cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2528
Views
0
Helpful
6
Replies

ISE deployment

antonio_khoury
Level 1
Level 1

hi

if i have a deployment with 3 ISE servers, two of the ISE are working as a standalone primary and secondary and the third as radius proxy for VPN client users. Will the VPN client users be able to benefit from the authorization posturing and profiling features or only they can be authenticated with a local data base or LDAP. in other words will the ISE working as a radius proxy can communicate with the policy personnas on the standalone server. 

Regards;

6 Replies 6

Marvin Rhoads
Hall of Fame
Hall of Fame

ISE questions will probably get more traction in the Security forum.

That said, the answer is "it depends". It all depends on your design. Is your third server a Policy Services Node or an Inline Posture Node (IPEP)? Either way, one of those would generally be positioned so as to provide profiling, posture and enforcement services working in conjunction with the Admin server(s). If a server is not part of the overall architecture, it will not.

All new ISE designs should be based on the Cisco-approved High Level Design (HLD) template. If you follow that and develop your Low Level design based on it, many of the typical questions should be answered.

Hope this helps.

In my design, i have 2 standalone servers with all 3 personas "admin, policy and monitioring". i need to put a inline posture node to tap the VPN users, will the vpn client users be able to benefit from the authorization posturing and profiling in this case. In other words will the ISE working as a inline posture can communicate with the policy personnas on the standalone server.

Yes, that is how it is intended to be used - subordinate to and enforcing the polices defined in the admin / policy / monitoring systems. Calling any of them stand alone is a bit of a mis-statement though as they all work together to secure your enterprise. None of the servers is truly stand alone in an architecture such as you describe as each is linked to the others and it is as a coherent system that they operate.

I don't know whether do I have open new discussion to get my anser or is it OK to post my question here.

We have two ISE nodes working as a primary & secondary node (failover) for all three persona's (Admin, Monitoring & Policy). They are being used to tap wired & wireless users. Now we have requirement to tap VPN users who are being terminated on Cisco ASA. Can we achieve this with existing nodes or do we need separate ISE node to be configured in Inline posture node.

Prompt response highly appreciate.

Thanks

You should start a new discusiion, but....

Using current ASA and ISE software, an Inline node is required. That will be the case until ASA code base has the ability to be integrated with ISE - probably sometime early next year with ASA software 9.1.

Please rate helpful posts.

Anas Naqvi
Level 1
Level 1

Hi Antonio,

You can also check the following link for distributed deployment.

http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bea904.shtml

Review Cisco Networking for a $25 gift card