Downloads |
 Feedback
|
Table Of Contents
Understanding the ISE Server Deployment
Medium ISE Network Deployments
Dispersed ISE Network Deployments
Understanding Setting Up an ISE Server
Understanding the ISE Server Deployment
This chapter provides an overview of possible Cisco Identity Services Engine (ISE) server deployments, the components involved, and contains the following sections:
•
Understanding Setting Up an ISE Server
Deployment Scenarios
This section describes three scenarios in which ISE might be deployed in a distributed deployment:
•
•
•
We need a table that defines network sizes based on concurrent users, number of supported sessions, number of endpoints, volume of traffic, number of servers, is HA part of this equation, and/or some other means that describe what constitutes a small, medium, or large network.
This chapter needs input and technical information from TMEs, DEV, and other teams to make it Beta ready.
To set up Cisco ISE in a distributed environment, ISE provides various services based on the role that the server will play and you can configure a single or multiple roles for each ISE instance. An ISE instance can perform one or more of the following roles:
•
All configuration changes are replicated to the secondary ISE server nodes that you can add to the deployment through the primary PAP. PAP can function as a primary, secondary, or standalone server (standalone PAP servers are not considered part of the deployment). You can have more than one PAP, but there can only be a single primary PAP in your deployed system. All other PAP servers are designated as secondary in your deployment.•
•
•
An M&T node aggregates and correlates data that it collects and provides you with meaningful information in the form of reports. ISE allows you to have two M&T instances configured in an active-standby pair in a high availability mode. Both the active and standby M&T instances will collect log messages. In this mode, if the active M&T node goes down the standby M&T node automatically becomes the active node and performs that role.
Note
Once the ISE installation has been completed, you must configure one of your Cisco ISE instances as the primary PAP. You can edit the primary PAP and enable any service that you want to run on the primary. You can register the secondary PAP servers and edit their configuration profiles using the primary PAP's UI. After you install a secondary PAP server, ISE immediately creates a database link between the primary and the secondary server for replicating and synchronizing all changes.
In addition, you can remove a node from the deployment using a two-step process. You must first deregister the node, and then secondly, delete it from the deployment. When you deregister a node from the primary, the deregistered node's status changes to Standalone.
Any connection between the primary and the secondary server is lost, which means that no replication updates are sent to the Standby node. However, the deregistered secondary node still displays in the primary PAP's UI. To remove the node, you must delete it after you have deregistered it. To register a deregistered node back with the PAP, you must first reset the database configuration on the node and bring it back to a freshly installed node state and then register it again.
For more information on ISE server services, refer to the User Guide for the Cisco Identity Services Engine, Release 1.0. For more information on resetting the configuration of a node, refer to the Cisco Identity Services Engine CLI Reference Guide, Release 1.0.
Small ISE Network Deployments
The smallest and most basic ISE deployment consists of two ISE servers as shown in Figure 1-1, with one ISE server functioning as the primary server in a small network supporting less than 500 concurrent users. The primary server provides all of the configuration, authentication, and policy capabilities required for this network model.
The second ISE server functions in a backup role supporting the primary server and maintaining a functioning network whenever connectivity is lost between secondary network servers, network resources, or RADIUS (where it performs centralized authentication, authorization, and accounting) clients and the primary ISE server. A key requirement is to ensure that you synchronize or replicate the content of the primary ISE server with the secondary ISE server.
The purpose for this is to keep the secondary server current with state of the primary server. In a small-sized network deployment, this configuration model allows you to configure your primary and secondary servers on all RADIUS clients using a similar approach.
Note
Figure 1-1 Small ISE Network Deployment
As the number of devices, network resources, users, and AAA clients increases in your network environment, Cisco recommends changing your deployment configuration from the basic small-sized model and using more of a split or distributed deployment model as shown in Figure 1-2.
Split ISE Deployments
In the case of split ISE deployments, you still maintain a primary and secondary server as described in the small-sized ISE deployment, but the AAA load is split between the two ISE servers to optimize the AAA workflow. Each ISE server (primary or secondary) handles the full workload if there is a problem with AAA connectivity, but during normal operations neither server carries the full load of handling authentication, authorization, and accounting requests because this workload is distributed between them.
Supporting the capability for splitting the server load reduces the stress on each ISE server in the system, which provides better loading and still maintains the functional status of the secondary server through normal operations.
Another advantage is that each server can still perform specific operations, such as device administration or network admission, but it can still perform all the AAA functions in the event of a failure. Having two ISE servers processing authentication requests and collecting accounting data from AAA clients, Cisco recommends that you set up one of the ISE servers to act as a log collector. Figure 1-2 shows the secondary ISE server in this role as log collector.
