PSN Identity Source (and Licenses) in a Distributed Environment.

ADEDEJDA
Level 1

1. I have a requirement to implement a wired/wireless NAC solution targeted at device end entities or IP devices. This will comprise Workstations and IP Phones that are often attached to / detached from the network. Cisco ISE will be integrated with other security sources, e.g. SIEM.

2. The target end entity devices are part of a mobile equipment package (comprising Servers & Network equipment) which may be on the move at any time, anywhere. The target Workstations & IP Phones are connected to an Access Switch/Access Point also within the mobile equipment package.

3. There are more than 30 units of this mobile equipment package. The mobile equipment package must be able to operate autonomously while still being manageable centrally from a static Data Centre location.

4. The PSN will be deployed to a mobile equipment package which communicates over very limited bandwidth (GPRS - 2G) to a static Data Centre location hosting the PAN (in an HA setup), while also being expected to operate in a disconnected state (no network connectivity between PAN & PSN).


Having explored these two articles:
(i) -- https://community.cisco.com/t5/network-access-control/when-psn-looses-connection-to-both-pan/m-p/3750603#M488127

(ii) -- https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/admin_guide/b_ise_admin_guide_20/b_ise_admin_guide_20_chapter_010.html#ID59


I have two questions regarding licensing, and distributed identity sources.
A. If the identity source(s) is not centralized, and each PSN has its own identity source (a local Domain Controller) hosted on each mobile equipment package, will this solution work?

B. Can Passive Identity Service be enabled per local Domain Controller? Ideally, we want active authentication to the local DC.

C. The same constraints apply to licensing: will the PSN continue to work if it is disconnected from the PAN for up to 72 hours?


Accepted Solution

Damien Miller
VIP Alumni

I have two questions regarding licensing, and distributed identity sources.
A. If the identity source(s) is not centralized, and each PSN has its own identity source (a local Domain Controller) hosted on each mobile equipment package, will this solution work?

  • If this works for the identity source, then yes, ISE will treat it the same. The other option is to use ISE as the identity source, but that would require maintaining static lists in ISE itself.


B. Can Passive Identity Service be enabled per local Domain Controller? Ideally, we want active authentication to the local DC.

  • If you want active authentication then you should be looking at 802.1X/MAB versus passive ID.

C. The same constraints apply to licensing: will the PSN continue to work if it is disconnected from the PAN for up to 72 hours?

  • There won't be a licensing issue here, but I would strongly recommend deploying PSNs to networks that will have disconnects as you describe. While ISE can sustain network outages, the product is not designed to be disconnected from the PAN under ordinary circumstances. An ISE PSN that is disconnected for more than 24 hours or a million replication messages will have to be manually re-synced to the deployment upon establishing network connectivity again. This is a survivability feature in which not all features are available; I wouldn't design ISE this way.
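As an added illustration (not from the original thread) of the two limits the answer cites, 24 hours of disconnection or one million replication messages: a planning check that takes each mobile package's expected PAN reachability windows over the GPRS link and flags the PSNs that would need a manual re-sync. The 72 h horizon, the reachability schedule and the replication message rate are constructed assumptions, not values ISE reports.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Limits quoted in the accepted answer. The replication message rate is an
# assumed planning input for a mobile package, not a value ISE reports.
MAX_DISCONNECT = timedelta(hours=24)
MAX_PENDING_MSGS = 1_000_000


@dataclass
class Window:
    """Interval during which a mobile package's PSN can reach the PAN."""
    start: datetime
    end: datetime


def merge_windows(windows):
    """Sort and merge overlapping or touching reachability windows."""
    merged = []
    for w in sorted(windows, key=lambda w: w.start):
        if merged and w.start <= merged[-1].end:
            merged[-1] = Window(merged[-1].start, max(merged[-1].end, w.end))
        else:
            merged.append(Window(w.start, w.end))
    return merged


def resync_risk(windows, horizon_start, horizon_end, msgs_per_hour):
    """Return (longest_gap, pending_msgs, needs_manual_resync) for one PSN:
    longest stretch without PAN reachability vs. 24 h, and the replication
    messages queued for the PSN during that stretch vs. one million."""
    longest, cursor = timedelta(0), horizon_start
    for w in merge_windows(windows):
        if w.start > cursor:
            longest = max(longest, w.start - cursor)
        cursor = max(cursor, w.end)
    if horizon_end > cursor:            # still disconnected at end of horizon
        longest = max(longest, horizon_end - cursor)
    pending = int(longest.total_seconds() / 3600 * msgs_per_hour)
    return longest, pending, longest > MAX_DISCONNECT or pending > MAX_PENDING_MSGS


# Constructed 72 h GPRS reachability schedule for three mobile packages.
T0, T1 = datetime(2024, 1, 1), datetime(2024, 1, 4)
def H(h): return T0 + timedelta(hours=h)
FLEET = {
    "unit-01": [Window(H(0), H(6)), Window(H(7), H(8.5)), Window(H(8), H(9)),
                Window(H(36), H(37)), Window(H(70), H(72))],
    "unit-02": [Window(H(12 * i), H(12 * i + 1)) for i in range(6)],
    "unit-03": [],                      # never reached the PAN
}
```

Running `resync_risk(FLEET[name], T0, T1, 1_000)` per unit flags unit-01 (33 h gap) and unit-03 (72 h gap) by the time limit; unit-02 stays within limits at 1,000 messages/hour but trips the message limit at 100,000/hour.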
