Cisco Identity Services Engine (ISE) is a network security policy management platform. It can act as a RADIUS or TACACS+ server and provides features such as 802.1X, MAB, Guest, Profiling, Posture and BYOD. There are various ways to deploy Cisco ISE. ISE is made up of four basic services, also known as personas.
1> PAN (Primary Administration Node)
2> MNT (Monitoring and Troubleshooting Node)
3> PSN (Policy Service Node)
4> pxGrid Controller (PXG)
The PAN node is for administration; all configuration is done from the PAN node. A deployment can have at most two Admin nodes: one acts as the primary node and the other as the secondary node, which can be promoted to primary on demand or automatically.
The MNT node collects all kinds of logs from the various nodes in a deployment. A deployment can have at most two MNT nodes (primary and secondary).
The PSN node is the node that actually provides RADIUS and TACACS+ services to end users. A deployment can have up to 50 PSN nodes.
The pxGrid node shares contextual information with other security products such as firewalls and proxies. Contextual information means user-to-IP mappings, SGT tags and so on.
How to create a distributed Cisco ISE deployment
For this post we will create a two-node deployment and enable all personas on both nodes. The steps remain the same if we want to enable different personas on each node. To form a deployment the ISE nodes need to run the same software and patch version; the nodes may be of different form factors, hardware (even different hardware models) or virtual (on-prem or cloud), and the latency between nodes should be less than 300 ms.
The first node has the hostname ise-admin and the second node has the hostname ise-mnt. We will keep ise-admin as the primary node and ise-mnt as the secondary. When we form a cluster we log in to the GUI of the primary node and add all the other nodes from there.
Step 1> Ensure forward and reverse lookups for the nodes are configured and that each ISE node is able to resolve the forward and reverse entries of the other nodes.
Log in to the CLI of ise-admin and perform an nslookup for its own hostname and for the secondary node's hostname.
Log in to the CLI of ise-mnt and perform an nslookup for its own hostname and for the other node's hostname.
We have now verified forward lookup by doing an nslookup of each ISE hostname.
Log in to the CLI of ise-admin and perform an nslookup for its own IP address and the other node's IP address.
Log in to the CLI of ise-mnt and perform an nslookup for its own IP address and the other node's IP address.
Step 2> Promote the ise-admin node from standalone to primary. Doing so has no impact on the services of the node.
Navigate to Administration > Deployment, select the node and click Edit, select Make Primary and click Save.
Under Roles we can now see that it shows PRI(A), PRI(M).
Step 3> Now we will add the second node to the deployment. Navigate to Administration > System > Deployment and click Register.
Enter the FQDN of the node to be registered, then enter the GUI username and password of the node being joined.
Once we click Register we may get a warning if the certificate of the node being joined is not trusted by the PAN node. Click Import Certificate and proceed.
Now we need to select the personas to enable on this node. For this post we are configuring all three personas on the newly joined node.
If we just want a secondary Admin node, keep Administration enabled and disable all other options. If we want a secondary MNT node, enable only the Monitoring button and disable the rest. The same goes for PSN and pxGrid.
Once we click Register we will see the newly joined node; under the Status column we will see an exclamation mark. The node takes some 20-30 minutes to join, after which the status turns green.
A healthy deployment looks as below. Note the Roles are PRI(A), PRI(M) and SEC(A), SEC(M).
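The manual nslookup checks in Step 1 and the same-software-version requirement are the two prerequisites that most often make a Register attempt fail. The script below is an added example (not Cisco code and not part of the original post) that automates those checks from a management host: for each node it confirms the forward lookup returns the expected IP, the reverse lookup returns the expected FQDN, and all nodes report the same version. The resolvers are injectable, so the sample run uses a constructed DNS table; the node names, IPs and version strings are hypothetical.

```python
import socket
from typing import Callable, Dict, List, Optional

# Resolver signatures: forward maps FQDN -> IP (or None), reverse maps IP -> FQDN (or None).
Forward = Callable[[str], Optional[str]]
Reverse = Callable[[str], Optional[str]]

def socket_forward(fqdn: str) -> Optional[str]:
    """Live A-record lookup through the OS resolver."""
    try:
        return socket.gethostbyname(fqdn)
    except socket.gaierror:
        return None

def socket_reverse(ip: str) -> Optional[str]:
    """Live PTR lookup through the OS resolver."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def precheck(nodes: Dict[str, dict], forward: Forward = socket_forward,
             reverse: Reverse = socket_reverse) -> List[str]:
    """Return the list of prerequisite failures; an empty list means the nodes can be joined.

    nodes maps FQDN -> {"ip": ..., "version": ...} as read from each node's CLI.
    """
    problems: List[str] = []
    for fqdn, info in nodes.items():
        got_ip = forward(fqdn)
        if got_ip != info["ip"]:
            problems.append(f"forward lookup {fqdn}: expected {info['ip']}, got {got_ip}")
        got_name = reverse(info["ip"])
        if got_name is None or got_name.lower() != fqdn.lower():
            problems.append(f"reverse lookup {info['ip']}: expected {fqdn}, got {got_name}")
    versions = {info["version"] for info in nodes.values()}
    if len(versions) > 1:  # ISE refuses to register nodes on different software/patch levels
        problems.append("software/patch mismatch: " + ", ".join(sorted(versions)))
    return problems

# Constructed sample data standing in for the post's two nodes (hypothetical names and IPs).
SAMPLE_NODES = {
    "ise-admin.example.com": {"ip": "192.0.2.10", "version": "3.1 patch 3"},
    "ise-mnt.example.com": {"ip": "192.0.2.11", "version": "3.1 patch 3"},
}
SAMPLE_FORWARD = {"ise-admin.example.com": "192.0.2.10", "ise-mnt.example.com": "192.0.2.11"}
SAMPLE_REVERSE = {"192.0.2.10": "ise-admin.example.com", "192.0.2.11": "ise-mnt.example.com"}
```

Calling `precheck(SAMPLE_NODES)` with the default resolvers runs the same checks against live DNS from the host where the script runs.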