Figure 1-2 Split ISE Network Deployment
This design also provides an advantage in that it also allows for growth as shown in Figure 1-3.
Medium ISE Network Deployments
As small, local networks grow in size, you can keep pace and manage network growth by adding some additional ISE servers to create a medium network supporting between 500 and 1000 concurrent users. In medium network deployments, it might be advantageous to consider promoting one ISE server to perform as the primary to handle all the configuration services, and using secondary ISE servers for managing all of your AAA functions.
As the amount of log traffic increases in the network, you can choose to either use the primary ISE server as your centralized log collector or dedicate one of the secondary ISE servers to serve in this capacity for your network.
Figure 1-3 Medium ISE Network Deployment
Large ISE Network Deployments
Cisco recommends using centralized logging (as shown in Figure 1-4) for large ISE networks supporting 1000 to 5000 concurrent users. Centralized logging requires setting up a dedicated-logging server that serves as an M&T server in response to the potentially high syslog traffic that a large, busy network can generate. Because syslog messages are generated for outbound log traffic, any RFC-3164-compliant syslog server can serve as the collector for outbound logging traffic.
A dedicated logging server enables you to use the reports and alert features available in ISE to support all of the ISE servers. See Running the Setup Program, page 5-2 when configuring the ISE system software to support a dedicated logging server. You can also consider having the servers send logs to both an M&T server and a generic syslog server. Adding a generic syslog server provides a redundant backup if the M&T server goes down.
In large centralized networks, you should use a load balancer as shown in Figure 1-4, which simplifies the deployment of AAA clients. This requires only a single entry for the AAA servers with the load balancer optimizing the routing of AAA requests to the available servers.
However, having only a single load balancer introduces the potential for having a single point of failure. So, to avoid this potential issue you should deploy two load balancers to ensure a measure of redundancy and failover. This configuration requires you to set up two AAA server entries in each AAA client and this configuration remains consistent throughout the network.
Figure 1-4 Large ISE Network Deployment
Dispersed ISE Network Deployments
Dispersed ISE network deployments are most useful for organizations that have a main campus with regional, national, or satellite locations elsewhere. The main campus is where the primary network resides, is connected to additional LANs, ranges in size from small to large, and supports servers and users in different geographical regions or distant locations.
To optimize AAA performance, each remote site should have its own AAA infrastructure (as shown in Figure 1-5). Using a centralized management model helps maintain a consistent, synchronized AAA policy and with a centralized-configuration, uses a primary ISE server with secondary ISE servers and using a separate M&T server is still recommended. However, each remote location should still retain their own unique network requirements.
Figure 1-5 Dispersed ISE Deployment
Some factors to consider when planning a network having a number of remote sites include:
•
•
•
•
•
Understanding Setting Up an ISE Server
This section briefly describes the roles of various ISE servers and how to configure them. For more information on assigning a role to a server and configuring it, see the User Guide for the Cisco Identity Services Engine, Release 1.0.
This section contains:
The installation procedure is similar for any ISE server.
See Chapter 5, "Configuring the Cisco ISE-3300 Series Hardware and System Software." for installing ISE with the ISE-3300 series appliance or Chapter 6, "Installing ISE-3300 System Software in a VMware Virtual Machine" for installing ISE on a VMware ESX server.
Note
Primary Server
In an ISE deployment, there can only be one instance that serves as an ISE primary node or server. This primary node is the server that provides configuration capabilities and is the source for all replication operations.
On an ISE primary server, you can set up all the system configurations that are required for an ISE deployment. However you must configure licenses and local certificates individually for each of the secondary ISE servers in your network environment.
Secondary Server
Because there is only one single primary ISE instance in the network, all other ISE instances function as secondary servers. ISE secondary servers receive all the system configurations from the primary server except that you need to configure the following on each secondary server:
•
•
•
The secondary server must be activated to join the ISE network environment. The administrator can either activate a secondary server or set up the automatic activation. By default, the activation is set as Automatic. Once the secondary server is activated, it starts receiving the full synchronization of the configuration and replication updates from the primary server in the network.
Logging Server
You can configure to use either a primary server or one of the secondary servers as the dedicated logging server for your network. In this role, the logging server receives logs from the primary server and all the secondary servers deployed in the ISE network. Cisco recommends that you designate one of the ISE secondary servers as the M&T server and exclude this particular secondary server from any of the AAA activities. The three main logging categories that are captured are:
•
•
•
For a complete description that provides more details on logging categories and best practices for configuring the logging server, see Chapter 15, Setting Up ISE in a Distributed Environment in the User Guide for the Cisco Identity Services Engine, Release 1.0.
