[Q] Best Practice Guide - ISE PSN - Centralized vs. Distributed

Jonathan Grim
Cisco Employee

Looking for a best practice or reference guide to share with a customer regarding centralized vs. distributed PSNs.  The closest guidance that I've found is from the Cisco ISE For BYOD And Secure Unified Access book.  Thank you!

Accepted Solutions

Jason Kunst
Cisco Employee
The only guide would be the Performance and Scale Cisco Live by Craig Hyps?
https://community.cisco.com/t5/security-documents/ise-training/ta-p/3619944#toc-hId-1281981443
BRKSEC-3699


Arne Bier
VIP

The BRKSEC-3699 tells you a lot about the HOW but not so much about the WHY. It's an excellent resource and one should probably re-read that every quarter or so because it's so dense with knowledge.

I would be interested to hear what your opinions are so far about this topic.

I think that the only reason to distribute the PSNs would be to reduce latency, especially if you need to cover a wide geography and your authentication latency will kill the user experience. We only have 50 PSNs per deployment and that doesn't lend itself to sprinkling PSNs to all branch sites (let's imagine you had 2000 branches worldwide). So I think what Cisco IT did was to place PSNs in each continent (there are CiscoLive presos on this) and that takes care of the latency. But the logging all comes back to the MnT nodes. So it's not a completely distributed concept. Contrast this with Microsoft's NPS server which runs for free in every Windows Server. You can enable NPS in all of your 2000 branches and get a completely distributed architecture (edge computing).

However, that concept also has its drawbacks (no central pane of glass for management, and of course NPS is not as feature-rich as ISE). But does every organisation need such a big hammer as ISE? Maybe not. If you just need a speedy 802.1X authentication server then NPS will probably be sufficient. Not to pick on NPS today, but the management will rear its ugly head and you'll wish you had deployed something like ISE.

OK, that was some thoughts on distributed. What about centralised? Centralised makes much more sense to me if you need massive scale but in a geography that can handle the auth latencies (e.g. max 100ms round trip). Centralised PSNs behind a clever load balancer solution ensure that you get the best bang for the buck. You don't want those servers sitting idle scattered all over the country when you can instruct a load balancer to milk them for what it's worth. And you might end up needing fewer PSNs than in the distributed architecture. Also, in a centralised solution you might be able to leverage the economies of scale of your virtualisation environment.

I have not yet read the book you mentioned (I probably ought to) but these are just some thoughts off the top of my head.


4 Replies


@Arne Bier well said!

Very informative! Nice write up.

 

I'd just add that if you are going for a centralized approach, you should make sure that your sizing includes a number of "spare" PSNs so that even if you lose 1 or 2 the rest of the PSNs can manage to pick up the slack without it being detrimental to your demands. Let's say that at worst case, including future sizing, you'd need 45 PSNs at least to be available; then have at least 47 PSNs (preferably more) installed. With a centralized approach you definitely get better bang for your buck and you need to use fewer servers to ensure the same MTBF as a distributed deployment.
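As an added illustration of the two sizing arguments made in this thread (the round-trip latency budget for a centralised PSN cluster, and the N+k "spare" PSNs in the reply above), here is a small Python planning helper. It is not from the thread, from Cisco, or from BRKSEC-3699; the per-PSN authentication rate, the number of RADIUS round trips per 802.1X authentication and the site figures are constructed assumptions for the example, while the 50-PSN-per-deployment ceiling and the 45-required / 47-installed example are the figures quoted above.

```python
"""Centralised ISE PSN sizing sketch: RTT budget per site plus N+k spare capacity.

Added example. All capacity and latency figures below are constructed
assumptions; substitute the numbers from Cisco's sizing guidance for real work.
"""
import math
from dataclasses import dataclass
from typing import Dict, List

# Figure quoted in the thread: PSNs per ISE deployment.
MAX_PSNS_PER_DEPLOYMENT = 50

# Assumption: one 802.1X/EAP authentication costs several RADIUS
# request/response round trips (the exact count depends on EAP method and
# certificate fragmentation), so per-auth latency scales with RTT.
ASSUMED_RADIUS_ROUND_TRIPS = 10


@dataclass(frozen=True)
class Site:
    name: str
    rtt_ms: float              # NAS-to-PSN-cluster round-trip time
    peak_auths_per_sec: float  # expected peak authentication rate from this site


def auth_latency_ms(rtt_ms: float, radius_round_trips: int = ASSUMED_RADIUS_ROUND_TRIPS) -> float:
    """Rough wall-clock cost of one authentication given the network RTT."""
    return rtt_ms * radius_round_trips


def sites_over_rtt_budget(sites: List[Site], budget_ms: float) -> List[str]:
    """Names of sites whose RTT to the central cluster exceeds the budget.

    These are the candidates for a regional PSN rather than the central pool.
    """
    return [s.name for s in sites if s.rtt_ms > budget_ms]


def psns_required(total_auths_per_sec: float, per_psn_auths_per_sec: float, spares: int) -> int:
    """Minimum PSNs to carry the peak load, plus k spares for N+k redundancy."""
    if per_psn_auths_per_sec <= 0:
        raise ValueError("per-PSN capacity must be positive")
    base = math.ceil(total_auths_per_sec / per_psn_auths_per_sec)
    return base + spares


def survives_failures(n_installed: int, n_failed: int,
                      total_auths_per_sec: float, per_psn_auths_per_sec: float) -> bool:
    """True if the PSNs left after n_failed outages still cover the peak load."""
    remaining = n_installed - n_failed
    return remaining > 0 and remaining * per_psn_auths_per_sec >= total_auths_per_sec


def within_deployment_limit(n_installed: int) -> bool:
    return n_installed <= MAX_PSNS_PER_DEPLOYMENT


def plan(sites: List[Site], per_psn_auths_per_sec: float,
         spares: int, rtt_budget_ms: float) -> Dict[str, object]:
    """Summarise a centralised design: node count, failure tolerance, RTT outliers."""
    total = sum(s.peak_auths_per_sec for s in sites)
    n = psns_required(total, per_psn_auths_per_sec, spares)
    return {
        "total_auths_per_sec": total,
        "psns_to_install": n,
        "fits_one_deployment": within_deployment_limit(n),
        "tolerates_spare_failures": survives_failures(n, spares, total, per_psn_auths_per_sec),
        "tolerates_one_more_failure": survives_failures(n, spares + 1, total, per_psn_auths_per_sec),
        "sites_over_rtt_budget": sites_over_rtt_budget(sites, rtt_budget_ms),
    }


# Constructed sample input: three sites feeding one central PSN cluster.
SAMPLE_SITES = [
    Site("hq", rtt_ms=5.0, peak_auths_per_sec=500.0),
    Site("regional", rtt_ms=40.0, peak_auths_per_sec=300.0),
    Site("apac", rtt_ms=120.0, peak_auths_per_sec=100.0),
]
ASSUMED_PER_PSN_AUTHS_PER_SEC = 20.0   # constructed; not a Cisco figure


if __name__ == "__main__":
    summary = plan(SAMPLE_SITES, ASSUMED_PER_PSN_AUTHS_PER_SEC, spares=2, rtt_budget_ms=100.0)
    for key, value in summary.items():
        print(f"{key}: {value}")
    for s in SAMPLE_SITES:
        print(f"{s.name}: ~{auth_latency_ms(s.rtt_ms):.0f} ms per authentication")
```

With the sample numbers the cluster needs 45 PSNs for the 900 auth/s peak and 47 with two spares, which still fits one deployment; losing two nodes leaves exactly enough capacity, losing a third does not, and the "apac" site is flagged as exceeding the 100 ms RTT budget, i.e. the case where a regional PSN would be justified.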