ISE tacacs+ in distributed environment

Hi All,

I want to have a distributed deployment of ISE using two physical servers with one Device Administration license. I am going to load balance TACACS+ and RADIUS requests between primary and secondary ISE nodes by configuring half of the devices to primary and half to secondary.

Can someone confirm whether the secondary ISE can also respond to TACACS+ requests with the same license?


1 ACCEPTED SOLUTION


Re: ISE tacacs+ in distributed environment

The concept of Primary and Secondary applies to Administration and Monitoring personas, not to the Policy services persona, which will actually be the one that responds to the RADIUS and TACACS requests.

The Policy Services personas do not use any kind of primary/secondary style failover. If one goes offline, it is up to the network device to detect the failure and switch to using a different ISE node.

The Device Administration licence is per deployment, so yes, all nodes with Policy Service persona enabled will serve TACACS requests, if configured to do so.

3 REPLIES

ajc Frequent Contributor

Re: ISE tacacs+ in distributed environment

Based on my understanding, you need a different license for TACACS on ISE. In fact, I would suggest ISE 2.3 for TACACS services because there are some details supported on this version and NOT the previous ones.

It is important to mention that you can assign 2 entries (serial numbers) to the same license, so in case the primary PAN fails, the secondary can be promoted and no issues with the licensing part would happen. I mean, the license would have the serial numbers of the Primary and Secondary PAN attached.

ajc Frequent Contributor

Re: ISE tacacs+ in distributed environment

One more detail. To enable TACACS on ISE, check the following box.

TACACS.png