ISE PSN License

creserva1
Level 1

We currently have ISE 1 and ISE 2 in deployment and it is our inside firewall. I am thinking of adding an additional standalone ISE3 PSN dedicated to the DMZ zone for guests that are going to be anchored to that zone. It is going to be used strictly for sponsored CWA.

A base license and endpoint licenses, like if we want to support 100-500 endpoints for guests, is what I need, correct?

Accepted Solution

Also, you need to clarify what exactly you're trying to do. It sounds like you want to stand up a separate ISE deployment for guests only? That's fine; customers do that for total isolation. I would recommend a standalone HA deployment (small) for that.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/install_guide/b_ise_InstallationGuide24/b_ise_InstallationGuide24_chapter_00.html

Otherwise, like Tim said, please look at the guest deployment guide for PSN interface options:
https://community.cisco.com/t5/security-documents/ise-guest-access-deployment-guide/ta-p/3640475

That would need base licenses for guests, and it all depends on how many you anticipate (I would recommend looking at the ordering guide as well).
https://www.cisco.com/c/dam/en/us/products/collateral/security/identity-services-engine/guide_c07-656177.pdf

5 Replies

Timothy Abbott
Cisco Employee
Instead of standing up another PSN, why not use one of the existing PSNs and put one of the interfaces in the DMZ VLAN? ISE PSNs do not route traffic between interfaces and can serve up the portal on that interface.

Regards,
Tim


This is exactly what we have now. We have two interfaces on our virtual primary ISE; one is inside and the other is in the DMZ, where it responds on 8443 with the CWA portal for guest authentication/authorization. It works great and we think it is perfect.

I am trying to convince my boss to purchase it just for the sake of isolation: a standalone ISE in the DMZ zone. This includes me gathering how much it would cost and the required licenses.

Does the standalone ISE 3 need to talk to ISE 1 and ISE 2 from the DMZ to the inside for any data?

A standalone ISE deployment is totally separate and doesn't talk to the inside at all, unless you want it to do something internal ☺ It might be unnecessary, as the system is secure. However, if you have requirements for total isolation, then that's fine.

Another nice thing about a separate deployment is that you can update it separately from the internal one if needed for fixes or features down the road.

I would recommend talking to sales about what you should be purchasing as well, so they can help design it and get the right support and licenses.

Got it. How do you handle the management on that ISE? What would be the best practice or ideal way of managing an isolated ISE?