Separate ISE deployments (Device Administration and Network Access each in its own deployment)

Pros:
- Complete separation of policy & operations for Device Administration vs. Network Access
- Potential for increased log retention for both deployments
- Centralized policy, monitoring for all AAA
- Scale Device Administration independently from Network Access as needed

Cons:
- Separate ISE deployments to maintain & monitor
- Cost of additional PAN (Policy Administration Node) and MNT (Monitoring node) nodes for the second deployment
- Per-PSN (Policy Service Node) utilization may be low for a dedicated function
- May need additional PSNs for distributed coverage
- Potential need for cross-department administrative access depending on the organization

Combined ISE deployment (Device Administration and Network Access in the same deployment)

Pros:
- Centralized policy & monitoring for all AAA needs
- Share resources / reduced cost
- Avoid underutilized PSNs
- Same configuration for all PSNs
- Scale all AAA needs incrementally by adding a PSN when or where needed

Cons:
- Load from Network Access may impact Device Administration services and vice versa
Whether you dedicate a separate ISE instance to TACACS+ is more of a security and operational policy decision. If Device Administration is already separated in ACS today, continue doing so if that model serves you well. If you wish to combine TACACS+ Device Administration and RADIUS Network Access in the same deployment, then dedicating PSNs to the TACACS+ service may be the best option for a large organization, because it prevents user services from impacting device admin services and vice versa.

Regarding whether the Device Admin service should run on the same PSNs that also serve RADIUS, or on dedicated nodes, use the following general guidance:

- For a programmatic device admin model (scripts or management tools logging in to network devices), dedicated PSN nodes are recommended for the Device Admin service.
- For a human device admin model, where individual admin users manually log in to and manage network devices, consider the following example:
  - In this scenario, it would be acceptable to run the Device Admin service on PSNs that also run the other core user services.
  - If you expect a much higher level of activity (a much higher number of concurrent admins or transactions), consider dedicating the service to its own PSNs.

Note that organizational requirements and security policies such as "separation of device admin and user access control" may dictate the need for dedicated PSN nodes for the Device Admin function, or even an isolated ISE deployment to separate RADIUS and TACACS+ control.
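The network-device side of that split, as an added example that is not from the original page or from Cisco's guide: a Cisco IOS/IOS-XE configuration that points device administration (login, exec and command authorization, accounting) at a TACACS+ server group made up of the dedicated Device Admin PSNs, while 802.1X network access uses a RADIUS server group of the user-services PSNs. The server names, IP addresses, shared-secret placeholders, the local fallback username and the method-list name ADMIN are assumed values.

```cisco
! --- Dedicated Device Administration PSNs (TACACS+) ---
! Addresses and keys are placeholders (assumed values).
tacacs server ISE-DA-PSN1
 address ipv4 10.10.1.11
 key <tacacs-shared-secret>
 timeout 5
tacacs server ISE-DA-PSN2
 address ipv4 10.10.1.12
 key <tacacs-shared-secret>
 timeout 5
!
aaa group server tacacs+ ISE-DA
 server name ISE-DA-PSN1
 server name ISE-DA-PSN2
!
! --- Network Access PSNs (RADIUS for 802.1X) ---
radius server ISE-NA-PSN1
 address ipv4 10.10.2.21 auth-port 1812 acct-port 1813
 key <radius-shared-secret>
radius server ISE-NA-PSN2
 address ipv4 10.10.2.22 auth-port 1812 acct-port 1813
 key <radius-shared-secret>
!
aaa group server radius ISE-NA
 server name ISE-NA-PSN1
 server name ISE-NA-PSN2
!
aaa new-model
! Device Administration: the ADMIN method lists reference the TACACS+
! group only, with the local database as fallback if every Device
! Admin PSN is unreachable.
aaa authentication login ADMIN group ISE-DA local
aaa authorization exec ADMIN group ISE-DA local
aaa authorization commands 15 ADMIN group ISE-DA if-authenticated
aaa accounting exec ADMIN start-stop group ISE-DA
aaa accounting commands 15 ADMIN start-stop group ISE-DA
!
! Network Access: the dot1x/network method lists only ever reference
! the RADIUS group, so a burst of endpoint authentications never
! queues behind, or times out, administrator logins.
aaa authentication dot1x default group ISE-NA
aaa authorization network default group ISE-NA
aaa accounting dot1x default start-stop group ISE-NA
!
! Local fallback account, used only while the TACACS+ group is down.
username admin-fallback privilege 15 secret <strong-local-secret>
!
line vty 0 15
 login authentication ADMIN
 authorization exec ADMIN
 authorization commands 15 ADMIN
 accounting exec ADMIN
 accounting commands 15 ADMIN
 transport input ssh
```

Because the ADMIN and default method lists reference disjoint server groups, load or an outage on the Network Access PSNs cannot delay or fail administrator logins, and vice versa, which is the "load from Network Access may impact Device Administration" concern the table above lists against a combined deployment. Two caveats on the fallbacks: `if-authenticated` on command authorization means that while all Device Admin PSNs are unreachable any authenticated user's commands are permitted, and the `local` fallback means the local account is usable during that window, so keep that secret strong and alert on local-database authentications in the device logs.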
Scale & Sizing
Please see the ISE Performance & Scale page for a consolidation of ISE performance and scale including per-protocol performance with RADIUS and TACACS+.