do, however, need to make sure to open all relevant firewall policies and ensure sufficient bandwidth for node intercommunication.

2 - PAN nodes support Primary/Secondary roles that can also be made redundant using PAN failover. PSNs, however, don't have roles and all serve as "Secondary" from the management perspective. You can use the Node Group function - "...in order to detect node failure and to reset sessions in pending state on the failed node, two or more Policy Service ISE nodes can be placed in the same node group. When a node that belongs to a node group goes down, another node in the same node group issues a CoA for pending sessions on the failed node". In addition, you can configure multiple PSN servers on the user switch, and it will also be able to detect failures and communicate with the rest of the PSNs.

3 - I am not aware of a physical/virtual mixing limitation, but you do need to make sure that they all run the same version and patch level in order to properly operate and sync.


Replies

  1. Sure, this sounds fine. Just note the maximum PSN count for a deployment is 50.
  2. This is all up to the NAD config. Typically the order in which the AAA servers are listed in the NAD config is top down, so it tries the one listed first unless the NAD marks it as down, and then moves down the list. A load balancer is always preferred, though, since it makes things like patching/upgrades/maintenance a breeze.
  3. Yes, as long as they are both the same spec, so you can ensure the secondary PSN has enough capacity to handle full failover from the other node.
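
The two answers above describe PSN redundancy without a load balancer in words: the NAD tries its RADIUS servers in listed order and skips a server it has marked dead, and ISE node-group members issue CoA for sessions that were pending on a failed node. The following Cisco IOS-XE switch configuration is an added example of what that looks like on the NAD side; it is not configuration posted by either responder. The PSN addresses 10.10.1.11 and 10.10.1.12, the server and group names, VLAN 100, the probe username and the shared-secret placeholder are assumed values for one site.

```text
! Added example, not from the thread. Addresses, names, VLAN and the
! shared secret are placeholders for one site's two local PSNs.
aaa new-model
!
! Define both site-local PSNs. automate-tester sends a periodic test
! Access-Request so a dead PSN is detected, and later marked alive again,
! without waiting for a user authentication to time out.
radius server ISE-PSN-1
 address ipv4 10.10.1.11 auth-port 1812 acct-port 1813
 automate-tester username radius-probe probe-on
 key 0 REPLACE-WITH-SHARED-SECRET
radius server ISE-PSN-2
 address ipv4 10.10.1.12 auth-port 1812 acct-port 1813
 automate-tester username radius-probe probe-on
 key 0 REPLACE-WITH-SHARED-SECRET
!
! Mark a server dead after 3 unanswered requests within 10 seconds.
radius-server dead-criteria time 10 tries 3
!
! Ordered group: ISE-PSN-1 is tried first. ISE-PSN-2 receives requests
! only while ISE-PSN-1 is marked dead. deadtime keeps a dead server out
! of rotation for 15 minutes before it is probed again.
aaa group server radius ISE-SITE-A
 server name ISE-PSN-1
 server name ISE-PSN-2
 deadtime 15
 ip radius source-interface Vlan100
!
aaa authentication dot1x default group ISE-SITE-A
aaa authorization network default group ISE-SITE-A
aaa accounting dot1x default start-stop group ISE-SITE-A
aaa accounting update newinfo periodic 2880
!
! Accept CoA from both PSNs, so the surviving node-group member can
! reset sessions that were pending on the failed node.
aaa server radius dynamic-author
 client 10.10.1.11 server-key 0 REPLACE-WITH-SHARED-SECRET
 client 10.10.1.12 server-key 0 REPLACE-WITH-SHARED-SECRET
 auth-type any
!
! Last resort while both local PSNs are dead: put ports in a critical
! VLAN, and reinitialize them when a PSN answers again.
interface range GigabitEthernet1/0/1-48
 authentication event server dead action authorize vlan 100
 authentication event server alive action reinitialize
```

Two points worth checking on a real deployment. First, the probe account does not have to authenticate successfully; any RADIUS response, including an Access-Reject, counts as the server being alive, so use a dedicated account rather than a real user. Second, both PSNs must be configured in ISE as able to issue CoA to this switch, and the switch must accept CoA from both addresses (the dynamic-author clients above), otherwise the node-group failover described in the accepted answer cannot clear the pending sessions.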
