867 Views | 0 Helpful | 4 Replies

ISE Policy Node deployment

bgl-group
Level 1

We are building a new site in a test lab in one of our current buildings.
The test lab is able to access most of the rest of the network (some remote sites are not accessible).

I want to configure an ISE policy node in this site. I don't think this will cause an issue, but I wanted to check first, so...

1st question
If I join this unit to the ISE deployment, it will be able to see the admin and monitoring nodes but not some of the remote policy nodes. Would this cause a problem for it?

2nd question
The bigger problem might be with the AD integration: does the policy node talk to the DCs, or is that all handled via the admin nodes?

Thanks

Giles Cooper

1 Accepted Solution (repeated in the thread below)

4 Replies

Rahul Govindan
VIP Alumni

1) PSNs talk to each other when they are part of a node group. If they are not, they do not need to communicate with each other, as far as I can remember.

2) PSNs do talk to the AD, so this communication needs to be there.

The entire port and communication reference for all nodes is available here:

http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/installation_guide/b_ise_InstallationGuide20/Cisco_SNS_3400_Series_Appliance_Ports_Reference.html

Thanks for that.

So if a PSN can see all of the DCs apart from two, and it doesn't get a response, will it try another one?

If it is a bit slower, then I don't really mind, as it will be a temporary fix.

Yes, it will fail over to another DC if it is not able to talk to its assigned one. I believe when you set up AD integration, it automatically assigns a DC from the domain based on the initial response, so the new PSN should talk only to the DC it can reach (and is closest to).

More info on that here:

http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/ise_active_directory_integration/b_ISE_AD_integration_20.pdf
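The two replies above come down to one practical check before joining the lab PSN: from the host that will become the PSN, which domain controllers can it actually reach on the ports a PSN needs? The script below is an added example written for this thread, not code from Cisco or from either poster. It probes each DC on the TCP ports ISE uses toward AD (Kerberos 88, LDAP 389, SMB 445, Global Catalog 3268). That port set is my assumption from Cisco's AD integration documentation, so verify it against the ports reference linked earlier in the thread; UDP services (DNS 53, NTP 123, Kerberos/LDAP over UDP) are not probed. The list of DC hostnames is passed in by hand (for example, the output of an SRV lookup for `_ldap._tcp.dc._msdcs.<domain>`), and the `open_local_listener` helper is only a constructed stand-in for a DC so the demo runs offline.

```python
"""Pre-join reachability check for an ISE Policy Service Node (PSN).

Added example (not from the Cisco thread). Run it on the host that will
become the PSN to see which DCs it can reach on every required TCP port.
The AD_TCP_PORTS table is an assumption taken from Cisco's ISE AD
integration port requirements; confirm it against the official ports
reference before relying on it. UDP ports are not checked.
"""
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, List, Tuple

# Assumed TCP ports a PSN needs toward each domain controller.
AD_TCP_PORTS: Dict[str, int] = {
    "kerberos": 88,
    "ldap": 389,
    "smb": 445,
    "global_catalog": 3268,
}


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP handshake to host:port completes within timeout.

    A refused or filtered port (ACL, firewall, missing route) returns False.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_dc(host: str, ports: Dict[str, int] = AD_TCP_PORTS,
             timeout: float = 2.0) -> Dict[str, bool]:
    """Probe every required port on one DC; returns {service: reachable}."""
    return {name: tcp_reachable(host, port, timeout) for name, port in ports.items()}


def classify_dcs(dcs: List[str], ports: Dict[str, int] = AD_TCP_PORTS,
                 timeout: float = 2.0, workers: int = 8) -> Tuple[List[str], List[str]]:
    """Split DCs into (fully reachable, unusable).

    A DC with any required port blocked is treated as unusable: a PSN that
    can do LDAP but not Kerberos (or vice versa) against a DC will still
    fail authentications, so partial reachability counts as failure here.
    Order of the input list is preserved in both outputs.
    """
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda h: (h, check_dc(h, ports, timeout)), dcs))
    reachable = [h for h, r in results if all(r.values())]
    unusable = [h for h, r in results if not all(r.values())]
    return reachable, unusable


def open_local_listener() -> Tuple[socket.socket, int]:
    """Constructed stand-in for a DC: a listening socket on an ephemeral port.

    Only used so the example can be run offline; returns (socket, port).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Offline demo: one "DC" that answers on the LDAP stand-in port and one
    # whose SMB stand-in port is closed, mirroring "can see all DCs but two".
    live, live_port = open_local_listener()
    closed, closed_port = open_local_listener()
    closed.close()  # nothing listens here any more -> connection refused
    demo_ports = {"ldap": live_port, "smb": closed_port}
    ok, bad = classify_dcs(["127.0.0.1"], ports=demo_ports, timeout=1.0)
    print("fully reachable:", ok)
    print("unusable (at least one port blocked):", bad)
    live.close()
```

In the lab case from the post, feed `classify_dcs` the full DC list for the domain; the DCs that land in the second list are the ones the PSN could be assigned to and then have to fail over from, so if they are the only DCs in the PSN's AD site, fix the reachability (or the site mapping) before joining rather than relying on the failover timers.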

Thanks very much for your help.

Giles