ISE tacacs+ in distributed environment

Hi All,

 

I want to have a distributed deployment of ISE using two physical server with one Device Administration license. I am going to load balance TACACS+ and RADIUS requests between primary and secondary ISE nodes by configuring half of the devices to primary and half to secondary. 

 

Can someone confirm whether secondary ISE can also respond to TACACS+ requests with same license?

 

1 ACCEPTED SOLUTION

Re: ISE tacacs+ in distributed environment

The concept of Primary and Secondary applies to Administration and Monitoring personas, not to the Policy services persona, which will actually be the one that responds to the RADIUS and TACACS requests.

The Policy Services personas do not use any kind of primary/secondary style failover. If one goes offline, it is up to the network device to detect the failure and switch to using different ISE node.

The Device Administration licence is per deployment, so yes, all nodes with Policy Service persona enabled will serve TACACS requests, if configured to do so.

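The failover behaviour described above (the network device, not ISE, must detect a dead Policy Service Node and move to the next one) as an added example that is not part of the original thread or of Cisco's documentation: a Cisco IOS/IOS-XE AAA configuration that points one switch at both PSNs. The server names, the addresses 10.0.0.11 and 10.0.0.12, the source interface and the shared secret are placeholders I have assumed; replace them with your own.

```cisco
! Added example, not from the original thread. Names, addresses and key are placeholders.
aaa new-model
!
! Define both PSNs as TACACS+ servers. Each must have Device Admin service
! enabled on its node and the switch must be a Network Device in ISE with
! TACACS+ settings and the same shared secret.
tacacs server ISE-PSN-1
 address ipv4 10.0.0.11
 key 0 REPLACE-WITH-SHARED-SECRET
 timeout 5
tacacs server ISE-PSN-2
 address ipv4 10.0.0.12
 key 0 REPLACE-WITH-SHARED-SECRET
 timeout 5
!
! Servers are tried in the order listed; a request moves to the next server
! once the per-server timeout expires with no reply. To spread load as the
! original post intends, list ISE-PSN-2 first in this group on the other half
! of the devices.
aaa group server tacacs+ ISE-TACACS
 server name ISE-PSN-1
 server name ISE-PSN-2
!
! Source requests from the address ISE knows as this network device.
ip tacacs source-interface Loopback0
!
! TACACS+ for login, enable, exec and command authorization, with local fallback
! used only when no server in the group answers (a reject from ISE is final).
! Keep a local admin account with a strong password for that case.
aaa authentication login default group ISE-TACACS local
aaa authentication enable default group ISE-TACACS enable
aaa authorization exec default group ISE-TACACS local
aaa authorization commands 15 default group ISE-TACACS local
aaa authorization config-commands
aaa accounting exec default start-stop group ISE-TACACS
aaa accounting commands 15 default start-stop group ISE-TACACS
!
line vty 0 4
 login authentication default
 authorization exec default
 authorization commands 15 default
 accounting commands 15 default
```

To check that both nodes answer before cutting over, run `test aaa group ISE-TACACS <user> <password> legacy` from the switch while each PSN in turn is reachable, and confirm the attempts in Operations > TACACS Live Logs on ISE; `show tacacs` shows per-server request and timeout counters, which is where a PSN that is silently timing out shows up first.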
5 REPLIES


Re: ISE tacacs+ in distributed environment

I am self-admittedly not an ISE expert so with that, I have a question about AAA authentication.  Currently all of our switches and network equipment are pointing to tacacs server ISE-PRIMARY which is our Primary Monitoring Node.  From what I understand, the "Monitoring Node" doesn't provide TACACS authentication services.  Just wondering how this is working but it indeed does.  My goal is to point AAA authentication for my network devices to our local Policy Services Node.  Any help would be appreciated.


Re: ISE tacacs+ in distributed environment

TACACS is just a persona that can be enabled on any ISE node.  All roles can run on any node, but that's not necessarily aligned with best practices.  It comes down to how the deployment was designed, standalone, hybrid, or distributed.  

 

If you only have two nodes then you are running a standalone deployment and it is ok to have device admin running with the mnts.

If you navigate to this page you can enable/disable personas; you will also see DEVICE ADMIN listed in the Services column. DEVICE ADMIN indicates that the node has TACACS enabled.
https://<ise primary ip>/admin/#administration/administration_system/administration_system_deployment


Re: ISE tacacs+ in distributed environment

Based on my understanding, you need a different license for TACACS on ISE. In fact, I would suggest ISE 2.3 for TACACS services because there are some details supported in this version and NOT in the previous ones.

 

Important to mention that you can assign 2 entries (serial numbers) to the same license, so in case the primary PAN fails, the secondary can be promoted and no issues with the licensing part would happen. I mean, the license would have the serial numbers of the Primary and Secondary PAN attached.


Re: ISE tacacs+ in distributed environment

One more detail. To enable TACACS on ISE, check the following box.

 

[Screenshot: TACACS.png]