Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1300
Views
0
Helpful
2
Replies

TrustSec NAD Enrollment via PAC - To PAN or PSN?

Go to solution
hpretori
Cisco Employee
Cisco Employee

‎05-24-2016 05:47 AM

What is the official stance with regards to the entities that should be communicating when enrolling an infrastructure device (e.g. access switch) into TrustSec:

infrastructure device to PAN?

or

infrastructure device to PSN?

If it is between the device and the PAN. Then that means enabling RADIUS services on the PAN, which seems to sit outside the deployment configurations the BU is officially stating in the deployment guide for ISE.

For a customer deployment (currently lab phase and testing) we have this working with the PAN.

If it is between the device and the PSN (The PSN is a physical separate server entity) our testing in the lab could not get this to work. Lab has ISE v1.4 running.

Guess that the above question is also applicable to TrustSec CoA's which is currently coming from the PAN. Should it not come from the PSN's?

Regards

Henk

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
faylee
Cisco Employee
Cisco Employee

‎05-24-2016 06:20 AM

Hi Henk,

NADs should communicate with the PSN for PAC, Env data, and SGACL information.

For ISE to PUSH policy to NADs, this is done through CoA communication from the PAN.  So the additional config on the switch is to add the PAN to the list of servers that are already configured for CoA functions related to posture, RTC, etc.

HTH,

Fay-Ann

View solution in original post

0 Helpful
2 Replies 2

Go to solution
faylee
Cisco Employee
Cisco Employee

‎05-24-2016 06:20 AM

Hi Henk,

NADs should communicate with the PSN for PAC, Env data, and SGACL information.

For ISE to PUSH policy to NADs, this is done through CoA communication from the PAN.  So the additional config on the switch is to add the PAN to the list of servers that are already configured for CoA functions related to posture, RTC, etc.

HTH,

Fay-Ann

0 Helpful

Go to solution
hpretori
Cisco Employee
Cisco Employee
In response to faylee

‎05-24-2016 06:27 AM

Hi Fay-Ann,

thanks for the quick response.

Your answer is clear to me, thanks. We got the PAC enrollment working with the PAN and not the PSN's. Will look to get it working with the PSN's instead. Making use of a load-balancing device logically "in front" of the PSN's (VIP for RADIUS). At the time of testing it might have been something here (there is also a firewall) that prevented it to work with the PSN's.

Regards

Henk

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents