Would it be possible to have 1 admin, 1 monitor, and then 1 admin/monitor backup? I am getting ready for a large deployment and I can deploy 6 servers between 2 DCs. I have 25,000 base licenses and a TACACS license, and I was going to deploy:
1 admin/monitor backup
3 policy nodes
Based on my own experience with a very large deployment (+12 ISE devices / +60K concurrent sessions / 300K+ devices profiled):
1. DO NOT combine secondary PAN & MnT on the same node.
2. DO NOT use 3495 for PAN or MnT. I would strongly suggest going with 3595 so you would not have to invest again in the short term when you realize the 3495 is not enough for the amount of data.
3. USE version 2.3, which has significant bugs already fixed.
4. USE individual nodes for each persona, including secondary roles.
5. 3 policy nodes should be good enough for 25K end users because 3495 PSNs can handle 20K per node.
6. CONSIDER an F5 or similar solution for load balancing the traffic AND smooth failover. Round-robin DNS when using CWA or WebAuth does not work properly. WLC does not have an actual load-balancing mechanism.
Hoping this helps.