Understanding the ISE Server Deployment
This chapter provides an overview of possible Cisco Identity Services Engine (ISE) server deployments and the components involved, and contains the following sections:
•Deployment Scenarios
•Understanding Setting Up an ISE Server
Deployment Scenarios
This section describes three scenarios in which ISE might be deployed in a distributed deployment:
•Small ISE Network Deployments
•Medium ISE Network Deployments
•Large ISE Network Deployments
We need a table that defines network sizes based on concurrent users, number of supported sessions, number of endpoints, volume of traffic, number of servers, is HA part of this equation, and/or some other means that describe what constitutes a small, medium, or large network.
This chapter needs input and technical information from TMEs, DEV, and other teams to make it Beta ready.
In a distributed environment, ISE provides services according to the role that each server plays, and you can configure one or more roles for each ISE instance. An ISE instance can perform one or more of the following roles:
•PAP—the Policy Administration Point (or PAP) is the administrative service that runs on ISE. If you want to set up a distributed deployment, you must configure it using the primary PAP user interface (UI). All configurations related to authentication, authorization, auditing, and other supported ISE services must be made on the primary PAP.
All configuration changes are replicated to the secondary ISE server nodes that you add to the deployment through the primary PAP. A PAP can function as a primary, secondary, or standalone server (standalone PAP servers are not considered part of the deployment). You can have more than one PAP, but there can be only a single primary PAP in your deployed system. All other PAP servers are designated as secondary in your deployment.
•PDP—the Policy Decision Point (or PDP) is the runtime component that provides network access, posture, guest access, and profiling services. This component evaluates the policies and makes all the decisions.
•iPEP—TBD
•M&T—the Monitoring and Troubleshooting (M&T) component of ISE acts as the log collector and it stores log messages from all of the PAP and PDP servers in your network. M&T provides advanced monitoring and troubleshooting tools that you can use to effectively manage your network and resources.
An M&T node aggregates and correlates data that it collects and provides you with meaningful information in the form of reports. ISE allows you to have two M&T instances configured in an active-standby pair in a high availability mode. Both the active and standby M&T instances will collect log messages. In this mode, if the active M&T node goes down the standby M&T node automatically becomes the active node and performs that role.
Note You can have only one primary PAP server in your deployment. The other ISE servers are secondary servers that can be configured for one or more of the roles just described. When the primary PAP server is lost, you must promote one of the secondary PAP servers to become the primary PAP. ISE supports the promotion of any secondary PAP server to serve as the primary PAP server.
Once the ISE installation has been completed, you must configure one of your Cisco ISE instances as the primary PAP. You can edit the primary PAP and enable any service that you want to run on the primary. You can register the secondary PAP servers and edit their configuration profiles using the primary PAP's UI. After you install a secondary PAP server, ISE immediately creates a database link between the primary and the secondary server for replicating and synchronizing all changes.
In addition, you can remove a node from the deployment using a two-step process: first deregister the node, and then delete it from the deployment. When you deregister a node from the primary, the deregistered node's status changes to Standalone.
The connection between the primary and that secondary server is lost, which means that no replication updates are sent to the deregistered node. However, the deregistered node is still displayed in the primary PAP's UI. To remove the node, you must delete it after you have deregistered it. To register a deregistered node with the PAP again, you must first reset the database configuration on the node, which returns it to the freshly installed state, and then register it again.
For more information on ISE server services, refer to the User Guide for the Cisco Identity Services Engine, Release 1.0. For more information on resetting the configuration of a node, refer to the Cisco Identity Services Engine CLI Reference Guide, Release 1.0.
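The node lifecycle rules described above (a single primary PAP, registration through the primary, the two-step deregister-then-delete removal, the configuration reset before re-registration, promotion of a secondary PAP when the primary is lost, and the limit of one active-standby M&T pair) can be captured as a small model with explicit guards. The following is an added example written for this guide; it is not ISE code or an ISE API, and the class names, method names, and hostnames are this example's own.

```python
from dataclasses import dataclass, field


class DeploymentError(Exception):
    """Raised when an operation would violate one of the deployment rules."""


@dataclass
class Node:
    name: str
    roles: set = field(default_factory=set)  # subset of {"PAP", "PDP", "M&T"}
    status: str = "Standalone"               # Standalone | Primary | Secondary
    fresh: bool = True                        # True right after install or a config reset


class Deployment:
    """Tracks the nodes, the single primary PAP, and who receives replication."""

    VALID_ROLES = {"PAP", "PDP", "M&T"}

    def __init__(self, primary: Node):
        # The first node configured becomes the primary PAP (exactly one allowed).
        primary.roles.add("PAP")
        primary.status = "Primary"
        primary.fresh = False
        self.primary = primary.name
        self.nodes = {primary.name: primary}

    def register(self, node: Node, roles: set) -> None:
        """Add a secondary through the primary PAP; replication starts immediately."""
        if node.name in self.nodes:
            raise DeploymentError(f"{node.name} is already part of the deployment")
        if node.status != "Standalone" or not node.fresh:
            raise DeploymentError(f"{node.name} must be in a freshly installed state")
        self._check_roles(roles)
        node.roles = set(roles)
        node.status = "Secondary"
        node.fresh = False
        self.nodes[node.name] = node

    def deregister(self, name: str) -> None:
        """Removal step 1: status becomes Standalone, replication stops, entry stays listed."""
        node = self._secondary(name)
        node.status = "Standalone"

    def delete(self, name: str) -> None:
        """Removal step 2: only a deregistered (Standalone) node can be deleted."""
        node = self.nodes.get(name)
        if node is None:
            raise DeploymentError(f"{name} is not known to this deployment")
        if node.status != "Standalone":
            raise DeploymentError(f"deregister {name} before deleting it")
        del self.nodes[name]

    @staticmethod
    def reset_config(node: Node) -> None:
        """Return a deregistered node to the freshly installed state for re-registration."""
        if node.status != "Standalone":
            raise DeploymentError(f"{node.name} must be deregistered before a config reset")
        node.roles = set()
        node.fresh = True

    def promote(self, name: str) -> None:
        """Promote a secondary PAP to primary after the original primary is lost."""
        node = self._secondary(name)
        if "PAP" not in node.roles:
            raise DeploymentError(f"{name} does not run the PAP role and cannot be promoted")
        # Assumption of this example: the lost primary is treated as a secondary once it returns.
        self.nodes[self.primary].status = "Secondary"
        node.status = "Primary"
        self.primary = name

    def replication_targets(self) -> list:
        """Secondaries that currently receive configuration replication from the primary."""
        return sorted(n.name for n in self.nodes.values() if n.status == "Secondary")

    def _secondary(self, name: str) -> Node:
        node = self.nodes.get(name)
        if node is None or node.status != "Secondary":
            raise DeploymentError(f"{name} is not a registered secondary node")
        return node

    def _check_roles(self, roles: set) -> None:
        unknown = set(roles) - self.VALID_ROLES
        if unknown:
            raise DeploymentError(f"unknown roles {sorted(unknown)}")
        # M&T is limited to one active-standby pair, i.e. at most two M&T nodes.
        mnt_count = sum(1 for n in self.nodes.values() if "M&T" in n.roles)
        if "M&T" in roles and mnt_count >= 2:
            raise DeploymentError("only two M&T nodes (active and standby) are allowed")


if __name__ == "__main__":
    d = Deployment(Node("ise-pri"))                # constructed hostnames
    d.register(Node("ise-sec-1"), {"PAP", "PDP"})
    d.register(Node("ise-sec-2"), {"PDP", "M&T"})
    d.deregister("ise-sec-2")
    d.delete("ise-sec-2")
    d.promote("ise-sec-1")
    print(d.primary, d.replication_targets())
```

The guards are the point: `delete` refuses a node that is still a secondary, `register` refuses a deregistered node until `reset_config` has returned it to the fresh state, and `promote` only accepts a secondary that actually runs the PAP role. A change-control script built along these lines catches a mis-ordered removal before it is attempted against the real deployment.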
Small ISE Network Deployments
The smallest and most basic ISE deployment consists of two ISE servers as shown in Figure 1-1, with one ISE server functioning as the primary server in a small network supporting less than 500 concurrent users. The primary server provides all of the configuration, authentication, and policy capabilities required for this network model.
The second ISE server functions in a backup role: it supports the primary server and keeps the network functioning whenever connectivity is lost between the primary ISE server and the secondary network servers, network resources, or RADIUS clients (the clients for which ISE performs centralized authentication, authorization, and accounting). A key requirement is to ensure that you synchronize or replicate the content of the primary ISE server to the secondary ISE server.
The purpose of this is to keep the secondary server current with the state of the primary server. In a small-sized network deployment, this configuration model allows you to configure your primary and secondary servers on all RADIUS clients using the same approach.
Note All subsequent references to AAA in this guide mean RADIUS authentication, authorization, and accounting operations.
Figure 1-1 Small ISE Network Deployment
As the number of devices, network resources, users, and AAA clients increases in your network environment, Cisco recommends changing your deployment configuration from the basic small-sized model and using more of a split or distributed deployment model as shown in Figure 1-2.
Split ISE Deployments
In the case of split ISE deployments, you still maintain a primary and secondary server as described in the small-sized ISE deployment, but the AAA load is split between the two ISE servers to optimize the AAA workflow. Each ISE server (primary or secondary) handles the full workload if there is a problem with AAA connectivity, but during normal operations neither server carries the full load of handling authentication, authorization, and accounting requests because this workload is distributed between them.
Supporting the capability for splitting the server load reduces the stress on each ISE server in the system, which provides better loading and still maintains the functional status of the secondary server through normal operations.
Another advantage is that each server can perform specific operations, such as device administration or network admission, while still being able to perform all the AAA functions in the event of a failure. Because two ISE servers are processing authentication requests and collecting accounting data from AAA clients, Cisco recommends that you set up one of the ISE servers to act as a log collector. Figure 1-2 shows the secondary ISE server in this role as log collector.
Figure 1-2 Split ISE Network Deployment
This design also provides an advantage in that it also allows for growth as shown in Figure 1-3.
Medium ISE Network Deployments
As small, local networks grow in size, you can keep pace and manage network growth by adding some additional ISE servers to create a medium network supporting between 500 and 1000 concurrent users. In medium network deployments, it might be advantageous to consider promoting one ISE server to perform as the primary to handle all the configuration services, and using secondary ISE servers for managing all of your AAA functions.
As the amount of log traffic increases in the network, you can choose to either use the primary ISE server as your centralized log collector or dedicate one of the secondary ISE servers to serve in this capacity for your network.
Figure 1-3 Medium ISE Network Deployment
Large ISE Network Deployments
Cisco recommends using centralized logging (as shown in Figure 1-4) for large ISE networks supporting 1000 to 5000 concurrent users. Centralized logging requires setting up a dedicated logging server that serves as an M&T server, in response to the potentially high syslog traffic that a large, busy network can generate. Because outbound log traffic is sent as syslog messages, any RFC 3164-compliant syslog server can serve as the collector for outbound logging traffic.
A dedicated logging server enables you to use the reports and alert features available in ISE to support all of the ISE servers. See Running the Setup Program, page 5-2 when configuring the ISE system software to support a dedicated logging server. You can also consider having the servers send logs to both an M&T server and a generic syslog server. Adding a generic syslog server provides a redundant backup if the M&T server goes down.
In large centralized networks, you should use a load balancer as shown in Figure 1-4, which simplifies the deployment of AAA clients. This requires only a single entry for the AAA servers with the load balancer optimizing the routing of AAA requests to the available servers.
However, having only a single load balancer introduces the potential for having a single point of failure. So, to avoid this potential issue you should deploy two load balancers to ensure a measure of redundancy and failover. This configuration requires you to set up two AAA server entries in each AAA client and this configuration remains consistent throughout the network.
Figure 1-4 Large ISE Network Deployment
Dispersed ISE Network Deployments
Dispersed ISE network deployments are most useful for organizations that have a main campus with regional, national, or satellite locations elsewhere. The main campus is where the primary network resides, is connected to additional LANs, ranges in size from small to large, and supports servers and users in different geographical regions or distant locations.
To optimize AAA performance, each remote site should have its own AAA infrastructure (as shown in Figure 1-5). A centralized management model helps maintain a consistent, synchronized AAA policy: with centralized configuration, a primary ISE server is used with secondary ISE servers, and a separate M&T server is still recommended. However, each remote location should still retain its own unique network requirements.
Figure 1-5 Dispersed ISE Deployment
Some factors to consider when planning a network having a number of remote sites include:
•Verify whether there is a central or external database in use (Active Directory or LDAP). For optimizing the process, each remote site should have a synchronized instance of the external database available for ISE to access.
•Locating the AAA clients is also a major consideration. You should locate your ISE servers as close as possible to the AAA clients to reduce network latency effects and the potential for loss of access caused by WAN failures.
•ISE has console access for some functions, such as backup. Consider using a terminal at each site. This allows for direct secure console access bypassing network access to each server.
•If small, remote sites are in close proximity and have reliable WAN connectivity to other sites, you may consider using an ISE server in a nearby site as a backup server for the local site to provide a type of redundancy.
•DNS should be properly configured on all ISE nodes to ensure access to the external databases.
Understanding Setting Up an ISE Server
This section briefly describes the roles of various ISE servers and how to configure them. For more information on assigning a role to a server and configuring it, see the User Guide for the Cisco Identity Services Engine, Release 1.0.
This section contains:
•Primary Server
•Secondary Server
•Logging Server
The installation procedure is similar for any ISE server.
See Chapter 5, "Configuring the Cisco ISE-3300 Series Hardware and System Software," for installing ISE on the ISE-3300 series appliance, or Chapter 6, "Installing ISE-3300 System Software in a VMware Virtual Machine," for installing ISE on a VMware ESX server.
Note For any ISE network deployment, it is required that your first hardware appliance installation be performed on the node designated as the primary server in your network.
Primary Server
In an ISE deployment, there can only be one instance that serves as an ISE primary node or server. This primary node is the server that provides configuration capabilities and is the source for all replication operations.
On an ISE primary server, you can set up all the system configurations that are required for an ISE deployment. However, you must configure licenses and local certificates individually for each of the secondary ISE servers in your network environment.
Secondary Server
Because there is only one primary ISE instance in the network, all other ISE instances function as secondary servers. ISE secondary servers receive all the system configurations from the primary server, except that you need to configure the following on each secondary server:
•License—Install a unique base license for each of the ISE secondary servers in the deployment. If you intend your deployment plan to be a large ISE network, install the large deployment license on each of the secondary servers.
•New local certificates—You can either configure the local certificates on the secondary servers or import the local certificates from the primary server onto each secondary server.
•Logging server—You can configure either the primary server or the secondary server to serve as the dedicated logging server for your ISE network. Cisco recommends that you configure a secondary ISE server as the dedicated logging server.
The secondary server must be activated to join the ISE network environment. The administrator can either activate a secondary server or set up the automatic activation. By default, the activation is set as Automatic. Once the secondary server is activated, it starts receiving the full synchronization of the configuration and replication updates from the primary server in the network.
Logging Server
You can configure either the primary server or one of the secondary servers as the dedicated logging server for your network. In this role, the logging server receives logs from the primary server and all the secondary servers deployed in the ISE network. Cisco recommends that you designate one of the ISE secondary servers as the M&T server and exclude this particular secondary server from any of the AAA activities. The three main logging categories that are captured are:
•Audit
•Accounting
•Diagnostics
For a complete description that provides more details on logging categories and best practices for configuring the logging server, see Chapter 15, Setting Up ISE in a Distributed Environment in the User Guide for the Cisco Identity Services Engine, Release 1.0.
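The Large ISE Network Deployments section notes that outbound logs are RFC 3164 syslog and that any compliant collector can receive them, and this section names the three categories a logging server captures. The following added example (not ISE code, and not the page's own) shows what the receiving side of that arrangement does: it parses RFC 3164 lines, buckets them into Audit, Accounting and Diagnostics, counts what each node sent, and flags nodes that should be forwarding but have gone silent. The hostnames, message tags and message contents in the sample feed are constructed for this example; the tag names are placeholders and are not ISE's real message codes.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC 3164 layout: <PRI>TIMESTAMP HOSTNAME TAG[PID]: CONTENT
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\s\[]+)(?:\[(?P<pid>\d+)\])?:? ?"
    r"(?P<msg>.*)$"
)

# Constructed tag names mapped to the guide's three categories. These are NOT
# ISE's real message codes; they are placeholders for this example only.
CATEGORY_BY_TAG = {
    "AUTH_AUDIT": "Audit",
    "ADMIN_AUDIT": "Audit",
    "RADIUS_ACCT": "Accounting",
    "SYSTEM_DIAG": "Diagnostics",
}


@dataclass
class SyslogEvent:
    facility: int
    severity: str
    timestamp: str
    host: str
    tag: str
    message: str
    category: str


def parse_rfc3164(line: str) -> Optional[SyslogEvent]:
    """Parse one RFC 3164 line; return None for anything malformed."""
    m = _RFC3164.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    if pri > 191:  # facility 0..23 and severity 0..7 give a maximum PRI of 191
        return None
    return SyslogEvent(
        facility=pri // 8,
        severity=SEVERITY[pri % 8],
        timestamp=m["ts"],
        host=m["host"],
        tag=m["tag"],
        message=m["msg"],
        category=CATEGORY_BY_TAG.get(m["tag"], "Uncategorized"),
    )


def collect(lines: Iterable[str]) -> Tuple[List[SyslogEvent], List[str]]:
    """Split a feed into parsed events and rejected raw lines (kept for review)."""
    events, rejected = [], []
    for line in lines:
        ev = parse_rfc3164(line)
        if ev is None:
            rejected.append(line)
        else:
            events.append(ev)
    return events, rejected


def summarize(events: List[SyslogEvent]) -> dict:
    """Counts per logging category and per sending node."""
    return {
        "by_category": Counter(e.category for e in events),
        "by_host": Counter(e.host for e in events),
    }


def silent_nodes(events: List[SyslogEvent], expected_hosts: Iterable[str]) -> List[str]:
    """Nodes that should be forwarding logs but sent nothing in this feed."""
    seen = {e.host for e in events}
    return sorted(h for h in expected_hosts if h not in seen)


# Constructed sample feed: hostnames, tags and contents are made up.
SAMPLE_LINES = [
    "<134>Mar  3 10:15:01 ise-sec-1 AUTH_AUDIT: user=alice result=PASSED nas=10.0.0.5",
    "<134>Mar  3 10:15:02 ise-sec-2 RADIUS_ACCT: session=abc123 type=Start",
    "<131>Mar  3 10:15:03 ise-pri SYSTEM_DIAG: disk=85% replication=ok",
    "<133>Mar  3 10:16:00 ise-sec-1 ADMIN_AUDIT: admin=bob action=policy-edit",
    "<999>Mar  3 10:16:01 ise-sec-1 AUTH_AUDIT: bad PRI value",
    "this line is not syslog at all",
]

if __name__ == "__main__":
    evs, bad = collect(SAMPLE_LINES)
    print(summarize(evs))
    print("rejected:", len(bad))
    print("silent:", silent_nodes(evs, ["ise-pri", "ise-sec-1", "ise-sec-2", "ise-sec-3"]))
```

Rejected lines are kept rather than dropped because a collector that silently discards unparseable input hides both misconfigured senders and tampering attempts; the silent-node check is the complement, since a node that stops forwarding is just as much a gap in audit coverage as one whose messages cannot be parsed.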