ISE - PAN's for Tacacs PSN's for Radius

ShaunGreen
Level 1

Has anyone any experience of the following?

Currently there are two ISE standalone servers being used for Tacacs for SSH access to switches.

The plan will be to install 3 new PSN's distributed globally and configure 802.1x NAC.

Is it possible to use the 3 PSN's just for Radius and then the two current devices that will be PAN and MnT for the tacacs requests?


Will the two current nodes have to be setup as PAN,MnT and PSN?

Or is it better to also use the regional PSN's for Tacacs as well as Radius? I'm not against this idea; the only thing I can think of is that I'll need to change the Tacacs configurations on the switches so they point to the regional PAN's instead of the current servers.

Interested to hear your advice.

Thanks,
Simon

Accepted Solution

Mike.Cifelli
VIP Alumni

Is it possible to use the 3 PSN's just for Radius and then the two current devices that will be PAN and MnT for the tacacs requests?

-Not without enabling the policy service persona on the two current devices, which it sounds like you already have configured this way.

Or is it better to also use the regional PSN's for Tacacs as well as Radius

-I personally would use the same PSNs for both T+ & radius requests.

Will the two current nodes have to be setup as PAN,MnT and PSN?

-It sounds like your future deployment/migration will fall under a medium deployment. You will want to separate the policy service persona from your PAN/MnT service-enabled nodes.

-Lastly, take a look at the following resources as they contain really good information relating to deployment/personas/scaling/etc.

Cisco ISE & NAC Resources - Cisco Community

HTH!


Thanks for the advice Mike, appreciate it.

We are only talking about 3000 endpoints (for Radius) and a couple of hundred network devices, but they are geographically separated.
Yep, currently the existing two devices are doing the T+ and Radius for wifi guest users.

Yeah, I like the idea of keeping the PAN's as PAN's and then having the PSN's do the T+ and Radius. It means a little re-configuration, but we are also setting up a DNAC (assurance), so it gives us an opportunity to put that to good use too.

Thanks again, Simon.
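The switch-side change Simon describes above (pointing both TACACS+ device administration and RADIUS 802.1X at the regional PSNs rather than at the PAN/MnT nodes) looks roughly like the IOS-XE AAA configuration below. This is an added example for the thread, not configuration from the original post or from Cisco; the server names, the 192.0.2.x addresses, the shared secrets and the local fallback account are placeholders, and the ISE-side network device entries (one per switch, with matching TACACS+ and RADIUS secrets) are assumed to exist.

```cisco
! Added example (not from the thread). Placeholders: 192.0.2.11/.12 are the
! nearest and next-nearest regional PSNs; <...> values must be replaced.
aaa new-model
!
! --- TACACS+ for SSH device administration, regional PSN first ---
tacacs server ISE-PSN1-TAC
 address ipv4 192.0.2.11
 key 0 <TACACS-SHARED-SECRET>
 timeout 5
tacacs server ISE-PSN2-TAC
 address ipv4 192.0.2.12
 key 0 <TACACS-SHARED-SECRET>
 timeout 5
!
aaa group server tacacs+ ISE-TACACS
 server name ISE-PSN1-TAC
 server name ISE-PSN2-TAC
!
! --- RADIUS for 802.1X / NAC, same PSNs, separate secret ---
radius server ISE-PSN1-RAD
 address ipv4 192.0.2.11 auth-port 1812 acct-port 1813
 key 0 <RADIUS-SHARED-SECRET>
 timeout 5
 retransmit 2
radius server ISE-PSN2-RAD
 address ipv4 192.0.2.12 auth-port 1812 acct-port 1813
 key 0 <RADIUS-SHARED-SECRET>
 timeout 5
 retransmit 2
!
aaa group server radius ISE-RADIUS
 server name ISE-PSN1-RAD
 server name ISE-PSN2-RAD
!
! Device admin: ISE first; the local account is used only when every
! PSN in the group is unreachable, so a PSN outage does not lock you out.
aaa authentication login default group ISE-TACACS local
aaa authorization exec default group ISE-TACACS local if-authenticated
aaa authorization commands 15 default group ISE-TACACS local if-authenticated
aaa accounting exec default start-stop group ISE-TACACS
aaa accounting commands 15 default start-stop group ISE-TACACS
!
! Endpoint NAC: RADIUS group only (no local fallback for dot1x)
aaa authentication dot1x default group ISE-RADIUS
aaa authorization network default group ISE-RADIUS
aaa accounting dot1x default start-stop group ISE-RADIUS
dot1x system-auth-control
!
! Local fallback account (placeholder secret), SSH-only management plane
username admin-local privilege 15 secret <LOCAL-FALLBACK-PASSWORD>
line vty 0 4
 transport input ssh
```

Two things worth keeping straight when migrating: the old PAN/MnT addresses should be removed from the server groups only after `show aaa servers` and `show tacacs` confirm the regional PSNs are answering, and the policy service persona is then disabled on the PAN/MnT nodes in ISE (Administration > System > Deployment) so that, as Mike suggests, those nodes no longer process any T+ or RADIUS requests. Using different shared secrets for TACACS+ and RADIUS, and a different secret per region, limits the blast radius if a switch configuration is ever exposed.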