by Craig Hyps, Principal Technical Marketing Engineer, Cisco Systems
This is the definitive Cisco Live breakout session to show you how to design ISE to deliver scalable and highly available access control services for wired, wireless, and VPN from a single campus to a global deployment. Focus is on design guidance for distributed ISE architectures including high availability for all ISE nodes and their services as well as strategies for survivability and fallback during service outages. Methodologies for increasing scalability and redundancy will be covered such as load distribution with and without load balancers, optimal profiling design, and the use of Anycast. Attendees of this session will gain knowledge on how to best deploy ISE to ensure peak operational performance, stability, and to support large volumes of authentication activity. Various deployment architectures will be discussed including ISE platform selection, sizing, and network placement.
When using a load balancer (any vendor's), you must ensure a few things.
Each PSN must be reachable by the PAN and MnT directly, without NAT. RADIUS Authentication and Accounting traffic from access devices to the PSNs should also pass through the LB without NAT.
Each PSN must also be reachable directly from the clients, for redirections, CWA, Posture, etc.
You may want to generate PSN certificates that include the VIP FQDN in the SAN field.
Perform stickiness (aka persistence) based on Calling-Station-ID and optionally NAS-IP-Address or Framed-IP-Address.
The VIP is listed as the RADIUS server on each NAD for all 802.1X-related AAA.
Each PSN is listed individually for Dynamic Authorization (CoA). Use the real IP address of the PSN, not the VIP, unless SNAT is configured for the CoA traffic (the UDP/1700 traffic initiated by the PSN, NOT the RADIUS traffic initiated by the NADs toward the PSNs).
The load balancer(s) are listed as NADs in ISE so that their test authentications can be answered.
ISE uses the Layer-3 source address to identify the NAD, not the NAS-IP-Address inside the RADIUS packet. This is the reason not to use SNAT for inbound RADIUS traffic.
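To make the persistence rule above concrete, here is an added example (not from the session or from any load-balancer vendor) that parses RADIUS attributes and pins a request to one real PSN by Calling-Station-Id, falling back to NAS-IP-Address or Framed-IP-Address; the PSN pool addresses and the sample Access-Request are constructed values.

```python
import hashlib
import ipaddress
import struct

# RADIUS attribute types (RFC 2865) used for the persistence decision.
NAS_IP_ADDRESS = 4
FRAMED_IP_ADDRESS = 8
CALLING_STATION_ID = 31

# Constructed PSN pool: the real PSN addresses behind the VIP (assumed, not from the page).
PSN_POOL = ["10.1.1.11", "10.1.1.12", "10.1.1.13"]


def parse_radius_attributes(packet: bytes) -> dict:
    """Return {attribute_type: raw_value} from a RADIUS packet, rejecting malformed lengths."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("RADIUS Length field does not match packet size")
    attrs, offset = {}, 20  # skip Code, Identifier, Length and the 16-byte Authenticator
    while offset < length:
        atype, alen = packet[offset], packet[offset + 1]
        if alen < 2 or offset + alen > length:
            raise ValueError("malformed attribute length")
        attrs[atype] = packet[offset + 2:offset + alen]
        offset += alen
    return attrs


def persistence_key(attrs: dict) -> str:
    """Stickiness key: Calling-Station-Id first, then NAS-IP-Address or Framed-IP-Address as fallbacks."""
    if CALLING_STATION_ID in attrs:
        return attrs[CALLING_STATION_ID].decode("ascii").upper()  # normalise MAC case
    for ip_attr in (NAS_IP_ADDRESS, FRAMED_IP_ADDRESS):
        if ip_attr in attrs:
            return str(ipaddress.IPv4Address(attrs[ip_attr]))
    raise ValueError("no attribute usable for persistence")


def select_psn(packet: bytes, pool=PSN_POOL) -> str:
    """Deterministically pin a request to one real PSN so an endpoint's Auth and Accounting share a node."""
    digest = hashlib.sha256(persistence_key(parse_radius_attributes(packet)).encode()).digest()
    return pool[int.from_bytes(digest[:4], "big") % len(pool)]


def build_access_request(mac: str, nas_ip: str) -> bytes:
    """Construct a minimal Access-Request carrying the two attributes (sample input, not a real capture)."""
    body = bytes([CALLING_STATION_ID, 2 + len(mac)]) + mac.encode()
    body += bytes([NAS_IP_ADDRESS, 6]) + ipaddress.IPv4Address(nas_ip).packed
    return struct.pack("!BBH", 1, 0x2A, 20 + len(body)) + bytes(16) + body
```

Because the key is the endpoint's Calling-Station-Id rather than the NAD address, the same endpoint roaming between two switches still lands on the same PSN, which is what keeps its Authentication and Accounting records on one node.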