Solved: TC-NAC: dedicated PSN really mandatory?

mabriand · ‎02-08-2018

Hello,

Can you please also clarify if TC-NAC really has to run on a dedicated PSN with no other persona?

This BU maintained page implies TC-NAC on top a RADIUS PSN is possible and provide scaling numbers for this situation:

ISE admin guide however says it has to be a dedicated PSN for TC-NAC with no other persona.

Please kindly advise.

Best Regards,

Martin

Craig Hyps · ‎02-08-2018

Please provide doc reference since that is not correct. See ISE Performance & Scale

There can only be one PSN enabled for TC-NAC, but scale will depend on whether dedicated to that service or other user services enabled.

View solution in original post

Jason Kunst · ‎02-08-2018

Please use this as the ultimate source of truth

This is updated and maintained by the technical marketing team

Admin guide is general guidance

https://communities.cisco.com/docs/DOC-68347?mobileredirect=true#jive_content_id_ISE_22_ThreatCentric_NAC_TCNAC_Scaling

Craig Hyps · ‎02-08-2018

Please provide doc reference since that is not correct. See ISE Performance & Scale

There can only be one PSN enabled for TC-NAC, but scale will depend on whether dedicated to that service or other user services enabled.

mabriand · ‎02-08-2018

Thanks Craig,

Cisco Identity Services Engine Administrator Guide, Release 2.3 - Configure Threat Centric NAC Service [Cisco Identity…<https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/admin_guide/b_ise_admin_guide_23/b_ise_admin_guide_23_chapter_010101.html>

Extract: ”You will need a separate Policy Service Node (PSN) for Threat Centric NAC service. You must enable only Threat Centric NAC persona on this node. “

The same section of the same doc for ISE 2.2 has the same statement.

Have a great day,

Martin

hslai · ‎02-17-2018

I opened a doc bug -- CSCvi04093

Many thanks for reporting it.