Cisco Support Community

New Member

ISE deployment

Hi,

If I have a deployment with 3 ISE servers, two of the ISE servers are working as a standalone primary and secondary and the third as a RADIUS proxy for VPN client users. Will the VPN client users be able to benefit from the authorization, posturing and profiling features, or can they only be authenticated with a local database or LDAP? In other words, will the ISE working as a RADIUS proxy be able to communicate with the policy personas on the standalone server?

Regards,

6 REPLIES
Hall of Fame Super Silver

ISE questions will probably get more traction in the Security forum.

That said, the answer is "it depends". It all depends on your design. Is your third server a Policy Services Node or an Inline Posture Node (IPEP)? Either way, one of those would generally be positioned so as to provide profiling, posture and enforcement services working in conjunction with the Admin server(s). If a server is not part of the overall architecture, it will not.

All new ISE designs should be based on the Cisco-approved High Level Design (HLD) template. If you follow that and develop your Low Level design based on it, many of the typical questions should be answered.

Hope this helps.

New Member

In my design, I have 2 standalone servers with all 3 personas: "admin, policy and monitoring". I need to put an inline posture node to tap the VPN users. Will the VPN client users be able to benefit from the authorization, posturing and profiling in this case? In other words, will the ISE working as an inline posture node be able to communicate with the policy personas on the standalone server?

Hall of Fame Super Silver

Yes, that is how it is intended to be used - subordinate to and enforcing the policies defined in the admin / policy / monitoring systems. Calling any of them standalone is a bit of a misstatement though, as they all work together to secure your enterprise. None of the servers is truly standalone in an architecture such as you describe, as each is linked to the others and it is as a coherent system that they operate.

New Member

I don't know whether I have to open a new discussion to get my answer or whether it is OK to post my question here.

We have two ISE nodes working as a primary & secondary node (failover) for all three personas (Admin, Monitoring & Policy). They are being used to tap wired & wireless users. Now we have a requirement to tap VPN users who are being terminated on a Cisco ASA. Can we achieve this with the existing nodes, or do we need a separate ISE node to be configured as an Inline Posture node?

A prompt response would be highly appreciated.

Thanks

Hall of Fame Super Silver

You should start a new discussion, but...

Using current ASA and ISE software, an Inline node is required. That will be the case until the ASA code base has the ability to be integrated with ISE - probably sometime early next year with ASA software 9.1.

Please rate helpful posts.

New Member

Hi Antonio,

You can also check the following link for distributed deployment.

http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bea904.shtml
