Re: OT - ISE first deployments / impressions

From: Charles Mitchell <cmitchell_at_force3.com>
Date: Wed, 19 Oct 2011 16:48:04 -0400

Nitin,

If you are trying to do anything other than RADIUS authentication for VPN,
i.e. posture, you will need a dedicated box, called an iPEP, to enforce
posture requirements on any VPN users. For HA you will need two; more
details in the response to your HA question. Posture in ISE requires CoA
(change of authorization) support, available in newer IOS code. The Cisco
ASA 8.x code does not have this feature built in yet, therefore requiring
the iPEP to force the CoA in line between the ASA and the network. The
iPEP has two deployment options, L2 inline and L3 routed.

In your initial question you mentioned 1200 endpoints. Is that the total,
including printers, IP phones, etc., or only users? If 1200 is the true
"total" number, you can use two 3315s to enforce the wired policy in
conjunction with the one/two iPEPs for VPN. This design is limited to a
MAX of 2000 endpoints and 5 PDPs. At that point you would have to break
out the PDPs, like the old NAC Server, from the PAP and M&T
(Administration node (like NAC Manager) and Monitoring and
Troubleshooting node). That one 3315 in the DR requires a little more
discussion around WAN bandwidth and load, as running distributed services
over that link may saturate the link. Let us know if you want to discuss
more on this, i.e. speed requirements and traffic profiles. IOS/802.1X
does incorporate a critical VLAN feature that could be an option in place
of the DR box in the case that WAN speed is a limiting factor.

In reference to the HA, it is not at all like the old NAC Manager/Server
HA. With the new ISE technology using RADIUS, we can leverage server
groups in IOS to give two+ servers to reference in the case that any one
is down; same for VPN (ASA). This option gives redundancy in the case
that the primary server is down: the next server in the group will receive
the RADIUS authentication request. There is also the option to leverage a
load balancer for the RADIUS authentication requests in the event that
there is a large cluster of PDPs. The ISE solution also uses the idea of
cluster groups for the PDP roles. What this allows is information sharing
about all RADIUS sessions between all servers in the cluster group,
therefore if one server dies in the middle of the RADIUS authentication
the other servers in the group can pick up where it left off.

The Administration point, or PAP, uses HA through a manual failover
(Primary/Secondary), where, if the primary node is down, you have to
manually promote the secondary to the primary role to make any changes.
The caveat to this is that the PDPs can operate independent of the PAP in
a distributed deployment.

Hope that makes it all a little more clear for you.

Chad

On 10/19/11 3:34 PM, "Nitin Venugopal" <nitinsworld_at_gmail.com> wrote:

>Thanks Ryan
>
>1- The requirement for authentication / posture assessment for wired and VPN
>- Can one ISE appliance do both functionalities or does it require a
>dedicated ISE for VPN?
>
>2- The design I was looking at is 2 x ISE 3315 units for wired users in the
>Production Datacenter & 1 x 3315 ISE in the DR.
>
>How do the distributed architecture and licensing work?
>
>3- I am looking at designing High Availability (Active-Standby at the
>Production Datacenter); how does it work? As there is no concept like in
>the previous release - NAC Manager controlling all NAC Servers and NAC
>Server having high availability.
>
>Regds-Nitin
>
>
>
>
>On Wed, Oct 19, 2011 at 11:15 PM, Ryan West <rwest_at_zyedge.com> wrote:
>
>> On Wed, Oct 19, 2011 at 15:11:03, Nitin Venugopal wrote:
>> > Subject: Re: OT - ISE first deployments / impressions
>> >
>> > I am also working on an ISE design for 1200 endpoints.
>> >
>> > I have a couple of related questions:
>> > Does VPN need a dedicated appliance?
>>
>> Depends on the overall load I believe; is the deployment for VPN only? You
>> could run all roles on one device.
>>
>> > Would a single Advanced license suffice for 3 standalone units in a
>> > single deployment?
>>
>> Licensing is on end user node count and shared across the appliances that
>> are joined together.
>>
>> > How does the HA work in reality ?
>>
>> I'll let you know what I find on this. Are you asking about shared
>> addressing, replication, role sharing, etc..?
>>
>> >
>> > Appreciate it if someone can share more insight on this.
>> >
>>
>> -ryan
>
>
>Blogs and organic groups at http://www.ccie.net
>
>_______________________________________________________________________
>Subscription information may be found at:
>http://www.groupstudy.com/list/CCIELab.html

Received on Wed Oct 19 2011 - 16:48:04 ART

This archive was generated by hypermail 2.2.0 : Tue Nov 15 2011 - 13:10:29 ART
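The RADIUS server-group redundancy, the CoA support and the critical VLAN fallback that Chad describes, written out as one IOS access-switch configuration. This is an added example, not configuration posted by anyone in this thread: the server addresses (10.0.0.11 and 10.0.0.12), the shared secret, the VLAN IDs, the interface and the group name are placeholders, and it uses the classic `radius-server host` syntax of the 2011-era IOS releases rather than the later `radius server <name>` form.

```cisco
! Added example: two ISE policy nodes in one RADIUS server group, with
! dead-server detection, CoA from either node, and a critical VLAN fallback.
! Addresses, key, VLAN IDs and interface are placeholders (assumptions).
aaa new-model
!
! Primary and secondary ISE PDPs (assumed addresses)
radius-server host 10.0.0.11 auth-port 1812 acct-port 1813 key ISE-SHARED-SECRET
radius-server host 10.0.0.12 auth-port 1812 acct-port 1813 key ISE-SHARED-SECRET
!
! Declare a server dead after 3 unanswered requests within 5 seconds, and
! skip it for 15 minutes so every new authentication is not delayed waiting
! on the dead node before failing over
radius-server dead-criteria time 5 tries 3
radius-server deadtime 15
!
! Server group: requests go to 10.0.0.11 first and fail over to 10.0.0.12
aaa group server radius ISE-GROUP
 server 10.0.0.11 auth-port 1812 acct-port 1813
 server 10.0.0.12 auth-port 1812 acct-port 1813
!
aaa authentication dot1x default group ISE-GROUP
aaa authorization network default group ISE-GROUP
aaa accounting dot1x default start-stop group ISE-GROUP
!
! Accept Change of Authorization from either PDP, which is what a
! posture-driven re-authorization relies on
aaa server radius dynamic-author
 client 10.0.0.11 server-key ISE-SHARED-SECRET
 client 10.0.0.12 server-key ISE-SHARED-SECRET
!
dot1x system-auth-control
!
! Critical VLAN: if every server in the group is dead, authorize new
! sessions into VLAN 999 instead of leaving the port unauthorized, and
! re-initialize the session when a server comes back so ISE policy is
! applied again
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 authentication event server dead action authorize vlan 999
 authentication event server alive action reinitialize
 dot1x pae authenticator
 mab
```

After applying it, `show aaa servers` on the switch reports each server's state (UP or DEAD) and the counters behind the dead-criteria decision, which is the quickest way to confirm that failover to the second node actually happens when the first is taken down. The critical VLAN should be treated as a reduced-access network, not a substitute for a reachable policy node, since sessions authorized into it have had no ISE policy applied.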