ISE Node is Physical device or VM running installed ISE software
- There are four major collections of ISE services that are categorized into personas.
- These personas are responsible for different functions within ISE architecture.
- You can collect them in a single node or distribute them across multiple nodes.
The four Personas are :
This is the control Center, your user interface for licensing and policy configuration.
[if personas distributed in different nodes , we call it Admin node and will push out configurations out to other nodes] , PAN = Policy Administration Node
[Create config on it then it will Push config to PSN]
Policy Service persona:
The policy decision engine processes all ISE related network messaging: DHCP, CDP, NetFlow and RADIUS. It is the RADIUS server for NADs
[if personas distributed in different nodes , we call it Policy Service node = PSN ]
[Carry the config and act as AAA server , passive ID , SXP , Tacacs+ server]
Is the engine for collecting and correlating logs and report data.
It generates reports and alarms for the ISE system.
[if personas distributed in different nodes , we call it Monitoring node] , MnT = Monitoring & Troubleshooting Node
It will enable the sharing of contextual-based information from ISE session directory to other network systems such as ASA.
You can use pxGrid framework to exchange policy and configuration data between nodes.
This data include sharing tags & policy objects between ISE and thrid party vendors for non-ISE related information exchanges such as threat information.
An extra license is required for pxGrid services.
How to Implement Nodes , Personas and Roles?
- Single Node Deployment
By default when we install ISE , it work in this deployment type.
All personas run on single ISE node.
The disadvantage is the lack of fault tolerance and limited scalability.
Support max 2000 endpoints.
- Four Node Deployment [distributed deployment.]
This type provide fault tolerance and scalability.
Introduced the concept of Role.
For Redundancy :
The primary role for Admin persona = Primary Administration Node (PAN)
A secondary role for Admin persona
Cisco Required to minimize inter-node communication overhead to make sure primary admin [PAN] and monitoring personas [MnT] run on the same node.
There is no concept of primary and secondary role for Policy service persona.
But you can have more than one node running Policy service persona.
Policy service persona plays the role of RADIUS server for NADs.
Inside NAD you can configure higher priority to use which Policy service node.
In any ISE deployment, we must have at least one Admin node.
we can have one primary in one node and another secondary in another node.
ISE supports automatic failover between them.
Policy Service Node
Policy Service nodes make a real-time policy-based decisions and convey the polices directly to the NADs for policy enforcement.
Remember, The Admin Role governs policy and the endpoint attributes that it has acquired.
Policy Service node support runtime use cases such as user and endpoint access while other nodes support administrative, monitoring or troubleshooting use cases.
ISE deployment can have more than one Policy service nodes.
If administration and monitoring personas run of the same node or pair of nodes ,
we can have up to 5 Policy service nodes.
If administration and monitoring personas installed independently on their own nodes , we can have up to 50 Policy service nodes.
Each ISE Deployment need at least one Monitoring node.
You can deploy a second for fault tolerance,
in this case, both Active and Standby nodes will collect log messages,
each PSN forwards information to both nodes since monitoring nodes do not synchronize with each other.
Monitoring Node can forward the logged information to external databases which can act as sources for accounting and security related information that is useful as evidence and forensic data.
Any Connect Apex
This extra license you will need (with ISE Apex as well )when using AnyConnect for posture instead of Temporal agent.
So you will buy two :ISE Apex & AnyConnect Apex licenses
You need VM license only if your ISE is ova (VM).
You can have a mixed environment: ISE physical nodes and ISE VM nodes together .