cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1428
Views
0
Helpful
2
Replies

Splitting ISE function per site

Jim Blake
Level 1
Level 1

Consider the existing situation: an ISE cluster is operating in a central site, supporting remote sites. Each site has its own WLC and accesses the internet by DIA. Each site also has MPLS links back to the core site. Each site supports  Guests (Splash Screen) and IEEE802.1x corp clients.

 

The sites are to be separated from the core and to be made (semi)independant. The obvious thing to do would be to spin up a small (VM) ISE pair on each site (Let's also assume the sites each have their own AD domain, possibly part of a large "all-site" forest, so we would need to split the domains off the forest and run them locally too). That would serve the users OK, and would not be impacted by the ISE's lack of multi-tenant administration, because each site would have its own single-site ISE

 

However, is there a way of staying with the existing ISE cluster? (for resons of budget and speed of migration)

 

Can I (with vers 2.7) build different admins, for each site, each with write access only to their own configurations? I could probably build policies that will support different site user populations, with Authentication based upon MAB or IEEE802.1x and authorisation based upon Called Station ID or Internal User Identity, Groups, but there are fundamental security issues there: The Admin users would be able to see everyone's setup, even if they were only able to change their own (is that right?), but worse, anyone from any site would be authenticated (so able to log in) but only have their abilities controlled by authorisation restriction (so not be able to do anything outside their own security area/site, despite being logged on).

 

Has anyone ever tried anything like this? Have you any pointers? I think I'm going to push for site-local ISEs because of the security issues, but can anyone suggest a better way?

 

Thanks

 

Jim

1 Accepted Solution

Accepted Solutions

Arne Bier
VIP
VIP

Hi @Jim Blake 

 

ISE does not offer any multi-tenancy features that you are looking for. The system supports distributed processing but only centralised configuration. And you cannot segregate the Admin GUI by region (e.g. Cisco Prime Infrastructure DOMAIN concept).

 

I'd say you'd need to deploy a PAN/MnT/PSN per site and then let those admins get on with it. If they are supposed so stay out of each other's way, then you'll achieve that by deploying the PAN/MnT/PSN on site.  

View solution in original post

2 Replies 2

Arne Bier
VIP
VIP

Hi @Jim Blake 

 

ISE does not offer any multi-tenancy features that you are looking for. The system supports distributed processing but only centralised configuration. And you cannot segregate the Admin GUI by region (e.g. Cisco Prime Infrastructure DOMAIN concept).

 

I'd say you'd need to deploy a PAN/MnT/PSN per site and then let those admins get on with it. If they are supposed so stay out of each other's way, then you'll achieve that by deploying the PAN/MnT/PSN on site.  

Thanks Arne, you confirmed what I thought was the case...always comforting to know someone has been down the path before :)

Thanks

Jim

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: