This chapter describes several network deployment scenarios, provides information about how to deploy the Cisco Identity Services Engine (ISE) SNS 3400 Series appliance and its related components, and provides a pointer to the switch and Wireless LAN Controller configurations that are needed to support Cisco ISE. This chapter contains the following sections:
Cisco ISE architecture includes the following components:
Nodes and persona types
– Cisco ISE node—A Cisco ISE node can assume any or all of the following personas: Administration, Policy Service, or Monitoring
– Inline Posture node—A gatekeeping node that takes care of access policy enforcement
Note Figure 1-1 shows Cisco ISE nodes and personas (Administration, Policy Service, and Monitoring), an Inline Posture node, and a policy information point.
The policy information point represents the point at which external information is communicated to the Policy Service persona. For example, external information could be a Lightweight Directory Access Protocol (LDAP) attribute.
Figure 1-1 Cisco ISE Architecture
Network Deployment Terminology
The following terms are commonly used when discussing Cisco ISE deployment scenarios:
Service—A service is a specific feature that a persona provides such as network access, profiling, posture, security group access, monitoring, and troubleshooting.
Node—A node is an individual instance that runs the Cisco ISE software. Cisco ISE is available as an appliance and as software that can be run on VMware.
Node Type—A node can be one of two types: A Cisco ISE node or an Inline Posture node. The node type and persona determine the type of functionality provided by a node.
Persona—The persona or personas of a node determines the services provided by a node. A Cisco ISE node can assume any or all of the following personas: Administration, Policy Service, and Monitoring. The menu options that are available through the administrative user interface depend on the role and personas that a node assumes.
Role—The role of a node determines if it is a standalone, primary, or secondary node and applies only to Administration and Monitoring nodes.
Node Types and Personas in Distributed Deployments
In a Cisco ISE distributed deployment, there are two types of nodes:
Cisco ISE node—Administration, Policy Service, Monitoring
Inline Posture node
A Cisco ISE node can provide various services based on the persona that it assumes. Each node in a deployment, with the exception of the Inline Posture node, can assume the Administration, Policy Service, and Monitoring personas. In a distributed deployment, you can have the following combination of nodes on your network:
Primary and secondary Administration nodes for high availability
A pair of Monitoring nodes for automatic failover
One or more Policy Service nodes for session failover
A pair of Inline Posture nodes for high availability
Administration Node
A Cisco ISE node with the Administration persona allows you to perform all administrative operations on Cisco ISE. It handles all system-related configurations that are related to functionality such as authentication, authorization, and accounting. In a distributed deployment, you can have one or a maximum of two nodes running the Administration persona. The Administration persona can take on the standalone, primary, or secondary role.
Policy Service Node
A Cisco ISE node with the Policy Service persona provides network access, posture, guest access, client provisioning, and profiling services. This persona evaluates the policies and provides network access to endpoints based on the result of the policy evaluation. You can have more than one node assume this persona. Typically, there is more than one Policy Service node in a distributed deployment. All Policy Service nodes that reside behind a load balancer share a common multicast address and can be grouped to form a node group. If one of the nodes in a node group goes down, the other nodes detect the failure and reset any pending sessions.
At least one node in your distributed setup should assume the Policy Service persona.
Monitoring Node
A Cisco ISE node with the Monitoring persona functions as the log collector and stores log messages from all the Administration and Policy Service nodes in a network. This persona provides advanced monitoring and troubleshooting tools that you can use to effectively manage a network and resources. A node with this persona aggregates and correlates the data that it collects, and provides you with meaningful reports. Cisco ISE allows you to have a maximum of two nodes with this persona, and they can take on primary or secondary roles for high availability. Both the primary and secondary Monitoring nodes collect log messages. In case the primary Monitoring node goes down, the secondary Monitoring node automatically becomes the primary Monitoring node.
At least one node in your distributed setup should assume the Monitoring persona. We recommend that you do not have the Monitoring and Policy Service personas enabled on the same Cisco ISE node. We recommend that the Monitoring node be dedicated solely to monitoring for optimum performance.
Inline Posture Node
An Inline Posture node is a gatekeeping node that is positioned behind network access devices such as wireless LAN controllers (WLCs) and VPN concentrators on the network. Inline Posture enforces access policies after a user has been authenticated and granted access, and handles change of authorization (CoA) requests that a WLC or VPN is unable to accommodate. Cisco ISE allows you to have two Inline Posture nodes, and they can take on primary or secondary roles for high availability.
The Inline Posture node must be a dedicated node. It must be dedicated solely for Inline Posture service, and cannot operate concurrently with other Cisco ISE services. Likewise, due to the specialized nature of its service, an Inline Posture node cannot assume any persona. For example, it cannot act as an Administration node (offering administration service), or a Policy Service node (offering network access, posture, profile, and guest services), or a Monitoring node (offering monitoring and troubleshooting services).
Inline Posture is not supported on the Cisco SNS 3495 platform. Ensure that you install Inline Posture on any one of the following supported platforms: Cisco ISE 3315, Cisco ISE 3355, Cisco ISE 3395, or Cisco SNS 3415.
Inline Posture Node Installation
You must download the Inline Posture ISO image from Cisco.com and install it on any of the supported platforms, configure certificates through the CLI, and register this node from the user interface of the primary Administration node.
Note You cannot access the web-based user interface of the Inline Posture nodes. You can configure them only from the primary Administration node.
If you decide that you no longer need an Inline Posture node, you cannot add any services or roles to it, but you can change it to a Cisco ISE node and then assign any persona to it. If you want to reuse an Inline Posture node, you must first deregister it and then reimage the appliance and install Cisco ISE, Release 1.2, on it.
Standalone and Distributed Deployments
A deployment that has a single Cisco ISE node is called a standalone deployment. This node runs the Administration, Policy Service, and Monitoring personas.
A deployment that has more than one Cisco ISE node is called a distributed deployment. To support failover and to improve performance, you can set up a deployment with multiple Cisco ISE nodes in a distributed fashion. In a Cisco ISE distributed deployment, administration and monitoring activities are centralized, and processing is distributed across the Policy Service nodes. Depending on your performance needs, you can scale your deployment. A Cisco ISE node can assume any of the following personas: Administration, Policy Service, and Monitoring. An Inline Posture node cannot assume any other persona, due to its specialized nature and it must be a dedicated node.
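The node, persona, and role constraints stated in the sections above (at most two Administration and two Monitoring nodes, at least one Policy Service and one Monitoring node, at most two Inline Posture nodes that carry no persona and run only on the listed platforms) can be checked before a deployment is built. The following validator is an added example, not Cisco code; the node names and the sample deployment are constructed for illustration.

```python
# Added example (not from the Cisco guide): checks a proposed node list against
# the deployment rules this chapter states for Cisco ISE 1.2.
from dataclasses import dataclass, field

PERSONAS = {"Administration", "Policy Service", "Monitoring"}
# Platforms on which the chapter says Inline Posture is supported (not SNS 3495).
INLINE_POSTURE_PLATFORMS = {"ISE 3315", "ISE 3355", "ISE 3395", "SNS 3415"}


@dataclass
class Node:
    name: str
    platform: str
    node_type: str                      # "ISE" or "Inline Posture"
    personas: set = field(default_factory=set)


def validate_deployment(nodes):
    """Return (errors, warnings): errors break the rules, warnings break recommendations."""
    errors, warnings = [], []
    admin = [n for n in nodes if "Administration" in n.personas]
    psn = [n for n in nodes if "Policy Service" in n.personas]
    mnt = [n for n in nodes if "Monitoring" in n.personas]
    ipn = [n for n in nodes if n.node_type == "Inline Posture"]

    if not admin:
        errors.append("no Administration node")
    if len(admin) > 2:
        errors.append("more than 2 Administration nodes")
    if not psn:
        errors.append("no Policy Service node")
    if not mnt:
        errors.append("no Monitoring node")
    if len(mnt) > 2:
        errors.append("more than 2 Monitoring nodes")
    if len(ipn) > 2:
        errors.append("more than 2 Inline Posture nodes")

    for n in nodes:
        unknown = n.personas - PERSONAS
        if unknown:
            errors.append(f"{n.name}: unknown persona(s) {sorted(unknown)}")
        if n.node_type == "Inline Posture":
            if n.personas:   # an Inline Posture node must be dedicated
                errors.append(f"{n.name}: Inline Posture node cannot assume a persona")
            if n.platform not in INLINE_POSTURE_PLATFORMS:
                errors.append(f"{n.name}: Inline Posture unsupported on {n.platform}")
        # In a distributed deployment the chapter recommends keeping Monitoring
        # off the Policy Service nodes; a standalone node necessarily runs both.
        elif len(nodes) > 1 and {"Monitoring", "Policy Service"} <= n.personas:
            warnings.append(f"{n.name}: Monitoring and Policy Service on the same node")
    return errors, warnings


# Constructed sample deployment: two Administration/Monitoring nodes, one
# Policy Service node, and an Inline Posture node on an unsupported platform.
SAMPLE = [
    Node("pan-1", "SNS 3495", "ISE", {"Administration", "Monitoring"}),
    Node("pan-2", "SNS 3495", "ISE", {"Administration", "Monitoring"}),
    Node("psn-1", "SNS 3415", "ISE", {"Policy Service"}),
    Node("ipn-1", "SNS 3495", "Inline Posture"),
]

if __name__ == "__main__":
    print(validate_deployment(SAMPLE))
```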
The smallest Cisco ISE deployment consists of two Cisco ISE nodes as shown in Figure 1-2, with one Cisco ISE node functioning as the primary appliance in a small network.
Note Concurrent endpoints represent the total number of supported users and devices. Concurrent endpoints can be any combination of users, personal computers, laptops, IP phones, smart phones, gaming consoles, printers, fax machines, or other types of network devices.
The primary node provides all the configuration, authentication, and policy capabilities that are required for this network model, and the secondary Cisco ISE node functions in a backup role. The secondary node supports the primary node and maintains a functioning network whenever connectivity is lost between the primary node and network appliances, network resources, or RADIUS.
Centralized authentication, authorization, and accounting (AAA) operations between clients and the primary Cisco ISE node are performed using the RADIUS protocol. Cisco ISE synchronizes or replicates all of the content that resides on the primary Cisco ISE node with the secondary Cisco ISE node. Thus, your secondary node is current with the state of your primary node. In a small network deployment, this configuration model lets you configure both your primary and secondary nodes on all RADIUS clients.
Figure 1-2 Small Network Deployment
As the number of devices, network resources, users, and AAA clients increases in your network environment, you should change your deployment configuration from the basic small model and use more of a split or distributed deployment model, as shown in Figure 1-3.
Figure 1-2 shows the secondary Cisco ISE node acting as a Policy Service persona performing AAA functions. The secondary Cisco ISE node could also be acting as a Monitoring or Administration persona.
In split Cisco ISE deployments, you continue to maintain primary and secondary nodes as described in a small Cisco ISE deployment. However, the AAA load is split between the two Cisco ISE nodes to optimize the AAA workflow. Each Cisco ISE appliance (primary or secondary) needs to be able to handle the full workload if there are any problems with AAA connectivity. Neither the primary node nor the secondary node handles all AAA requests during normal network operations because this workload is distributed between the two nodes.
The ability to split the load in this way directly reduces the stress on each Cisco ISE node in the system. In addition, splitting the load balances the work better while keeping the secondary node in active service during normal network operations.
In split Cisco ISE deployments, each node can perform its own specific operations, such as network admission or device administration, and still perform all the AAA functions in the event of a failure. If you have two Cisco ISE nodes that process authentication requests and collect accounting data from AAA clients, we recommend that you set up one of the Cisco ISE nodes to act as a log collector. Figure 1-3 shows the secondary Cisco ISE node in this role.
Figure 1-3 Split Network Deployment
In addition, the split Cisco ISE node deployment design provides an advantage because it also allows for growth, as shown in Figure 1-4.
Medium-Sized Network Deployments
As small, local networks grow, you can keep pace and manage network growth by adding Cisco ISE nodes to create a medium-sized network. In medium-sized network deployments, you can dedicate the new nodes for all AAA functions, and use the original nodes for configuration and logging functions.
As the amount of log traffic increases in a network, you can choose to dedicate one or two of the secondary Cisco ISE nodes for log collection in your network.
Figure 1-4 Medium-Sized Network Deployment
Large Network Deployments
We recommend that you use centralized logging (as shown in Figure 1-5) for large Cisco ISE networks. To use centralized logging, you must first set up a dedicated logging server that serves as a Monitoring persona (for monitoring and logging) to handle the potentially high syslog traffic that a large, busy network can generate.
Because syslog messages are generated for outbound log traffic, any RFC 3164-compliant syslog appliance can serve as the collector for outbound logging traffic. A dedicated logging server enables you to use the reports and alert features that are available in Cisco ISE to support all the Cisco ISE nodes. See the “Cisco ISE Setup Program Parameters” section when configuring the Cisco ISE software to support a dedicated logging server.
You can also consider having the appliances send logs to both a Monitoring persona on the Cisco ISE node and a generic syslog server. Adding a generic syslog server provides a redundant backup if the Monitoring persona on the Cisco ISE node goes down.
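The two paragraphs above rely on the collector accepting BSD syslog (RFC 3164) and on sending each message to both the Monitoring node and a generic syslog backup. The following added example (not Cisco code) builds and parses RFC 3164 lines and fans each line out to both collectors; the collector host names, the message tag, and the sample event are constructed placeholders.

```python
# Added example (not from the Cisco guide): RFC 3164 line builder/parser plus a
# UDP/514 fan-out to the Monitoring node and a generic syslog backup collector.
import re
import socket
from datetime import datetime

RFC3164_MAX_BYTES = 1024   # RFC 3164 caps a packet at 1024 bytes
_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[A-Za-z0-9_]+): (?P<msg>.*)$"
)


def build_rfc3164(facility, severity, host, tag, msg, when):
    """Return '<PRI>TIMESTAMP HOST TAG: MSG' with PRI = facility*8 + severity."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0..23 and severity 0..7")
    # RFC 3164 timestamp: 'Mmm dd hh:mm:ss' with the day space-padded.
    ts = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    raw = f"<{facility * 8 + severity}>{ts} {host} {tag}: {msg}".encode("ascii", "replace")
    return raw[:RFC3164_MAX_BYTES].decode("ascii")


def parse_rfc3164(line):
    """Parse a line back into its fields; None if it is not RFC 3164 shaped."""
    m = _LINE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    return {"facility": pri // 8, "severity": pri % 8, "timestamp": m["ts"],
            "host": m["host"], "tag": m["tag"], "msg": m["msg"]}


# Constructed collector addresses (placeholders, not from the guide): the
# Monitoring node first, then a generic RFC 3164 syslog server as redundant backup.
COLLECTORS = [("ise-mnt.example.internal", 514), ("syslog-backup.example.internal", 514)]


def forward(line, collectors=COLLECTORS):
    """Send one syslog line to every collector over UDP/514; return those that accepted it."""
    delivered = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for host, port in collectors:
            try:
                sock.sendto(line.encode("ascii"), (host, port))
                delivered.append((host, port))
            except OSError:
                pass   # a dead collector must not stop delivery to the other one
    return delivered


# Constructed sample event: facility local0 (16 is local0; 4 here is 'auth'), severity info.
SAMPLE_WHEN = datetime(2013, 5, 3, 9, 7, 1)
SAMPLE_LINE = build_rfc3164(4, 6, "ise-psn-1", "ise_auth",
                            "Passed-Authentication user=alice", SAMPLE_WHEN)

if __name__ == "__main__":
    print(SAMPLE_LINE, parse_rfc3164(SAMPLE_LINE), forward(SAMPLE_LINE))
```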
In large centralized networks, you should use a load balancer (as shown in Figure 1-5), which simplifies the deployment of AAA clients. Using a load balancer requires only a single entry for the AAA servers, and the load balancer optimizes the routing of AAA requests to the available servers.
However, having only a single load balancer introduces the potential for having a single point of failure. To avoid this potential issue, deploy two load balancers to ensure a measure of redundancy and failover. This configuration requires you to set up two AAA server entries in each AAA client, and this configuration remains consistent throughout the network.
Figure 1-5 Large Network Deployment
Dispersed Network Deployments
Dispersed Cisco ISE network deployments are most useful for organizations that have a main campus with regional, national, or satellite locations elsewhere. The main campus hosts the primary network, connects to additional LANs, can range in size from small to large, and supports appliances and users in different geographical regions and locations.
Large remote sites can have their own AAA infrastructure (as shown in Figure 1-6) for optimal AAA performance. A centralized management model helps maintain a consistent, synchronized AAA policy. A centralized configuration model uses a primary Cisco ISE node with secondary Cisco ISE nodes. We still recommend that you use a separate Monitoring persona on the Cisco ISE node, but each remote location should retain its own unique network requirements.
Figure 1-6 Dispersed Deployment
Before You Plan a Network with Several Remote Sites
Verify if a central or external database is used, such as Microsoft Active Directory or Lightweight Directory Access Protocol (LDAP). Each remote site should have a synchronized instance of the external database that is available for Cisco ISE to access for optimizing AAA performance.
The location of AAA clients is important. You should locate the Cisco ISE nodes as close as possible to the AAA clients to reduce network latency effects and the potential for loss of access that is caused by WAN failures.
Cisco ISE has console access for some functions such as backup. Consider using a terminal at each site, which allows for direct, secure console access that bypasses network access to each node.
If small, remote sites are in close proximity and have reliable WAN connectivity to other sites, consider using a Cisco ISE node as a backup for the local site to provide redundancy.
Domain Name System (DNS) should be properly configured on all Cisco ISE nodes to ensure access to the external databases.
Deployment Size and Scaling Recommendations
This section provides guidance on the size of the physical and virtual machine appliances that you would need for your deployment based on the number of endpoints that connect to your network. Table 1-1 provides guidance on the type of deployment, number of Cisco ISE nodes, and the type of appliance (small, medium, large) that you need based on the number of endpoints that connect to your network.
Table 1-1 Cisco ISE Deployment—Size and Scaling Recommendations

| Number of Nodes/Personas | Platform | Maximum Number of Dedicated Policy Service Nodes | Number of Active Endpoints |
|---|---|---|---|
| Standalone or redundant (2) nodes with Administration, Policy Service, and Monitoring personas enabled. | Cisco ISE 3300 Series (3315, 3355, 3395) | | Maximum of 2,000 endpoints |
| | Cisco ISE 3415 | | Maximum of 5,000 endpoints |
| | Cisco ISE 3495 | | Maximum of 10,000 endpoints |
| Administration and Monitoring personas on single or redundant nodes. Maximum of 2 Administration and Monitoring nodes. | Cisco ISE-3355 or Cisco SNS 3415 appliances for Administration and Monitoring personas | | Maximum of 5,000 endpoints |
| | Cisco ISE 3395 or Cisco SNS 3495 appliances for Administration and Monitoring personas | | Maximum of 10,000 endpoints |
| Dedicated Administration node/nodes. Maximum of 2 Administration nodes. Dedicated Monitoring node/nodes. Maximum of 2 Monitoring nodes. | Cisco ISE 3395 appliances for Administration and Monitoring personas | | Maximum of 100,000 endpoints |
| | Cisco SNS 3495 appliances for Administration and Monitoring personas | | Maximum of 250,000 endpoints |
Table 1-2 provides guidance on the type of appliance that you would need for a dedicated Policy Service node based on the number of active endpoints the node services.
Table 1-2 Policy Service Node Size Recommendations

| Appliance | Number of Active Endpoints |
|---|---|
| Physical appliance | 3,000 to 20,000 |
| Virtual machine appliance | Comparable to physical appliance |

Table 1-3 provides the maximum throughput and the maximum number of endpoints that a single Inline Posture node can support.

| Maximum number of endpoints per physical appliance | 5,000 to 20,000 (gated by Policy Service nodes) |
|---|---|
| Maximum throughput per any physical appliance | |
Inline Posture Planning Considerations
A network or system architect is responsible for researching the issues involved in Inline Posture deployment to determine what best suits network requirements.
A network or system architect must address the following basic questions when planning to deploy Inline Posture nodes:
Will deployment plans include an Inline Posture primary-secondary pair configuration? Cisco ISE networks support up to two Inline Posture nodes configured on a network at any one time.
What type of Inline Posture operating modes will you choose?
The untrusted interface on an Inline Posture node should be disconnected when an Inline Posture node is being configured. If the trusted and untrusted interfaces are connected to the same VLAN during initial configuration, and the Inline Posture node boots up after changing persona, multicast packet traffic gets flooded out of the untrusted interface. This multicast event can potentially bring down devices that are connected to the same subnet or VLAN. The Inline Posture node at this time is in the maintenance mode.
Do not change the CLI password for an Inline Posture node once it has been added to the deployment. If the password is changed, when you access the Inline Posture node through the Administration node, a Java exception error is displayed and the CLI gets locked. You need to recover the password by using the installation DVD and rebooting the Inline Posture node. Or, you can set the password back to the original one.
If you need to change the password, then deregister the Inline Posture node from the deployment, modify the password, and then add the node to the deployment with the new credentials.
Switch and Wireless LAN Controller Configuration Required to Support Cisco ISE Functions
To ensure that Cisco ISE can interoperate with network switches and that functions from Cisco ISE are successful across the network segment, you must configure your network switches with certain required Network Time Protocol (NTP), RADIUS/AAA, IEEE 802.1X, MAC Authentication Bypass (MAB), and other settings.