I would see this against a

SK _R · ‎11-14-2016

Hello,

I am planning to implement ISE on our network. In the network there are multiple data centers.

Is it possible to have a standalone ISE setup on each data center?

Is it possible to configure NAD with different ISE setups "two unrelated setups"?

Thank you for your help,,

Marvin Rhoads · ‎11-14-2016

Possible yes but not generally a good idea.

ISE is designed with distributed high availability in mind. Just make your deployment 2 (or more) nodes with one node in primary data center and one in the alternate data center.

The PSN persona on a given node is the aaa (RADIUS) server used by a NAD. For ASA and WLC, multiple aaa servers will always try the first one in the list. Only when it is unreachable after 3 tries will the NA try #2 aaa server. Some newer IOS devices can do crude aaa server round robin load balancing on their own.

Vivek Ganapathi · ‎12-07-2016

I would see this against a design guidelines. Also, the manageability of this setup would be a nightmare as you would place individual PAN in each of your datacenter. In order to understand the endpoint state, you would need to determine which PAN you are suppose to login to view the status. There are couple of other issues which may arise

1) Synchronization of the Endpoint Database happens between ISE clusters. In your case, you would have a standalone ISE cluster per DC but your NAD is configured to talk to all the PSNs. In my view, this would create DB inconsistencies.

2) Assuming you would run DHCP profiling. You would be configuring all the PSN IPs as an IP helper address. Now, lets assume your DHCP profiling information was sent to a DC2, but the RADIUS information was to sent to DC1. There is no synchronization of this information between ISE nodes. This would cause issues.

Best design would be to have 2 x Management nodes ; 2 x MnT & multiple PSNs per DC. You can use a load balancer to spread the RADIUS traffic between your DCs.

configure multiple ISE