Solved: PSN node Cisco ISE

Tutu · ‎11-05-2020

Hello,

I want to know, are we supposed to create all the policies in the PSN node?

Thanks

Nicolai Borchorst · ‎11-05-2020

Hi

No, the PSN node is responsible for network access request processing, RADIUS, Posture, Profiling, Web Redirection and Guest Portal. In short, all communication from your network environment goes to the PSN for processing.

All configurations such as Policies, Guest Portal, External Identity Stores etc. is done on the PAN (Policy Administration Node) while the MnT (Monitoring & Troubleshooting) node collects logs from your PAN, PSN and Network Devices (NAD's)

Best Regards
Nicolai Borchorst
CCIE Security #65775

View solution in original post

Nicolai Borchorst · ‎11-05-2020

Hi

No, the PSN node is responsible for network access request processing, RADIUS, Posture, Profiling, Web Redirection and Guest Portal. In short, all communication from your network environment goes to the PSN for processing.

All configurations such as Policies, Guest Portal, External Identity Stores etc. is done on the PAN (Policy Administration Node) while the MnT (Monitoring & Troubleshooting) node collects logs from your PAN, PSN and Network Devices (NAD's)

Best Regards
Nicolai Borchorst
CCIE Security #65775

Tutu · ‎11-09-2020

thank u for that,

Also which would u consider the best way to do a user and machine authentication ?

Mohammed al Baqari · ‎11-09-2020

I have used MAR and EAP-FAST with chaining. MAR can be flicky while
chaining will always work from my experience. So I suggest that you go for
chaining with anyconnect as NAM supplicant.

**** please remember to rate useful posts

Tutu · ‎11-09-2020

So I have used eap chaining and I am facing some issues. the endpoint is already using anyconnect for wireless, and when i connect an endpoint to the switch it is not hitting any of the policies I have created for EAP chaining, in fact, it picks up the employee unknown policy for provisioning and does not detect that the endpoint already has anyconnect.

Nicolai Borchorst · ‎11-09-2020

So the Anyconnect NAM module is already deployed for Wireless 802.1X? In that case you need to create an XML profile for Wired 802.1X using EAP-FASTv2 and enable Wired Autoconfig service in Windows.

See this document for reference https://www.cisco.com/c/en/us/support/docs/wireless-mobility/eap-fast/200322-Understanding-EAP-FAST-and-Chaining-imp.html

Best Regards
Nicolai Borchorst
CCIE Security #65775

Tutu · ‎11-09-2020

No wireless was not configured for ISE, but they use it when connecting to wireless normally, so when i connect my pc it shows that wired anyconnect has been connected but nothing happens after. So not really sure wht is actually going on.

balaji.bandi · ‎11-06-2020

ISE has 3 components - ( Depending on the size of your deployment all three personas can be run on the same device or spread across multiple devices for redundancy and scalability).

Policy Administration Node (PAN)
Monitoring Node (MnT)
Policy Services Node (PSN)

coming to your point - Policy Administration Node is where the administrator configure policies and make changes to the entire ISE system

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help