by Craig Hyps, Principal Technical Marketing Engineer, Cisco Systems
This is the definitive Cisco Live breakout session to show you how to design ISE to deliver scalable and highly available access control services for wired, wireless, and VPN from a single campus to a global deployment. Focus is on design guidance for distributed ISE architectures including high availability for all ISE nodes and their services as well as strategies for survivability and fallback during service outages. Methodologies for increasing scalability and redundancy will be covered such as load distribution with and without load balancers, optimal profiling design, and the use of Anycast. Attendees of this session will gain knowledge on how to best deploy ISE to ensure peak operational performance, stability, and to support large volumes of authentication activity. Various deployment architectures will be discussed including ISE platform selection, sizing, and network placement.
When using a load balancer (any vendor's) you must ensure a few things.
Each PSN must be reachable by the PAN / MNT directly, without NAT. RADIUS Auth and Accounting traffic from access devices to PSNs should also pass through the LB without NAT.
Each PSN must also be reachable directly from the clients, for redirections / CWA / Posture, etc.
You may want to generate PSN certs to include the VIP FQDN in the SAN field.
Perform sticky (aka persistence) based on Calling-Station-ID and optionally NAS-IP-Address or Framed-IP-Address.
The VIP gets listed as the RADIUS server of each NAD for all 802.1X related AAA.
Each PSN gets listed individually in the Dynamic-Authorization (CoA) configuration. Use the real IP address of the PSN, not the VIP, unless SNAT for CoA traffic is configured (CoA is the UDP/1700 traffic initiated by the PSN, NOT the RADIUS traffic initiated by NADs to the PSN).
The load balancer(s) get listed as NADs in ISE so their test authentications may be answered.
ISE uses the Layer-3 source address to identify the NAD, not the NAS-IP-Address in the RADIUS packet. This is the reason not to use SNAT for inbound RADIUS traffic.
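As an added example (not part of Craig's post, and not ISE or any load balancer's code), the Python below shows the persistence rule above in working form: it parses the AVPs of a RADIUS request, builds the sticky key from Calling-Station-ID (optionally combined with NAS-IP-Address), and keeps a small stickiness table so the Access-Request and the later Accounting-Request of one endpoint land on the same PSN. The packets, the PSN names psn1/psn2 and the round-robin first assignment are constructed assumptions.

```python
import struct
from ipaddress import ip_address

# RADIUS attribute types from RFC 2865; all packets here are constructed samples.
NAS_IP_ADDRESS, FRAMED_IP_ADDRESS, CALLING_STATION_ID = 4, 8, 31
ACCESS_REQUEST, ACCOUNTING_REQUEST = 1, 4

def build_request(code, avps, ident=1):
    """Assemble a RADIUS packet with a zeroed authenticator (sample data only)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in avps)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

def parse_avps(packet):
    """Return {attr_type: raw_value} from the AVPs after the 20-byte header."""
    _, _, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad RADIUS length field")
    avps, pos = {}, 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed AVP")
        avps[t] = packet[pos + 2:pos + l]
        pos += l
    return avps

def persistence_key(packet, use_nas_ip=False):
    """Sticky key: Calling-Station-ID (endpoint MAC), optionally plus NAS-IP-Address,
    so the Access- and Accounting-Requests of one endpoint reach the same PSN."""
    avps = parse_avps(packet)
    if CALLING_STATION_ID not in avps:
        raise ValueError("no Calling-Station-ID; cannot persist per endpoint")
    key = avps[CALLING_STATION_ID].decode("ascii", "replace").upper()
    if use_nas_ip and NAS_IP_ADDRESS in avps:
        key += "|" + str(ip_address(avps[NAS_IP_ADDRESS]))
    return key

class PersistenceTable:
    """Minimal LB stickiness: first sighting of a key assigns a PSN round-robin;
    every later packet carrying that key is sent to the same PSN."""
    def __init__(self, psns):
        self.psns, self.table, self.next = list(psns), {}, 0

    def select(self, packet, use_nas_ip=False):
        key = persistence_key(packet, use_nas_ip)
        if key not in self.table:
            self.table[key] = self.psns[self.next % len(self.psns)]
            self.next += 1
        return self.table[key]
```

Because the key is taken from the AVPs and not from the IP header, it still works when the LB must not SNAT the RADIUS flow, which is exactly the constraint the post describes.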