ISE HA design

mpeeters
Cisco Employee

Reason:

This is an upgrade of 2 x old ACS in standalone mode that had EOS.

We propose 2 X ISE in HA mode for replacement.

My customer would like to minimize changes to other peer systems like the OTP server, AD, SMS…

My setup info:

  • 2 X ISE appliance --> SNS-3515-K9
  • Physically installed at two different locations
  • License purchased: only one set of the following
    • L-ISE-BSE-500=
    • L-ISE-BSE-1500=
    • L-ISE-TACACS=

Questions:

  1. Can I have the same IP address for both site ISEs in HA?

Example

Site-01- Primary ISE --> 10.10.10.1

Site-02- Primary ISE --> 10.10.10.1

  2. If both site ISEs have different IP addresses

Example

Site-01- Primary ISE --> 10.10.10.1

Site-02- Primary ISE --> 10.10.10.2

If my RADIUS client is set up with 10.10.10.2 as the 1st choice, is it possible to set up the ISE at 10.10.10.2 to reply to the request without involving 10.10.10.1 under normal conditions?

Actually, what I mean is for both ISEs to serve the RADIUS clients in an active-active state.

2 Replies

yalbikaw
Cisco Employee

Hello :)

I would encourage you to read chapter 18 of Cisco ISE for BYOD and Secure Unified Access, 2nd edition; it really dives into this kind of design.

Now, for ISE HA, each node will be independent but sharing the configuration.

There is no setup where a request comes to PSN1 and the response comes from PSN2, because each node will have its own session.

There is only one use case, which is called group node, and it's for a specific feature regarding redirect.

I will not talk much about it.

The main idea is to know that if you have two IPs, the availability will be considered from the network access device (NAD or NAS).

At the switch, ASA, etc. you can configure multiple PSNs, and if one of them fails the request will go to the other one, and so on.

You can change the order of them in the network devices to make sure you are utilizing both.

Of course you can use a load balancer if required; in this case you will share one VIP. There are some modifications you need to implement on the balancer to achieve it.

Let me know if you need more clarification.

Arne Bier
VIP

As @yalbikaw already said, you cannot have one PSN answer a RADIUS request but have another PSN answer the request. The request has to be handled by the same node. But in your case it doesn't matter which one, as long as Session Services is enabled on both.

ISE is not responsible for PSN high availability. Each PSN is a workhorse ready for action: use it, or don't use it. How you use it is entirely up to the NAS (or the load balancer). If there are only two PSNs, then make the NAS use PSN1 as primary and PSN2 as secondary. That is the simplest method. Or, put PSN1 and PSN2 behind a load balancer (and add a heap of complexity) and then configure a VIP (virtual IP) as the one and only RADIUS server in the NAS.

The third option would be to use Anycast; in that case you can have PSN 1 and PSN 2 have the same IP address. And then IP routing has to be set up to route the request from the NAS to its nearest PSN (based on Anycast routing).

BRKSEC-3699 on CiscoLive
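Worked switch-side configuration for the "let the NAS decide" option both replies describe: two PSNs with different IPs, each site listing its local PSN first so both nodes carry traffic, and dead-server detection so a failed PSN is skipped. This is an added example written for this thread, not configuration from any reply; IOS-XE syntax is assumed, the PSN addresses are the ones from the question, and the shared secret and probe username are placeholders.

```ios
! Added example for this thread (not from any reply). IOS-XE syntax
! is assumed; PSN addresses are those in the question; the shared
! secret and the test username are placeholders.
!
! --- Site-01 switch: local PSN (10.10.10.1) first, remote PSN second ---
aaa new-model
!
radius server ISE-PSN1
 address ipv4 10.10.10.1 auth-port 1812 acct-port 1813
 key <SHARED-SECRET-PLACEHOLDER>
 ! Periodic test authentication so a dead PSN is detected before a
 ! real user has to sit through the retries.
 automate-tester username <PROBE-USER-PLACEHOLDER> probe-on
!
radius server ISE-PSN2
 address ipv4 10.10.10.2 auth-port 1812 acct-port 1813
 key <SHARED-SECRET-PLACEHOLDER>
 automate-tester username <PROBE-USER-PLACEHOLDER> probe-on
!
! Server order inside the group is the failover order. Mark a server
! dead after 3 unanswered tries within 10 s, then skip it for 15 min.
radius-server dead-criteria time 10 tries 3
!
aaa group server radius ISE-GROUP
 server name ISE-PSN1
 server name ISE-PSN2
 deadtime 15
!
aaa authentication dot1x default group ISE-GROUP
aaa authorization network default group ISE-GROUP
aaa accounting dot1x default start-stop group ISE-GROUP
!
! --- Site-02 switch: identical, except the group lists its local PSN
! --- first. Both PSNs now serve traffic in normal operation (active-active
! --- from the NAS point of view; each session is still handled by one PSN).
aaa group server radius ISE-GROUP
 server name ISE-PSN2
 server name ISE-PSN1
 deadtime 15
```

Both PSNs must be registered as network devices in ISE with the same shared secret the switch uses, and the probe user should be an account that exists only for this purpose so its failed or successful test authentications are easy to filter out of the live logs.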