Solved: Wireless & ISE Design

ymadheka · ‎06-29-2017

Hi Team,

We are working on an ISE design for a wireless environment. The customer has two locations namely location1 and location2. The client requires the below points to be considered in the design. Can we comply to the points in the design as well as implementation?

VPN connectivity between Location 1 and Location 2 location with redundant ISPs.
One Wireless Controller will be placed at Location 1 location. It will be the primary controller for the Location 1 Access Points. Second Wireless Controller will be placed at Location 2 location. It will be the primary controller for Location 2 Access points.
Location 1 Wireless Controller will be act as a secondary controller for Location 2 access points. If Location 2 controller fails then the AP/client will get hooked to Location 1 controller. Location 2 Wireless Controller will be act as a secondary controller for Location 1 access points. If Location 1 controller fails then the AP/client should get hooked to Location 2 controller.
One DHCP server will be placed at Location 1 and second will be placed at Location 2. Location 1 DHCP server will serve Location 1 clients and Location 2 DHCP Server will serve Location 2 clients. The MAC binding for the clients will be done on the DHCP Server and it will be managed by the clients.
One AAA server will be placed at Location 1. It will act as primary AAA server for Location 1 users and will act as a secondary for Location 2 users in case Location 1 AAA Server fails. Second AAA Server will be placed at Location 2. It will act as primary AAA server for Location 2 users and will act as secondary for Location 1 users in case Location 2 AAA server fails.

Attached is the network diagram for the same.

Kindly advise for the ISE to work in Active-Active mode while each of them acting as a secondary for other location.

Jason Kunst · ‎06-29-2017

You have to keep in mind that only persona that have active and standby are the Admin and monitoring Therefore there can be only one active pan and mnt

The psn functionality is always active

With this in mind this is a common deployment model

Keep in mind the nodes can't have more than 300ms between them

View solution in original post

Jason Kunst · ‎06-29-2017

Not sure of the concern here? PSNs are always active and that's what terminates radius for the wireless NADs

A poor mans load balanced is to point some sites or NADs at PSN1 with PSN2 as backup and others at PSN2 and PSN1 as backup

This is common setup

Can't see PowerPoint easily best to save as an image that opens in the page

ymadheka · ‎06-29-2017

Thanks for the response. Here is the diagram.

The number of endpoints here are not more than 500 hence we have a single primary server with all personas in one location and secondary one at other location. The requirement is to have the ISE server as primary for location 1 and same to be secondary for location 2 only in case ISE server at location 2 fails. As per the deployment guide primary remains active and only in case it goes down the secondary comes up for the functions, here they want both to be active and act as failover for other location.

Jason Kunst · ‎06-29-2017

You have to keep in mind that only persona that have active and standby are the Admin and monitoring Therefore there can be only one active pan and mnt

The psn functionality is always active

With this in mind this is a common deployment model

Keep in mind the nodes can't have more than 300ms between them

ymadheka · ‎06-29-2017

Thanks for the quick response.

So we would be having the primary PAN / MNT with a PSN at one location and secondary PAN / MNT at other location with PSN's configured in the controller for providing the AAA functionality for these locations.

Hope my understanding is correct.

Jason Kunst · ‎06-29-2017

You would have a standalone node at each site configured for high-availability

I'll boxes would run all personas

This is explained in our design guides also part of high-level design