Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5585
Views
15
Helpful
7
Replies

PSN node Cisco ISE

Go to solution
Tutu
Level 1
Level 1

‎11-05-2020 11:12 PM

Hello,

 

I want to know, are we supposed to create all the policies in the PSN node?

 

Thanks

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Nicolai Borchorst
Level 1
Level 1

‎11-05-2020 11:50 PM

Hi

No, the PSN node is responsible for network access request processing, RADIUS, Posture, Profiling, Web Redirection and Guest Portal. In short, all communication from your network environment goes to the PSN for processing. 

All configurations such as Policies, Guest Portal, External Identity Stores etc.  is done on the PAN (Policy Administration Node) while the MnT (Monitoring & Troubleshooting) node collects logs from your PAN, PSN and Network Devices (NAD's) 

Best Regards
Nicolai Borchorst
CCIE Security #65775

View solution in original post

7 Replies 7

Go to solution
Nicolai Borchorst
Level 1
Level 1

‎11-05-2020 11:50 PM

Hi

No, the PSN node is responsible for network access request processing, RADIUS, Posture, Profiling, Web Redirection and Guest Portal. In short, all communication from your network environment goes to the PSN for processing. 

All configurations such as Policies, Guest Portal, External Identity Stores etc.  is done on the PAN (Policy Administration Node) while the MnT (Monitoring & Troubleshooting) node collects logs from your PAN, PSN and Network Devices (NAD's) 

Best Regards
Nicolai Borchorst
CCIE Security #65775

Go to solution
Tutu
Level 1
Level 1
In response to Nicolai Borchorst

‎11-09-2020 01:50 AM

thank u for that,

 

Also which would u consider the best way to do a user and machine authentication ?

0 Helpful

Go to solution
Mohammed al Baqari
Level 11
Level 11
In response to Tutu

‎11-09-2020 08:05 AM

I have used MAR and EAP-FAST with chaining. MAR can be flicky while
chaining will always work from my experience. So I suggest that you go for
chaining with anyconnect as NAM supplicant.


**** please remember to rate useful posts
0 Helpful

Go to solution
Tutu
Level 1
Level 1
In response to Mohammed al Baqari

‎11-09-2020 10:01 AM

So I have used eap chaining and I am facing some issues. the endpoint is already using anyconnect for wireless, and  when i connect an endpoint to the switch it is not hitting any of the policies I have created for EAP chaining, in fact, it picks up the employee unknown policy for provisioning and does not detect that the endpoint already has anyconnect.

0 Helpful

Go to solution
Nicolai Borchorst
Level 1
Level 1
In response to Tutu

‎11-09-2020 10:41 AM

So the Anyconnect NAM module is already deployed for Wireless 802.1X? In that case you need to create an XML profile for Wired 802.1X using EAP-FASTv2 and enable Wired Autoconfig service in Windows.

See this document for reference https://www.cisco.com/c/en/us/support/docs/wireless-mobility/eap-fast/200322-Understanding-EAP-FAST-and-Chaining-imp.html 

Best Regards
Nicolai Borchorst
CCIE Security #65775
0 Helpful

Go to solution
Tutu
Level 1
Level 1
In response to Nicolai Borchorst

‎11-09-2020 11:00 AM

No wireless was not configured for ISE, but they use it when connecting to wireless normally, so when i connect my pc it shows that wired anyconnect has been connected but nothing happens after. So not really sure wht is actually going on. 

0 Helpful

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎11-06-2020 01:32 AM

ISE has 3 components - ( Depending on the size of your deployment all three personas can be run on the same device or spread across multiple devices for redundancy and scalability).

 

 

  • Policy Administration Node (PAN)
  • Monitoring  Node (MnT)
  • Policy Services Node (PSN)

 

coming to your point - Policy Administration Node  is where the administrator configure policies and make changes to the entire ISE system

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card