ISE TACACS+ Deployment & Sizing Guidance


Deployments

There are 3 ways you can deploy TACACS+ with ISE:

Option 1: Dedicated Deployments
  Architecture: (diagram)
  Pros:
  • Complete separation of policy & operations for Device Administration vs. Network Access
  • Potential for increased log retention for both deployments
  Cons:
  • Separate ISE deployments to maintain & monitor
  • Cost of additional PAN and MNT nodes for the second deployment

Option 2: Dedicated PSNs
  Architecture: (diagram)
  Pros:
  • Centralized policy and monitoring for all AAA
  • Scale Device Administration independently from Network Access as needed
  Cons:
  • Per-PSN utilization may be low for a dedicated function
  • May need additional PSNs for distributed coverage
  • Potential need for cross-department administrative access depending on the organization

Option 3: Mixed PSNs
  Architecture: (diagram)
  Pros:
  • Centralized policy & monitoring for all AAA needs
  • Share resources / reduced cost
  • Avoid underutilized PSNs
  • Same configuration for all PSNs
  • Scale all AAA needs incrementally by adding a PSN when or where needed
  Cons:
  • Load from Network Access may impact Device Administration services and vice versa


Whether you dedicate a separate instance to TACACS+ is primarily a security and operational policy decision. If Device Administration is separated in ACS today, continue doing so if that model serves you well. If you wish to combine TACACS+ Device Administration and RADIUS in the same deployment, then dedicating nodes to the TACACS+ service may be the best option for a large organization, because it prevents user services from impacting device admin services and vice versa.

 

Regarding the question of whether the Device Admin service should run on the same PSNs that also serve RADIUS, or on dedicated nodes, use the following general guidance:

  • For a programmatic device admin model (scripts or tools issuing commands automatically), dedicated PSN nodes for the Device Admin service are recommended.
  • For a human device admin model, where individual admin users manually log in and manage network devices, consider the following example:
      – 20 concurrent device admins @ 1 command/s = 40 TPS (each command generates a command authorization plus an accounting record)
      – In this scenario, it is acceptable to run the Device Admin service on PSNs that also run other core user services.
      – If you expect a much higher level of activity, such as a much higher number of concurrent admins or transactions, then consider dedicating the service.


Note that organizational requirements and security policies such as “separation of device admin and user access control” may dictate the need for dedicated PSN nodes for the Device Admin function, or even an isolated ISE deployment to separate RADIUS and TACACS+ (T+) control.


Scale & Sizing

Please see the ISE Performance & Scale page for consolidated ISE performance and scale figures, including per-protocol performance for RADIUS and TACACS+.