ISE tacacs+ in distributed environment

vaibhgupta157
Level 1

Hi All,

I want to have a distributed deployment of ISE using two physical servers with one Device Administration license. I am going to load balance TACACS+ and RADIUS requests between the primary and secondary ISE nodes by configuring half of the devices to point to the primary and half to the secondary.

Can someone confirm whether the secondary ISE can also respond to TACACS+ requests with the same license?

Accepted Solution

agrissimanis
Level 1

The concept of Primary and Secondary applies to the Administration and Monitoring personas, not to the Policy Service persona, which is actually the one that responds to the RADIUS and TACACS requests.

The Policy Service personas do not use any kind of primary/secondary style failover. If one goes offline, it is up to the network device to detect the failure and switch to using a different ISE node.

The Device Administration licence is per deployment, so yes, all nodes with the Policy Service persona enabled will serve TACACS requests, if configured to do so.
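The failover described in this answer happens on the network device, not in ISE. As an added example that is not part of this thread, here is a Cisco IOS-XE AAA configuration that points a switch at two Policy Service Nodes through one TACACS+ server group; the hostnames ISE-PSN-1/ISE-PSN-2, the 192.0.2.x addresses, the loopback interface and the shared key are placeholders. The device tries the servers in the order they are listed in the group, so reversing the two `server name` lines on the other half of the fleet gives the split the original post asks for, while every device still falls back to the remaining PSN and then to a local account if both PSNs are unreachable.

```ios
! Added example, not from the thread. Hostnames, addresses and secrets are placeholders.
aaa new-model
!
! Each PSN is defined once; both run the Policy Service persona with Device Admin enabled.
tacacs server ISE-PSN-1
 address ipv4 192.0.2.11
 key 0 PLACEHOLDER-SHARED-SECRET
 timeout 5
!
tacacs server ISE-PSN-2
 address ipv4 192.0.2.12
 key 0 PLACEHOLDER-SHARED-SECRET
 timeout 5
!
! The group defines the order the device tries the PSNs in. On the other half of the
! fleet, list ISE-PSN-2 first to spread load while keeping the other PSN as fallback.
aaa group server tacacs+ ISE-TACACS
 server name ISE-PSN-1
 server name ISE-PSN-2
!
! Method lists: try the TACACS+ group first, then fall back to the local database
! so the device stays manageable if both PSNs are down.
aaa authentication login default group ISE-TACACS local
aaa authentication enable default group ISE-TACACS enable
aaa authorization exec default group ISE-TACACS local if-authenticated
aaa authorization commands 15 default group ISE-TACACS local if-authenticated
aaa accounting exec default start-stop group ISE-TACACS
aaa accounting commands 15 default start-stop group ISE-TACACS
!
! Source TACACS+ traffic from a stable address that matches the device entry in ISE.
ip tacacs source-interface Loopback0
!
! Local fallback account used only when no PSN answers (placeholder credentials).
username localadmin privilege 15 secret PLACEHOLDER-LOCAL-PASSWORD
```

After applying this, `show tacacs` on the device lists both servers with their request and failure counters, which is the quickest way to confirm that the device really is reaching the PSN it is supposed to prefer and that the second server only sees traffic when the first times out.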

5 Replies

I am self-admittedly not an ISE expert so with that, I have a question about AAA authentication.  Currently all of our switches and network equipment are pointing to tacacs server ISE-PRIMARY which is our Primary Monitoring Node.  From what I understand, the "Monitoring Node" doesn't provide TACACS authentication services.  Just wondering how this is working but it indeed does.  My goal is to point AAA authentication for my network devices to our local Policy Services Node.  Any help would be appreciated.

TACACS is just a persona that can be enabled on any ISE node. All roles can run on any node, but that's not necessarily aligned with best practices. It comes down to how the deployment was designed: standalone, hybrid, or distributed.

If you only have two nodes then you are running a standalone deployment and it is ok to have device admin running with the MnTs.

If you navigate to this page, you can enable/disable personas; you will also see DEVICE ADMIN listed in the services column. DEVICE ADMIN indicates that the node has tacacs enabled.
https://<ise primary ip>/admin/#administration/administration_system/administration_system_deployment

ajc
Level 7

Based on my understanding, you need a different license for TACACS on ISE. In fact, I would suggest ISE 2.3 for TACACS services because there are some details supported on this version and NOT on the previous ones.

It is important to mention that you can assign 2 entries (serial numbers) to the same license, so in case the primary PAN fails the secondary can be promoted and no issues with the licensing part would happen. I mean, the license would have the serial numbers of the Primary and Secondary PAN attached.

ajc
Level 7

One more detail. To enable TACACS on ISE, check the following box.

[image: TACACS.png]
