by Craig Hyps, Principal Technical Marketing Engineer, Cisco Systems
This is the definitive Cisco Live breakout session to show you how to design ISE to deliver scalable and highly available access control services for wired, wireless, and VPN, from a single campus to a global deployment. The focus is on design guidance for distributed ISE architectures, including high availability for all ISE nodes and their services, as well as strategies for survivability and fallback during service outages. Methodologies for increasing scalability and redundancy will be covered, such as load distribution with and without load balancers, optimal profiling design, and the use of Anycast. Attendees of this session will gain knowledge on how best to deploy ISE to ensure peak operational performance and stability, and to support large volumes of authentication activity. Various deployment architectures will be discussed, including ISE platform selection, sizing, and network placement.
When using a load balancer (from any vendor), you must ensure a few things.
Each PSN must be reachable by the PAN / MNT directly, without NAT. RADIUS authentication and accounting traffic from access devices to the PSNs should also pass through the load balancer without NAT.
Each PSN must also be reachable directly from the clients, for redirections (CWA, posture, etc.).
You may want to generate PSN certificates that include the VIP FQDN in the SAN field.
Perform stickiness (aka persistence) based on Calling-Station-ID and optionally NAS-IP-Address or Framed-IP-Address.
The VIP is listed as the RADIUS server on each NAD for all 802.1X-related AAA.
Each PSN is listed individually in the Dynamic Authorization (CoA) configuration. Use the real IP address of the PSN, not the VIP, unless SNAT is configured for the CoA traffic (the UDP/1700 traffic initiated by the PSN, NOT the RADIUS traffic initiated by the NADs to the PSN).
The load balancer(s) are listed as NADs in ISE so that their test authentications can be answered.
ISE uses the Layer-3 source address to identify the NAD, not the NAS-IP-Address in the RADIUS packet. This is the reason not to use SNAT for inbound RADIUS traffic.
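The following is an added example, not code from Cisco, ISE, or any load balancer product. It models the three rules above that are easy to get wrong: a minimal RFC 2865 attribute parser pulls out the fields a persistence rule keys on (Calling-Station-Id, optionally NAS-IP-Address), a deterministic hash maps that key to a PSN so an endpoint's Access-Request and Accounting-Request land on the same node, and a lookup keyed on the IP-header source (the way ISE identifies a NAD) shows what SNAT on inbound RADIUS does: every request appears to come from the load balancer's own address, so the real switch is never matched. The packet bytes, MAC, IP addresses, PSN names and NAD table are all constructed for the demo.

```python
"""Added example: persistence keying and NAD identification for RADIUS
behind a load balancer. Not ISE or vendor code; all values constructed."""
import hashlib
import ipaddress
import struct

# RFC 2865/2866 attribute types used below
NAS_IP_ADDRESS = 4
FRAMED_IP_ADDRESS = 8
CALLING_STATION_ID = 31
ACCT_STATUS_TYPE = 40

ACCESS_REQUEST = 1
ACCOUNTING_REQUEST = 4


def build_packet(code, ident, attrs):
    """Build a RADIUS packet: 20-byte header plus TLV attributes (constructed,
    authenticator zeroed since no shared secret is involved here)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body)) + b"\x00" * 16
    return header + body


def parse_attributes(packet):
    """Return (code, {type: value}); rejects length fields that disagree
    with the bytes actually received. Repeated attribute types are not
    expected for the keys used here, so the last one wins."""
    if len(packet) < 20:
        raise ValueError("short RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return code, attrs


def persistence_key(attrs, include_nas_ip=False):
    """Sticky key: Calling-Station-Id (normalised), optionally joined with
    NAS-IP-Address, so auth and accounting for one endpoint share a PSN."""
    mac = attrs.get(CALLING_STATION_ID)
    if mac is None:
        raise ValueError("no Calling-Station-Id; cannot persist")
    key = mac.decode("ascii").upper()
    if include_nas_ip and NAS_IP_ADDRESS in attrs:
        key += "|" + str(ipaddress.IPv4Address(attrs[NAS_IP_ADDRESS]))
    return key


def select_psn(key, psns):
    """Deterministic PSN choice (sha256 rather than Python's randomised hash())."""
    digest = hashlib.sha256(key.encode()).digest()
    return psns[int.from_bytes(digest[:8], "big") % len(psns)]


def identify_nad(src_ip, nad_table):
    """ISE matches the NAD on the IP-header source, not on NAS-IP-Address.
    Returns the configured device name, or None if the source is unknown."""
    return nad_table.get(src_ip)


# Constructed sample deployment
PSNS = ["psn-1", "psn-2", "psn-3"]
NAD_TABLE = {                      # IP -> device name as configured in ISE
    "10.1.1.10": "switch-a",
    "10.1.1.11": "switch-b",
    "10.9.9.1": "load-balancer",   # LB listed as a NAD for its test auths
}
MAC = b"00-11-22-33-44-55"
NAS = ipaddress.IPv4Address("10.1.1.10").packed


def demo(snat_source=None):
    """Send auth then accounting for one endpoint; report PSN and NAD match.
    snat_source simulates SNAT: the L3 source becomes the LB's address."""
    auth = build_packet(ACCESS_REQUEST, 1,
                        [(NAS_IP_ADDRESS, NAS), (CALLING_STATION_ID, MAC)])
    acct = build_packet(ACCOUNTING_REQUEST, 2,
                        [(NAS_IP_ADDRESS, NAS), (CALLING_STATION_ID, MAC),
                         (ACCT_STATUS_TYPE, struct.pack("!I", 1)),
                         (FRAMED_IP_ADDRESS,
                          ipaddress.IPv4Address("10.2.0.50").packed)])
    results = {}
    for name, pkt in (("auth", auth), ("acct", acct)):
        code, attrs = parse_attributes(pkt)
        key = persistence_key(attrs, include_nas_ip=True)
        src = snat_source or str(ipaddress.IPv4Address(attrs[NAS_IP_ADDRESS]))
        results[name] = {"code": code, "psn": select_psn(key, PSNS),
                         "nad": identify_nad(src, NAD_TABLE)}
    return results


if __name__ == "__main__":
    print("no SNAT:", demo())
    print("SNAT:   ", demo(snat_source="10.9.9.1"))
```

Running it shows both requests for the endpoint selecting the same PSN, and the NAD resolving to switch-a when the switch's own address reaches ISE but to the load balancer entry when SNAT is applied, which is why NAD-specific policy cannot match in the SNAT case even though the NAS-IP-Address attribute inside the packet is unchanged.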