
Cisco ISE: Deployment Selection

Written by Dominic Zeni | Jul 26
Series: Cisco Identity Services Engine (ISE).
Topic: Cisco ISE Deployment 
Entry: Cisco ISE Deployment Selection

This entry in our Cisco ISE blog series begins our exploration into ISE itself.  Up to this point, we have been digging into the details of the 802.1X network authentication use case and mostly referencing Cisco ISE as the RADIUS authentication server.  Now that you (hopefully) have a good understanding of where ISE fits into an 802.1X network authentication use case, we will begin to explore the bits and pieces that comprise a Cisco ISE deployment and how to choose the deployment model that meets the requirements of your own environment.

Selecting an ISE Deployment Model

Cisco has prescribed a few different t-shirt sizes…err uh, deployment models that are supported: small, medium, and large.  As you can guess from the names, the scale requirements of your environment will be the most important factor in determining which ISE deployment model is best for you. There are various scaling factors to consider when selecting your deployment model, and they all depend on the use cases for the ISE deployment (802.1X, VPN, BYOD, MDM, PassiveID, AAA, etc.). Since all of our blog entries thus far have pertained to 802.1X, we'll use that use case as the example.  The primary factor in selecting your deployment's scale requirement for an 802.1X use case is how many concurrent network sessions (RADIUS sessions) must be supported.  See the table below.

 

Deployment Model   Number of ISE Nodes     Use Case   Maximum RADIUS Sessions
Small              minimum 1, maximum 2    802.1X     20,000 (same as Medium)
Medium             minimum 3, maximum 7    802.1X     20,000 (same as Small)
Large              minimum 5, maximum 54   802.1X     500,000

Now, you're probably wondering why you would choose a medium deployment over a small deployment at this point.  Good question!  This leads to the second most important factor in determining which model is right for you, and it has nothing to do with scale and everything to do with network topology and failure scenarios.  With a medium deployment you can run more nodes than with a small one (up to 7, see the table above), giving you the flexibility to drop a node in at mission critical sites as needed to support the failure scenarios your deployment must survive.  Similarly, you may choose a large deployment over a medium one simply because you want a local ISE node at every one of your 10 sites, even though 20,000 sessions would be more than enough.

802.1X Use Case – ISE Deployment Gating Factor #1 - How Many RADIUS Sessions Do I Need?

As mentioned above, the first gating factor in determining what type of ISE deployment is appropriate for you is understanding how many RADIUS sessions must be supported. So how do you determine this number?  For most organizations, the following formula is a great starting point when wired and wireless 802.1X is in scope.

Access Switch Ports + (Users x 2) + Guests = RADIUS Sessions

Where:

  • Access Switch Ports = the total number of endpoint-facing ports on the wired 802.1X network
  • Users = the total number of internal users connecting to the 802.1X wireless network
  • We multiply by two to accommodate two mobile devices per user
  • Guests = the number of active guests expected on an ISE-controlled wireless network

Let's try it out.  We will imagine we are preparing for an ISE deployment with an 802.1X use case for wired and wireless as well as supporting an ISE Central Web Authentication guest network. We'll pretend we have 40 wired access switches, each with 48 ports. We'll imagine we have 1,500 users and expect no more than 100 guests to be connected at any given time.

Our variables get populated as follows:

  • Access Switch Ports = 1,920
  • Users = 1,500
  • Guests = 100

Using our formula, we can understand the number of RADIUS sessions our deployment needs to support. 

1,920 + (1,500 x 2) + 100 = 5,020 RADIUS Sessions!

Armed with this information, you can now see that any of the ISE deployment models will work for the scale requirements of the 802.1X use case!  So, should we choose the small model? Maybe…but not certainly.  In this case, we will need to better understand our topology/failure scenario requirements in order to select the appropriate deployment model.

802.1X Use Case – ISE Deployment Gating Factor #2 – What are the Topology Requirements?

To better understand the decision process here, we will start with a brief overview of the three main (and required) ISE application roles (AKA personas) in an ISE deployment.  Which personas run on which ISE nodes determines whether you are running a small, medium, or large deployment.  There are other personas available in the ISE application, but they are optional, so we will not dig into them at this point.

 

Three Required ISE Personas

Policy Administration Nodes (PAN)

Every ISE deployment must have a minimum of 1 and maximum of 2 ISE nodes running the administration persona.  As the name suggests, this is the “single pane of glass” (I just threw up a little bit) for all administration, monitoring, and operation of the ISE deployment.  When you have two of these personas present in your deployment, one is primary (active) and one is secondary (standby).

Monitoring and Troubleshooting Nodes (MnT)

Every ISE deployment must have a minimum of 1 and maximum of 2 ISE nodes running the monitoring persona.  These nodes collect, process, and store ALL of the logging information for the deployment.  The policy service persona sends all of the logs relating to network authentication/ authorization activity to the monitoring persona.  The administration persona pulls the log information from the monitoring persona as needed when an administrator is performing operational auditing on the administration persona.  As with the administration persona, when you have two monitoring personas present in your deployment, one is primary (active) and one is secondary (standby).

Policy Services Nodes (PSN)

The policy service persona is the work horse of the ISE deployment.  These nodes process all of the authentication requests coming from the infrastructure (access switches, firewalls, wireless LAN controllers, etc..).  Every deployment must have a minimum of 1 policy service node.  The small deployment can have a maximum of 2 policy service nodes.  The medium can have a maximum of 5 policy service nodes.  The large can have a maximum of 50 policy service nodes.

In a small deployment you may have 2 total ISE nodes, both of which run all three required ISE personas. See below for an example of a small ISE deployment. Both nodes will likely be placed in data center locations and communicate with the campus/branch networks over a WAN (wide area network) for all authentication services. This means that a failure of the WAN results in a loss of authentication service for the sites affected.

In a medium deployment you may have 7 total ISE nodes. Two nodes will run both the PAN and MnT personas and up to 5 nodes will run as dedicated PSNs. See below for an example of a medium ISE deployment. The PAN/MnT nodes will likely be placed in data center locations. In this model the PSNs are free to reside at any network location of your choosing.  Some PSNs could be placed alongside the PAN/MnT in the data center, while others could be placed at critical campus/branch office locations, allowing authentications at those locations to survive a WAN failure.

 

In a large deployment you may have 54 total ISE nodes. Two nodes will run the PAN persona, 2 nodes will run the MnT persona, and up to 50 nodes will run as dedicated PSNs. See below for an example of a large ISE deployment.  The PAN/MnT nodes will likely be placed in data center locations. In this model the PSNs are free to reside at any network location of your choosing, which dramatically increases the scale and flexibility of the deployment. Some PSNs could be placed alongside the PAN/MnT in the data center as a pool front-ended by a load balancer, while others could be placed at critical campus/branch office locations, allowing authentications at those locations to survive a WAN failure. Load balancers, while not required, let you achieve greater scale while keeping network device configurations simple: each network device points to two load balancer VIPs as its RADIUS servers, while many more ISE policy service nodes sit behind the load balancers.
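As an added example (not code from the original post, LookingPoint, or Cisco), the following Python script carries both gating factors through end to end: it computes the RADIUS session count with the formula from Gating Factor #1 and then picks the smallest deployment model whose session limit and PSN limit (from the table and persona section above) both fit the topology requirement from Gating Factor #2. The `devices_per_user` parameter, the assumed default of two data-center PSNs, and the "sites that need a local PSN" input are assumptions added here; the model limits are the ones quoted in this post, so re-check them against the Cisco ISE scalability guide for the release you actually deploy.

```python
"""Sizing helper for the two 802.1X gating factors described in this post.

Added example, not LookingPoint's or Cisco's tooling. The model limits are the
figures quoted in this post's table and persona section; confirm them against
the Cisco ISE performance and scalability guide for your release.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DeploymentModel:
    name: str
    max_nodes: int      # total ISE nodes (from the table above)
    max_psn: int        # nodes that may run the policy service persona
    max_sessions: int   # maximum concurrent RADIUS sessions


# Ordered smallest to largest so the first match is the smallest fit.
MODELS = (
    DeploymentModel("Small", max_nodes=2, max_psn=2, max_sessions=20_000),
    DeploymentModel("Medium", max_nodes=7, max_psn=5, max_sessions=20_000),
    DeploymentModel("Large", max_nodes=54, max_psn=50, max_sessions=500_000),
)


def radius_sessions(access_ports: int, users: int, guests: int,
                    devices_per_user: int = 2) -> int:
    """Gating factor #1: Access Switch Ports + (Users x 2) + Guests.

    devices_per_user generalizes the post's fixed multiplier of 2 (an
    assumption added here, not part of the original formula).
    """
    for name, value in (("access_ports", access_ports), ("users", users),
                        ("guests", guests), ("devices_per_user", devices_per_user)):
        if value < 0:
            raise ValueError(f"{name} must be non-negative, got {value}")
    return access_ports + users * devices_per_user + guests


def psns_required(sites_needing_local_psn: int, datacenter_psns: int = 2) -> int:
    """Gating factor #2: how many nodes must run the policy service persona.

    One PSN per site whose authentications must survive a WAN failure, plus the
    PSNs kept alongside PAN/MnT in the data center. Two data-center PSNs is an
    assumed default for redundancy, not a figure from the post.
    """
    if sites_needing_local_psn < 0 or datacenter_psns < 1:
        raise ValueError("need at least one data-center PSN and a non-negative site count")
    return datacenter_psns + sites_needing_local_psn


def select_model(sessions: int, psns: int) -> DeploymentModel:
    """Smallest model satisfying both gating factors; ValueError if none does."""
    for model in MODELS:
        if sessions <= model.max_sessions and psns <= model.max_psn:
            return model
    raise ValueError(
        f"{sessions} sessions / {psns} PSNs exceed the Large model "
        f"({MODELS[-1].max_sessions} sessions, {MODELS[-1].max_psn} PSNs); "
        "split the estate across multiple ISE deployments")


if __name__ == "__main__":
    # The post's worked example: 40 switches x 48 ports, 1,500 users, 100 guests.
    sessions = radius_sessions(access_ports=40 * 48, users=1_500, guests=100)
    print(f"RADIUS sessions: {sessions}")
    # Same session count, three different WAN-survivability requirements.
    for sites in (0, 3, 10):
        psns = psns_required(sites)
        print(f"{sites:>2} sites with a local PSN -> {psns:>2} PSNs -> "
              f"{select_model(sessions, psns).name}")
```

With the post's numbers the session count (5,020) fits every model, so the topology input alone decides: no branch PSNs gives Small, three critical branches plus two data-center PSNs lands exactly on Medium's five-PSN ceiling, and ten branch sites forces Large. The ValueError on the 500,000-session or 50-PSN ceiling is the caveat worth keeping: beyond that there is no bigger model, only more than one deployment.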

What exactly is an ISE node?

A Cisco Identity Services Engine (ISE) node is an application server that can be installed as an appliance (completely self-contained, no external software necessary to run ISE) on a bare metal server (Cisco's Secure Network Server) or as a virtual machine on VMware, Hyper-V, or KVM.  Whether you run dedicated personas (as with the large deployment) or combined personas (as with the small/medium deployments), the same Cisco ISE software appliance is deployed; the role or persona it takes on is determined by how you configure it.

 

In Closing…

You can see how Cisco ISE deployments can be right-sized to fit your deployment needs by scaling from very small (1 or 2 nodes) to humongous (54 nodes). Hopefully this has shed some light on the key considerations involved when determining which Cisco ISE deployment model is best suited for your needs. The following flow chart can be a quick reference to help you make your Cisco ISE deployment model selection easier for an 802.1X use case.

What’s Next?

Now that we've selected our deployment model, we understand how many ISE nodes we will need, but how should they be licensed?  In the next entry in our Cisco ISE series, we'll take a quick look at my favorite topic (and I'm sure yours as well), Cisco ISE licensing!

Written By: Dominic Zeni, LookingPoint Consulting Services SME - CCIE #26686

 

If you are interested in LookingPoint installing ISE into your network, feel free to contact us here!