323 Views | 0 Helpful | 2 Replies

Cisco Employee

TrustSec NAD Enrollment via PAC - To PAN or PSN?

What is the official stance with regards to the entities that should be communicating when enrolling an infrastructure device (e.g. access switch) into TrustSec:

infrastructure device to PAN?

or

infrastructure device to PSN?

If it is between the device and the PAN, then that means enabling RADIUS services on the PAN, which seems to sit outside the deployment configurations the BU is officially stating in the deployment guide for ISE.

For a customer deployment (currently lab phase and testing) we have this working with the PAN.

If it is between the device and the PSN (the PSN is a physically separate server entity), our testing in the lab could not get this to work. The lab has ISE v1.4 running.

Guess that the above question is also applicable to TrustSec CoAs, which are currently coming from the PAN. Should they not come from the PSNs?

Regards

Henk

Accepted Solution

Cisco Employee

Re: TrustSec NAD Enrollment via PAC - To PAN or PSN?

Hi Henk,

NADs should communicate with the PSN for PAC, Env data, and SGACL information.

For ISE to PUSH policy to NADs, this is done through CoA communication from the PAN. So the additional config on the switch is to add the PAN to the list of servers that are already configured for CoA functions related to posture, RTC, etc.

HTH,

Fay-Ann

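The split described in the accepted answer (RADIUS, PAC provisioning, environment data and SGACL downloads to the PSN; CoA accepted from the PAN) is easiest to see as a switch configuration. The following Cisco IOS snippet is an added illustration, not configuration from the original thread or from Cisco documentation; the hostnames, IP addresses and shared secrets are constructed placeholders and must be replaced with the deployment's own values.

```ios
! --- Constructed example values (not from the thread) ---
! 10.0.0.10  = PAN (Policy Administration Node)
! 10.0.0.20  = PSN, or the load balancer VIP that fronts the PSNs
! SECRET123  = RADIUS shared secret / PAC key configured on ISE for this NAD

aaa new-model
dot1x system-auth-control

! RADIUS server definition points at the PSN (or PSN VIP), not the PAN.
! The "pac key" enables automatic PAC provisioning from this server,
! which is also where the switch pulls environment data and SGACLs.
radius server ISE-PSN
 address ipv4 10.0.0.20 auth-port 1812 acct-port 1813
 pac key SECRET123

aaa group server radius ISE
 server name ISE-PSN

aaa authentication dot1x default group ISE
aaa authorization network CTS-LIST group ISE

! Bind TrustSec authorization (PAC/env-data/SGACL retrieval) to the PSN group.
cts authorization list CTS-LIST
cts role-based enforcement

! CoA: the PAN pushes TrustSec policy updates, so it must be an accepted
! CoA client in addition to the PSN already used for posture/RTC CoA.
aaa server radius dynamic-author
 client 10.0.0.20 server-key SECRET123
 client 10.0.0.10 server-key SECRET123

! Exec-mode: device credentials must match the NAD entry in ISE.
! cts credentials id ACCESS-SW01 password SECRET123

! Verification (exec mode):
! show cts pacs              - confirms a PAC was provisioned from the PSN
! show cts environment-data  - confirms env data and SGT table were downloaded
! show cts role-based permissions - lists SGACLs received
```

If a load balancer sits in front of the PSNs, as in the follow-up below, the `radius server` address is the VIP, but the PAC key and RADIUS secret must still be identical on every PSN behind it, and the firewall must pass UDP/1812-1813 from the switch to the VIP and UDP/1700 (CoA) from both the PSNs and the PAN to the switch; a mismatch in any of these shows up as PAC provisioning silently falling back to the node that does answer, which is one way the PAN-only behaviour seen in the lab can arise.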
2 Replies

Cisco Employee

Re: TrustSec NAD Enrollment via PAC - To PAN or PSN?

Hi Fay-Ann,

Thanks for the quick response.

Your answer is clear to me, thanks. We got the PAC enrollment working with the PAN and not the PSNs. Will look to get it working with the PSNs instead. Making use of a load-balancing device logically "in front" of the PSNs (VIP for RADIUS). At the time of testing it might have been something here (there is also a firewall) that prevented it from working with the PSNs.

Regards

Henk