Cisco ISE architecture includes the following components:
Nodes and persona types
Cisco ISE node—A Cisco ISE node can assume any or all of the
following personas: Administration, Policy Service, Monitoring, or pxGrid
Inline Posture node—A gatekeeping node that takes care of access
policy enforcement
Network resources
Endpoints
The policy information point represents the point at which
external information is communicated to the Policy Service persona. For
example, external information could be a Lightweight Directory Access Protocol
(LDAP) attribute.
The following figure shows Cisco ISE nodes and personas (Administration, Policy Service, and Monitoring), an Inline Posture node, and a policy information point.
Figure 1. Cisco ISE Architecture
Cisco ISE Deployment
Terminology
This guide uses the following terms when discussing Cisco ISE
deployment scenarios:
Term | Definition
Service | A specific feature that a persona provides, such as network access, profiling, posture, security group access, monitoring, and troubleshooting.
Node | An individual physical or virtual Cisco ISE appliance.
Node Type | A node can be one of two types: a Cisco ISE node or an Inline Posture node. The node type and persona determine the type of functionality provided by a node.
Persona | Determines the services provided by a node. A Cisco ISE node can assume any or all of the following personas: Administration, Policy Service, Monitoring, and pxGrid. The menu options that are available through the administrative user interface depend on the role and personas that a node assumes.
Role | Determines whether a node is a standalone, primary, or secondary node. Roles apply only to Administration and Monitoring nodes.
Node Types and Personas in Distributed Deployments
In a Cisco ISE
distributed deployment, there are two types of nodes:
Cisco ISE node (Administration, Policy Service, Monitoring)
Inline Posture node
A Cisco ISE node can provide various services based on the persona that it assumes. Each node in a deployment, with the exception of the Inline Posture node, can assume the Administration, Policy Service, pxGrid, and Monitoring personas. In a distributed deployment, you can have
the following combination of nodes on your network:
Primary and secondary Administration nodes for high availability
A pair of Monitoring nodes for automatic failover
One or more Policy Service nodes for session failover
One or more pxGrid nodes for pxGrid services
A pair of Inline Posture nodes for high availability
Administration Node
A Cisco ISE node with the Administration persona
allows you to perform all administrative operations on Cisco ISE. It handles
all system-related configurations that are related to functionality such as
authentication, authorization, and accounting. In a distributed deployment, you
can have a maximum of two nodes running the Administration persona. The
Administration persona can take on the standalone, primary, or secondary role.
Policy Service Node
A Cisco ISE node with the Policy Service persona provides
network access, posture, guest access, client provisioning, and profiling
services. This persona evaluates the policies and makes all the decisions. You
can have more than one node assume this persona. Typically, there would be more
than one Policy Service node in a distributed deployment. All Policy Service
nodes that reside in the same high-speed Local Area Network (LAN) or behind a
load balancer can be grouped together to form a node group. If one of the nodes
in a node group fails, the other nodes detect the failure and reset any
URL-redirected sessions.
At least one node in your distributed setup should assume the
Policy Service persona.
Monitoring Node
A Cisco ISE node with the Monitoring persona
functions as the log collector and stores log messages from all the
Administration and Policy Service nodes in a network. This persona provides
advanced monitoring and troubleshooting tools that you can use to effectively
manage a network and resources. A node with this persona aggregates and
correlates the data that it collects, and provides you with meaningful reports.
Cisco ISE allows you to have a maximum of two nodes with this persona, and they
can take on primary or secondary roles for high availability. Both the primary
and secondary Monitoring nodes collect log messages. In case the primary
Monitoring node goes down, the secondary Monitoring node automatically becomes
the primary Monitoring node.
At least one node in your distributed setup should
assume the Monitoring persona. We recommend that you do not have the Monitoring
and Policy Service personas enabled on the same Cisco ISE node. We recommend
that the Monitoring node be dedicated solely to monitoring for optimum
performance.
Inline Posture Node
An Inline Posture node is a gatekeeping node that is positioned
behind network access devices such as wireless LAN controllers (WLCs) and VPN
concentrators on the network. Inline Posture enforces access policies after a
user has been authenticated and granted access, and handles change of
authorization (CoA) requests that a WLC or VPN is unable to accommodate. Cisco
ISE allows you to have two Inline Posture nodes, and they can take on primary
or secondary roles for high availability.
The Inline Posture node must be a dedicated node. It must be
dedicated solely for Inline Posture service, and cannot operate concurrently
with other Cisco ISE services. Likewise, due to the specialized nature of its
service, an Inline Posture node cannot assume any persona. For example, it
cannot act as an Administration node (offering administration service), or a
Policy Service node (offering network access, posture, profile, and guest
services), or a Monitoring node (offering monitoring and troubleshooting
services).
Inline Posture is not supported on the Cisco SNS 3495 platform.
Ensure that you install Inline Posture on any one of the following supported
platforms:
Cisco ISE 3315
Cisco ISE 3355
Cisco ISE 3395
Cisco SNS 3415
Install an Inline Posture Node
Before you begin
Download the Inline Posture ISO image from Cisco.com
Configure a certificate for it and register it with the primary
Administration node
Procedure
Step 1
Install the Inline Posture ISO image on one of the supported
platforms.
Step 2
Log into the CLI.
Step 3
Configure the certificates for the node.
Step 4
Log into the user interface of the primary Administration node.
Step 5
Register the Inline Posture node.
Inline Posture Node Reuse
You cannot add services or roles to an Inline Posture node. If you no longer need it as an Inline Posture node, you can convert it to a Cisco ISE node and then assign any persona to it. To reuse the appliance this way, first deregister the Inline Posture node from the deployment, then reimage the appliance and install Cisco ISE on it.
Standalone and Distributed ISE Deployments
A deployment that has a single Cisco ISE node is called a
standalone deployment. This node runs the Administration,
Policy Service, and Monitoring personas.
A deployment that has more than one Cisco ISE node is called a
distributed deployment. To support failover and to improve
performance, you can set up a deployment with multiple Cisco ISE nodes in a
distributed fashion. In a Cisco ISE distributed deployment, administration and
monitoring activities are centralized, and processing is distributed across the
Policy Service nodes. Depending on your performance needs, you can scale your
deployment. A Cisco ISE node can assume any of the following personas: Administration, Policy Service, Monitoring, and pxGrid.
An Inline Posture node cannot assume any persona; because of its specialized role, it must be a dedicated node.
Distributed Deployment Scenarios
Small Network Deployments
Medium-Sized Network Deployments
Large Network Deployments
Small Network Deployments
The smallest Cisco ISE deployment consists of two Cisco ISE nodes, with one node functioning as the primary appliance for a small network.
The primary node provides all the configuration, authentication, and policy capabilities that this network model requires, and the secondary node functions in a backup role. The secondary node keeps the network functioning whenever connectivity is lost between the primary node and the network appliances, network resources, or RADIUS clients.
Centralized authentication, authorization, and accounting (AAA) between clients and the primary Cisco ISE node uses the RADIUS protocol. Cisco ISE replicates all of the configuration that resides on the primary node to the secondary node, so the secondary node stays current with the state of the primary node. This model therefore lets you define both the primary and the secondary node as RADIUS servers on every RADIUS client, so that clients fail over to the secondary node when the primary node is unreachable.
Figure 2. Small Network Deployment
As the number of devices, network resources, users, and AAA clients increases in your network environment, you should change
your deployment configuration from the basic small model and use more of a split or distributed deployment model.
Split Deployments
In split Cisco ISE deployments, you continue to
maintain primary and secondary nodes as described in a small Cisco ISE
deployment. However, the AAA load is split between the two Cisco ISE nodes to
optimize the AAA workflow. Each Cisco ISE appliance (primary or secondary) must be able to handle the full workload if there is a problem with AAA connectivity. During normal network operation, neither the primary node nor the secondary node handles all AAA requests, because the workload is distributed between the two nodes.
Splitting the load in this way directly reduces the stress on each Cisco ISE node. It also keeps the secondary node in active use, so its ability to serve requests is confirmed continuously during normal operation rather than discovered only at failover.
In split Cisco ISE deployments, each node can
perform its own specific operations, such as network admission or device
administration, and still perform all the AAA functions in the event of a
failure. If you have two Cisco ISE nodes that process authentication requests
and collect accounting data from AAA clients, we recommend that you set up one
of the Cisco ISE nodes to act as a log collector.
In addition, the split Cisco ISE deployment design
provides an advantage because it allows for growth.
Figure 3. Split Network Deployment
Medium-Sized Network Deployments
As small networks grow, you can keep pace and
manage network growth by adding Cisco ISE nodes to create a medium-sized
network. In medium-sized network deployments, you can dedicate the new nodes
for all AAA functions, and use the original nodes for configuration and logging
functions.
Note
In a medium-sized network deployment, you cannot enable the Policy Service persona on a node that runs the Administration
persona, Monitoring persona, or both. You need dedicated policy service node(s).
As the amount of log traffic increases in a
network, you can choose to dedicate one or two of the secondary Cisco ISE nodes
for log collection in your network.
Figure 4. Medium-Sized Network Deployment
Large Network Deployments
Centralized Logging
We recommend that you use centralized logging for
large Cisco ISE networks. To use centralized logging, you must first set up a
dedicated logging server that serves as a Monitoring persona (for monitoring
and logging) to handle the potentially high syslog traffic that a large, busy
network can generate.
Because Cisco ISE emits its outbound log traffic as syslog messages, any RFC 3164-compliant syslog appliance can serve as the collector. A dedicated logging server also lets you use the reports and alert features available in Cisco ISE across all the Cisco ISE nodes.
You can also have the appliances send logs both to the Monitoring persona on a Cisco ISE node and to a generic syslog server. The generic syslog server provides a redundant backup if the Monitoring node goes down. Note that plain RFC 3164 syslog is neither authenticated nor encrypted, so place the collector on a management network that the nodes can reach without crossing untrusted segments.
Load Balancers
In large centralized networks, you should use a
load balancer, which simplifies the deployment of AAA clients. Using a load
balancer requires only a single entry for the AAA servers, and the load
balancer optimizes the routing of AAA requests to the available servers.
However, having only a single load balancer
introduces the potential for having a single point of failure. To avoid this
potential issue, deploy two load balancers to ensure a measure of redundancy
and failover. This configuration requires you to set up two AAA server entries
in each AAA client, and this configuration remains consistent throughout the
network.
Figure 5. Large Network Deployment
Dispersed Network Deployments
Dispersed Cisco ISE network deployments are most
useful for organizations that have a main campus with regional, national, or
satellite locations elsewhere. The main campus is where the primary network
resides, is connected to additional LANs, ranges in size from small to large,
and supports appliances and users in different geographical regions and
locations.
Large remote sites can have their own AAA
infrastructure for optimal AAA performance. A centralized management model
helps maintain a consistent, synchronized AAA policy. A centralized
configuration model uses a primary Cisco ISE node with secondary Cisco ISE
nodes. We still recommend that you use a dedicated Monitoring node, while each remote location retains its own local network requirements.
Figure 6. Dispersed Deployment
Considerations for Planning a Network with Several Remote Sites
Verify if a central or external database is
used, such as Microsoft Active Directory or Lightweight Directory Access
Protocol (LDAP). Each remote site should have a synchronized instance of the
external database that is available for Cisco ISE to access for optimizing AAA
performance.
The location of AAA clients is important.
You should locate the Cisco ISE nodes as close as possible to the AAA clients
to reduce network latency effects and the potential for loss of access that is
caused by WAN failures.
Cisco ISE requires console access for some functions, such as backup. Consider deploying a terminal server at each site to provide direct, secure console access to each node that does not depend on the data network.
If small, remote sites are in close
proximity and have reliable WAN connectivity to other sites, consider using a
Cisco ISE node as a backup for the local site to provide redundancy.
Domain Name System (DNS) should be properly
configured on all Cisco ISE nodes to ensure access to the external databases.
Deployment Size and Scaling Recommendations
The following table provides guidance on the type of
deployment, number of Cisco ISE nodes, and the type of appliance (small,
medium, large) that you need based on the number of endpoints that connect to
your network.
Table 1. Cisco ISE Deployment—Size and Scaling Recommendations
Deployment Type | Number of Nodes/Personas | Appliance Platform | Maximum Number of Dedicated Policy Service Nodes | Number of Active Endpoints
Small | Standalone or redundant (2) nodes with Administration, Policy Service, and Monitoring personas enabled | Cisco ISE 3300 Series (3315, 3355, 3395) | 0 | Maximum of 2,000 endpoints
Small | Same as above | Cisco SNS 3415 | 0 | Maximum of 5,000 endpoints
Small | Same as above | Cisco SNS 3495 | 0 | Maximum of 10,000 endpoints
Medium | Administration and Monitoring personas on single or redundant nodes; maximum of 2 Administration and Monitoring nodes | Cisco ISE 3355 or Cisco SNS 3415 appliances for Administration and Monitoring personas | 5 | Maximum of 5,000 endpoints
Medium | Same as above | Cisco SNS 3495 appliances for Administration and Monitoring personas | 5 | Maximum of 10,000 endpoints
Large | Dedicated Administration node(s), maximum of 2; dedicated Monitoring node(s), maximum of 2; dedicated Policy Service nodes, maximum of 40 | Cisco ISE 3395 appliances for Administration and Monitoring personas | 40 | Maximum of 100,000 endpoints
Large | Same as above | Cisco SNS 3495 appliances for Administration and Monitoring personas | 40 | Maximum of 250,000 endpoints
The following table provides guidance on the type of appliance
that you would need for a dedicated Policy Service node based on the number of
active endpoints the node services.
Table 2. Policy Service Node Size Recommendations
Form Factor | Platform Size | Appliance | Maximum Endpoints
Physical | Small | Cisco ISE 3315 | 3,000
Physical | Small | Cisco SNS 3415 | 5,000
Physical | Medium | Cisco ISE 3355 | 6,000
Physical | Large | Cisco ISE 3395 | 10,000
Physical | Large | Cisco SNS 3495 | 20,000
Virtual Machine | Small/Medium/Large | Comparable to physical appliance | 3,000 to 20,000
The following table provides the maximum throughput and the maximum number of endpoints that a single Inline Posture node can support.
Maximum number of endpoints per physical appliance | 5,000 to 20,000 (gated by Policy Service nodes)
Maximum throughput per physical appliance | 936 Mbps
Inline Posture Planning Considerations
A network or system architect must address the
following basic questions when planning to deploy Inline Posture nodes:
Will deployment plans include an Inline
Posture primary-secondary pair configuration? Cisco ISE networks support up to
two Inline Posture nodes configured on a network at any one time.
What type of Inline Posture operating modes
will you choose?
Caution
The untrusted interface on an Inline
Posture node should be disconnected when an Inline Posture node is being
configured. If the trusted and untrusted interfaces are connected to the same
VLAN during initial configuration, and the Inline Posture node boots up after
changing persona, multicast packet traffic gets flooded out of the untrusted
interface. This multicast event can potentially bring down devices that are
connected to the same subnet or VLAN. The Inline Posture node at this time is
in the maintenance mode.
Caution
Do not change the CLI password for Inline Posture node once it
has been added to the deployment. If the password is changed, when you access
the Inline Posture node through the Administration node, a Java exception error
is displayed and the CLI gets locked. You need to recover the password by using
the installation DVD and rebooting the Inline Posture node. Or, you can set the
password to the original one.
If you need to change the password, then deregister the Inline
Posture node from the deployment, modify the password, and then add the node to
the deployment with the new credentials.
Switch and Wireless LAN Controller Configuration Required to Support Cisco ISE Functions
To ensure that Cisco ISE can interoperate with
network switches and that functions from Cisco ISE are successful across the
network segment, you must configure your network switches with certain required
Network Time Protocol (NTP), RADIUS/AAA, IEEE 802.1X, MAC Authentication Bypass
(MAB), and other settings.
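The following Cisco IOS access-switch configuration is an added example, not taken from this guide; it shows how the small-deployment advice (both Cisco ISE nodes defined on every RADIUS client), the two-server-entry requirement under Load Balancers, and the NTP, RADIUS/AAA, 802.1X, and MAB settings this section introduces fit together on one switch. The addresses 10.1.1.11 and 10.1.1.12 (Policy Service nodes), 10.1.1.5 (NTP server), the shared secret, and the interface name are placeholders that you replace with your own values.

```cisco
! Added example, not from the Cisco ISE guide. Addresses, shared
! secret and interface name are placeholders.
!
! Switch and ISE clocks must agree for certificate validation and
! for correlating logs on the Monitoring node.
ntp server 10.1.1.5
!
aaa new-model
!
! One entry per Policy Service node. With two load balancers, these
! two entries would instead point at the two virtual addresses.
radius server ISE-PSN-1
 address ipv4 10.1.1.11 auth-port 1812 acct-port 1813
 key SharedSecretPlaceholder
radius server ISE-PSN-2
 address ipv4 10.1.1.12 auth-port 1812 acct-port 1813
 key SharedSecretPlaceholder
!
! The switch tries servers in the order listed; the second node takes
! over once the first is marked dead.
aaa group server radius ISE-RADIUS
 server name ISE-PSN-1
 server name ISE-PSN-2
!
! Mark a server dead after 3 unanswered requests within 5 seconds and
! keep it out of rotation for 15 minutes, so that a failed primary
! does not add a timeout to every authentication.
radius-server dead-criteria time 5 tries 3
radius-server deadtime 15
radius-server vsa send authentication
radius-server vsa send accounting
!
aaa authentication dot1x default group ISE-RADIUS
aaa authorization network default group ISE-RADIUS
aaa accounting dot1x default start-stop group ISE-RADIUS
! Periodic interim accounting keeps session state on ISE current.
aaa accounting update newinfo periodic 2880
!
! Accept RADIUS Change of Authorization (CoA) from each Policy
! Service node that may hold the session.
aaa server radius dynamic-author
 client 10.1.1.11 server-key SharedSecretPlaceholder
 client 10.1.1.12 server-key SharedSecretPlaceholder
!
dot1x system-auth-control
!
interface GigabitEthernet1/0/1
 description Access port: 802.1X with MAB fallback
 switchport mode access
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
```

After applying the configuration, `show aaa servers` reports each RADIUS server's state and counters, and `test aaa group ISE-RADIUS <user> <password> new-code` sends a real Access-Request through the group, which confirms that both shared secrets match and that the second entry answers when the first is unreachable. Keep the two server entries identical on every switch, as the Load Balancers section requires; a switch that lists only one node has no failover path.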