ISE for TACACS+ with HA

jifanizz
Cisco Employee

Hi,

I just need a confirmation regarding this very simple use case for ISE.   It's an SP that only requires TACACS+ functionality for device administration for 500 nodes with HA.

I added a single Device Administration license with 500 Base license and positioning the small version of the virtual appliance or physical appliance.

Now, for HA, do I simply double the licenses and appliances?  Is there a HA purchasing option for ISE?  No reference to this in the ordering guide.

Thanks!


ognyan.totev
Level 5

For HA you need a minimum of 2 admin nodes and 1 secondary node. For device administration you need the Device Admin license, which is not counted and is permanent:

Device Admin | Uncounted | Permanent

That is what you need for TACACS+, and it is installed on the primary admin node.

Hi,

Thanks for the response.  I'm just trying to translate this into a valid BoM that I could provide the client.  From what you say, I understand it as 3 nodes for HA.  Am I correct?

Historically with ACS, we needed two devices and the DB would sync between them.  Can't I replicate this with ISE? 

The configuration databases are synced on all ISE nodes in the same deployment. The sizing depends more on the rate of authentications. The minimum would be 2 all-in-one ISE nodes. Please review this Cisco Live session for details:

Designing ISE for Scale & High Availability - BRKSEC-3699

Craig Hyps, Principal Technical Marketing Engineer, Cisco Systems

Hi,

For ISE HA failover in a small deployment (only two ISE nodes, one in the DC and the other in the DR site):

  1. Is it true that the secondary node needs to be promoted manually when the primary node is down?
  2. In the case of device authentication, will the NAD automatically authenticate to the secondary when the primary goes down?


@manvik wrote:

Hi,

For ISE HA failover in a small deployment (only two ISE nodes, one in the DC and the other in the DR site):

  1. Is it true that the secondary node needs to be promoted manually when the primary node is down? - That's correct. You would need a third node to perform the health checks for automatic failover.

  2. In the case of device authentication, will the NAD automatically authenticate to the secondary when the primary goes down? - That's also correct; it will be based on the RADIUS/TACACS timeouts. You can set up a test authentication at regular intervals to test for any failure of the device's AAA server.
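The NAD-side behaviour described in this reply (the switch or router walks its TACACS+ server list on timeout, and a local fallback keeps device administration working if no ISE PSN answers) looks like the following IOS/IOS-XE AAA configuration. This is an added example written for this thread, not configuration from any of the posters or from Cisco; the server names, the RFC 5737 documentation addresses, the local username and the bracketed secrets are placeholders to be replaced.

```cisco
! Added example (not from the thread): a NAD using two ISE PSNs for TACACS+
! device administration, one in the DC and one in the DR site.
aaa new-model
!
! Each ISE PSN is a named TACACS+ server with its own timeout. The key is a
! placeholder; use the shared secret configured for this device in ISE.
tacacs server ISE-DC
 address ipv4 192.0.2.11
 key <SHARED-SECRET-PLACEHOLDER>
 timeout 5
!
tacacs server ISE-DR
 address ipv4 198.51.100.11
 key <SHARED-SECRET-PLACEHOLDER>
 timeout 5
!
! The group defines the order the NAD tries the servers in: the DC node
! first, then the DR node once the DC node has timed out.
aaa group server tacacs+ ISE-TACACS
 server name ISE-DC
 server name ISE-DR
!
! Method lists: the ISE group first, the local database only when neither
! PSN responds, so an ISE outage does not lock administrators out.
aaa authentication login default group ISE-TACACS local
aaa authorization exec default group ISE-TACACS local if-authenticated
aaa authorization commands 15 default group ISE-TACACS local if-authenticated
aaa accounting exec default start-stop group ISE-TACACS
aaa accounting commands 15 default start-stop group ISE-TACACS
!
! Local fallback account, used only when the whole ISE group is unreachable.
username admin-local privilege 15 secret <LOCAL-FALLBACK-PASSWORD-PLACEHOLDER>
```

With both servers in the group, a login during a DC outage waits up to the ISE-DC timeout before the NAD moves on to ISE-DR, so the per-server timeout sets the worst-case login delay rather than whether failover happens at all. The local fallback account should exist on every NAD and its use should be visible in the device logs, because any login through it means no PSN was reachable.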

 

Thank you @Aileron88 

1. If the NAD can authenticate to the secondary after a failure, what's the purpose of failover?

2. For automatic failover, is a third monitoring node with a Base license enough?


@manvik wrote:

Thank you @Aileron88 

1. If the NAD can authenticate to the secondary after a failure, what's the purpose of failover? - The failover is not for the PSN services such as RADIUS and TACACS authc/authz. The failover is for the administration services; whilst these services are down you won't be able to perform functions such as new guest authentication or posture.

2. For automatic failover, is a third monitoring node with a Base license enough? - The monitoring node can be a PSN, monitoring or pxGrid node (or a combination). Base licenses are consumed for features such as network access, guest access etc.; all you'd need to do for the automatic failover is make sure you have the appropriate VM-level licenses. One thing to note: if the administration nodes are in different DCs, the recommended design is to have a monitoring node for each admin node. Just to confirm too, when I say monitoring node, I don't mean it has to be a node running the monitoring persona (you can only have two of these); it's just a node that monitors the administration node(s).


 

Thank you @Aileron88 

Your answers are helping me understand a few things now. Can you help with the below too?

In DC-DR HA, when a NAD authenticates to the DR ISE IP, will it get authenticated?


@manvik wrote:

Thank you @Aileron88 

Your answers are helping me understand a few things now. Can you help with the below too?

In DC-DR HA, when a NAD authenticates to the DR ISE IP, will it get authenticated?

 

No problem, you're welcome. It will if it's running the PSN service.

 

Thanks
