Cisco ISE Small Network Deployment

Ahmed.Y.Eissa
Level 1

Having two nodes with Cisco ISE 3515, as per the deployment below, serving about 1500 users.

[Image: Capture.PNG]

The main focus is to present HA for all personas.

I can put all personas on a primary ISE node, but as per the Cisco recommendation, "don't merge between monitoring and PSN".

I was thinking of having the deployment above:

  1. node1: primary admin and monitoring, and backup PSN based on NAD configuration.
  2. node2: secondary admin and monitoring, and primary PSN based on NAD configuration.

Q1: Has anyone validated this before?

Q2: Second, I don't have a load balancer, but I understood from the Cisco documentation that when a node group is created and a PSN is down and its peer detects that it is down, the peer sends a CoA to the NAD to delete the session and start a new one. (I think it will be good, as the NAD will not wait for the whole timeout before retrying with the second RADIUS server configured on the NAD.)

But the Cisco documentation also says: (I think it is OK either way, whether creating a node group or configuring two RADIUS servers on all NADs)

[Image: image.png]

Q3: Client authentication.

dot1x is done based on client certificate authentication for users. In case of failure of one of these nodes, what is the impact from the end-user perspective?

Does the user still have access to the network? (Sure, I think.)

2 Replies

Hi,

Q1 - Yes, your assumption is perfectly valid in regard to configuring the roles.

Q2 - As far as node groups are concerned, these (as far as I know) are more useful in a large distributed ISE cluster. For example, if you are using posture and in the posture unknown state and the node you are connected to goes down, the other node will send a CoA in order to inform the client and force it to re-establish a session to a working PSN.

Q3 - Configure the NADs to poll the RADIUS servers; if the primary server is detected down, it should be marked down for a specified period, and the other RADIUS server would then authenticate sessions. This would be transparent to already logged-on users.

Marvin Rhoads
Hall of Fame

Everything RJI mentioned is correct.

I would add a couple of points:

1. Your PSNs are always active from the perspective of the ISE deployment itself. It is only on the NADs (switches and WLCs in your diagram) that the concept of a first and second AAA server comes into play. On Cisco WLCs, generally only the first AAA server for a given WLAN is used. Only when it does not respond to RADIUS authentications will a WLC try to use an alternate configured server. There is no ongoing polling test feature. On Cisco switches, some IOS versions allow for optional round-robin AAA server use. You can also use the polling to actively test the servers' availability.

2. The best resource for learning about ISE high availability and scalability is the Cisco Live presentations done by Craig Hyps. See BRKSEC-3699 at www.ciscolive.com
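The NAD-side failover that both replies describe (the first reply's "poll the RADIUS servers and mark the primary down for a period", and the active server testing and optional round-robin use in Marvin's point 1) can be expressed as a Cisco IOS/IOS-XE switch configuration. The following is an added example written for this thread, not configuration from the original posts or from Cisco; the PSN addresses, server names, probe username and shared secrets are constructed placeholders, and the switch platform and IOS version are assumed to support the `automate-tester` and `load-balance` commands.

```ios
! Added example (not from the original thread): IOS/IOS-XE NAD-side RADIUS
! failover between two ISE PSNs. All addresses, names and secrets are
! constructed placeholders for illustration.
!
! Each ISE PSN is defined as a named RADIUS server.
radius server ISE-PSN-1
 address ipv4 192.0.2.11 auth-port 1812 acct-port 1813
 key <SHARED-SECRET-1>
 ! Active probe: the switch periodically sends an Access-Request for this
 ! dummy user. Any answer (Accept or Reject) proves the server is alive, so
 ! the account does not have to exist in ISE. probe-on keeps testing a server
 ! already marked dead so it returns to service automatically once it answers.
 automate-tester username radius-probe probe-on
!
radius server ISE-PSN-2
 address ipv4 192.0.2.12 auth-port 1812 acct-port 1813
 key <SHARED-SECRET-2>
 automate-tester username radius-probe probe-on
!
! A server is declared dead after 3 unanswered requests within 5 seconds and
! stays marked dead for 15 minutes (deadtime is in minutes) before the switch
! retries it. Until then requests go straight to the surviving PSN, so clients
! do not sit through the full RADIUS timeout on every authentication.
radius-server dead-criteria time 5 tries 3
radius-server deadtime 15
!
! Group both PSNs; the listed order defines the preferred server. The optional
! load-balance line spreads requests across both servers (the round-robin style
! use that Marvin notes depends on the IOS version); omit it for strict
! primary/secondary behaviour.
aaa group server radius ISE-PSNS
 server name ISE-PSN-1
 server name ISE-PSN-2
 load-balance method least-outstanding batch-size 5
!
aaa new-model
aaa authentication dot1x default group ISE-PSNS
aaa authorization network default group ISE-PSNS
aaa accounting dot1x default start-stop group ISE-PSNS
!
! Accept Change of Authorization (CoA) from both PSNs, so that the surviving
! node can terminate or re-authorize a session; the node-group behaviour asked
! about in Q2 only works if the NAD honours CoA from either PSN.
aaa server radius dynamic-author
 client 192.0.2.11 server-key <SHARED-SECRET-1>
 client 192.0.2.12 server-key <SHARED-SECRET-2>
!
! Operational checks after applying the configuration:
!   show aaa servers         - per-server state (UP/DEAD), dead-time, probe counters
!   show radius statistics   - request and timeout counters per server
```

With this in place, `show aaa servers` is the quickest way to confirm that the probe is running and that a PSN taken down for maintenance flips to DEAD and back to UP without any client-visible delay beyond the first failed request; the `dead-criteria` and `deadtime` values are a trade-off between how fast a failure is detected and how often a healthy server is retried, and should be tuned to the site's RADIUS timeout and retransmit settings.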