ISE Sizing and deployment mode

llomjaria
Level 1

Hello,

I am working on a project involving ISE design and sizing, and I'd greatly appreciate your insights on a few specific aspects.

Our customer operates two data centers – one in the same country (country A) and another in a different country. All their servers, including Active Directory, are hosted in these data centers. The data centers are interconnected via a site-to-site VPN. Additionally, the customer has two central offices in Country A and approximately 30+ branches. Each branch connects to the data centers using site-to-site VPN, but these connections often experience instability.

Given this setup, I have a few queries:

  1. Maximum Latency for PSN and Active Directory Communication: What is the acceptable maximum latency for Policy Service Nodes (PSN) and Active Directory communication in such an environment? (In case of Large deployment and placing PSN in each branch)

  2. Deployment Mode Factors: When choosing a deployment mode for ISE, what are the key factors to consider in this scenario, especially considering the unstable VPN connections and the geographical dispersion of data centers and branches?

  3. Implementation for Various Services: The customer intends to deploy ISE for a range of services including 802.1X, BYOD, guest access, posture compliance, and device administration. Are there specific considerations or recommendations for such a diverse range of services in a distributed environment like this?

Number of endpoints ~ 10000


6 Replies

balaji.bandi
Hall of Fame

Thank you for the quick response!
I have already read this, but there is no answer to the questions I asked (especially questions 1 and 2).

if you look at the document, there is some information related to latency information.

Check some Live presentations as an example (if you have Live access):

https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2020/pdf/BRKSEC-3432.pdf

I also suggest contacting a local partner for big deployments, since they have learned lessons from your region and can suggest anything you are missing. (Nowadays latency is good due to bigger links, fibre, and MPLS / VPLS.)

BB

Arne Bier
VIP

Regarding point 3, putting the PSNs as close as possible to the Network devices that use those services is recommended. The Active Directory deployment should use Sites and Services to allow the PSN to connect to the preferred Domain Controllers for resilience.

And then there are failure scenarios - the NADs should have a Primary and Secondary RADIUS/TACACS server configured. If both options were to fail, then at least with wired MAB/802.1X you can implement IBNS 2.0 Policies to keep existing switch sessions alive until one PSN is back again. Any new wired connections would land in the Critical Auth VLAN/dACL - which implies that it's not really a good idea to perform dynamic VLAN assignment - rather hard code the VLANs per access interface, and just return a dACL.

If you have latency then you want to make the 802.1X conversations as short and sweet as possible - therefore also consider enabling the EAP Session Resume and Fast Reconnect features to cut down on the EAP negotiations within a set time. This probably helps most in wireless scenarios because endpoints perform 802.1X every time they roam (unless some clever wireless tricks are used to improve that too). In other words, make lighter work for your PSNs by spotting chatty traffic and finding strategies to reduce that. Accounting Interim-Updates every 1440 minutes, etc. You might also be surprised how many devices are misbehaving on the network without the user knowing about it (bad device drivers or firmware in docks causing constant re-auths etc.) - eliminate those as well, and you'll improve the responsiveness of the PSNs to do real work.

Thank you for the helpful information!

I just need to clarify one more thing: maximum latency for PSN and Active Directory communication?

I cannot find documented information about accepted PSN to AD latency.

Arne Bier
VIP

I was looking in the ISE Alarm configurations, as well as in the AD Health Checks for any mention of latency thresholds. But I could not find any reference. Neither in the ISE Admin Guide. I think that ISE can't really impose an "accepted" latency for things like this because it's quite valid to have some long latencies from time to time. If the AD server is getting hammered, then ISE has to be a bit more patient, and I don't believe it will simply "give up" on the AD lookup in progress. I have never seen this. 


One way to test for yourself would be to set up ISE in the lab and then impose an artificial latency on the link between PSN and the AD (GNS3 has this).

Slow AD lookups can be a combination of slow DNS, as well as all the various TCP connections to the Domain Controller/Global Catalog etc. This will of course have an impact on the total authentication time for the endpoint, and if AD lookups are super slow (e.g. multiple seconds) then the cumulative latency experienced on the NAS might cause it to think ISE has failed to reply, and then try another RADIUS server in its Group. That would be bad news. Hence why Cisco recommends making RADIUS timeouts 5 seconds (generally) and not 2 seconds.
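Added example, not from any poster in this thread: a small Python probe, run from a host on the PSN's network segment, that times the individual steps described above (DNS resolution of the DC, then the TCP handshakes to the LDAP, Global Catalog, Kerberos and SMB ports) and compares their sum against the NAS RADIUS timeout. The port list, the 2 s per-connect timeout and the 5 s RADIUS timeout are assumptions; the sum is only a floor for the real lookup time, since binds and queries add on top.

```python
import socket
import time

# Ports a PSN reaches on a Domain Controller once joined to AD.
# Assumed list for this example: LDAP, Global Catalog, Kerberos, SMB.
DC_PORTS = {"ldap": 389, "gc": 3268, "kerberos": 88, "smb": 445}


def measure_dns(hostname):
    """Return (ip, seconds) for resolving the DC name; ip is None on failure."""
    start = time.perf_counter()
    try:
        ip = socket.gethostbyname(hostname)
    except socket.gaierror:
        ip = None
    return ip, time.perf_counter() - start


def measure_tcp_connect(ip, port, timeout=2.0):
    """Return seconds for a TCP handshake to ip:port, or None if refused/timed out."""
    start = time.perf_counter()
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return time.perf_counter() - start
    except OSError:
        return None


def probe_dc(hostname, ports=DC_PORTS, timeout=2.0):
    """Time DNS plus every DC service port; returns {step: seconds or None}."""
    ip, dns_time = measure_dns(hostname)
    results = {"dns": dns_time}
    for name, port in ports.items():
        results[name] = measure_tcp_connect(ip, port, timeout) if ip else None
    return results


def compare_to_radius_timeout(results, radius_timeout=5.0):
    """Sum the measured steps (a floor for the AD lookup) against the NAS timeout.

    Returns (total_seconds, failed_steps, fits_in_timeout)."""
    total = sum(v for v in results.values() if v is not None)
    failed = [k for k, v in results.items() if v is None]
    return total, failed, total < radius_timeout


def open_local_listener():
    """Constructed stand-in for a DC port on 127.0.0.1, for self-testing the probe."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]
```

In a lab, run `probe_dc("dc01.example.local")` before and after adding delay with GNS3 (or similar) to see which step dominates and whether the floor already approaches the 2 s that a short NAS timeout would allow.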