A Cisco ISE node with the Administration persona allows you to perform all administrative operations on Cisco ISE. It handles all system-related configurations that are related to functionalities such as authentication, authorization, auditing, and so on.

In a distributed deployment, you can have a maximum of two nodes running the Administration persona. The Administration persona can take on of these roles—standalone, primary, or secondary.

A Cisco ISE node with the Policy Service persona provides network access, posture, guest access, client provisioning, and profiling services. This persona evaluates policies and makes decisions.

You can have more than one node assume this persona. Typically, distributed deployments have more than one Policy Service node.

You can group all Policy Service nodes that reside in the same high-speed local area network (LAN) or are behind a load balancer as a node group. If one node in a group fails, the other nodes detect the failure and reset URL-redirected sessions.

At least one node in your distributed setup should assume the Policy Service persona.

A Cisco ISE node with the Monitoring persona

• functions as the log collector and stores log messages from all the Administration and Policy Service nodes.

• provides advanced monitoring and troubleshooting tools to effectively manage a network and resources.

• aggregates and correlates the data that it collects, and provides meaningful reports

You can have a maximum of two nodes with this persona, and they can take on primary or secondary roles for high availability. In case the primary Monitoring node goes down, the secondary Monitoring node automatically becomes the primary Monitoring node.

At least one node in your distributed setup should assume the Monitoring persona. We recommend that you do not have the Monitoring and Policy Service personas enabled on the same Cisco ISE node. We recommend that the Monitoring node be dedicated solely to monitoring for optimum performance.

You can use Cisco pxGrid to share the context-sensitive information from Cisco ISE session directory with other network systems such as ISE ecosystem partner systems and other Cisco platforms. The pxGrid framework can also be used to exchange policy and configuration data between nodes, such as sharing tags and policy objects between Cisco ISE and third-party vendors, and for other information exchanges. Cisco pxGrid also allows third-party systems to invoke adaptive network control actions to quarantine users or devices in response to a network or security event.

TrustSec information, such as tag definition, value, and description, can be passed from Cisco ISE to other networks through the TrustSec topic. You can publish and subscribe to SXP bindings (IP-SGT mappings) through pxGrid.

Endpoint profiles with fully qualified names (FQNs) can be passed from Cisco ISE to other networks through an endpoint profile meta topic. Cisco pxGrid also supports bulk download of tags and endpoint profiles.

In a high-availability configuration, pxGrid servers replicate information between nodes through the PAN. When the PAN goes down, the pxGrid server stops handling client registration and subscription. You must manually promote the PAN to activate the pxGrid server.

Note	Only the clients that are part of the groups included in the policy can subscribe to the service specified in that policy.

In split deployments, the AAA load is split between the primary and secondary nodes to optimize the AAA workflow.

Each node must be able to handle the full workload if there are any problems with AAA connectivity. During normal network operations, neither the primary node nor the secondary node handles all AAA requests, because the workload is distributed between the two nodes.

Split deployment provides better load distribution and ensures that the secondary node remains functional during normal network operations. This design also supports deployment expansion.

In split deployments, each node can perform its own specific operations, such as network admission or device administration, and still perform all the AAA functions if a failure occurs. If two nodes process authentication requests and collect accounting data from AAA clients, configure one node to act as a log collector.

We recommend that you use centralized logging for large Cisco ISE networks. To use centralized logging, you must first set up a dedicated logging server that acts as a Monitoring node to handle the potentially high syslog traffic that a large, busy network can generate.

You can use an RFC 3164-compliant syslog appliance to collect the syslog messages generated for outbound log traffic.

You can also consider having the appliances send logs to both a Monitoring node and a generic syslog server. A generic syslog server provides redundant backup if the Monitoring node goes down.

You can load balancers for large centralized networks to optimize the routing of AAA requests to the available servers.

Having only a single load balancer creates a single point of failure in the system. To avoid this potential issue, deploy two load balancers to ensure redundancy and failover. This configuration requires you to set up two AAA server entries in each AAA client.

Dispersed Cisco ISE network deployments are most useful for organizations that have a main campus with regional, national, or satellite locations elsewhere. The main campus is where the primary network resides. It is connected to additional LANs, ranges in size from small to large, and supports appliances and users in different geographical regions and locations.

Large remote sites can have their own AAA infrastructure for optimal AAA performance. Use a centralized management model to maintain a consistent, synchronized AAA policy. A centralized configuration model uses a primary Cisco ISE node with secondary Cisco ISE nodes.