ISE Deployment Options Supporting TACACS+

chunhwon
Cisco Employee

Hi Team,

My customer has deployed an ISE cluster with two PANs, four PSNs and a 10k license for NAC and posture; only 7k licenses are consumed today.

They are planning to migrate TACACS+ function from ACS to ISE with two deployment options:

1.) Setup a new ISE cluster with two nodes dedicated for TACACS+

2.) Add two ISE PSN nodes joining to existing cluster, these two PSN nodes dedicated for TACACS+

Just wondering:

  • For 1.), is it possible to rehost some base licenses to the new cluster?
  • What are the pros and cons of these two options?
  • For both options, does it require at least two R-ISE-VM-K9= licenses?

Many thanks,

CH

Accepted Solution

Jason Kunst
Cisco Employee

Unless the customer requires a separate deployment for device admin vs. user auth, I would recommend using the same cluster and adding the needed nodes if required.

There is no way to migrate a base license from one deployment to another without working through sales and possibly product management to split up licensing.

Device admin requires a minimum of 100 Base licenses to enable the system, and then adding the device admin license to the deployment.

All VMs in the system are required to be licensed as well, with a VM license.

Please look at the Community posts for more information


3 Replies

Hi Jason,

Thanks for your reply. Let me elaborate on the current setup:

ISE running 2.1

2 x ISE nodes running both PAN and MnT as VMs with a 600 GB disk

4 x ISE nodes running PSN on physical appliances, primarily for NAC and posture checking for 8,000 endpoints

Customer is planning to migrate TACACS+ (including authentication, authorisation and accounting) from ACS to ISE for 1,000 network devices.

Some questions in my mind:

1.) Can we add another two ISE nodes running as PSNs dedicated for TACACS+, for a total of 6 x PSN nodes in this cluster? However, based on the link below, it seems that PAN and MnT on the same node (Unified mode) only supports up to 5 x PSN.

2.) If only 5 x PSN are allowed, then we need to separate PAN and MnT so that each persona runs on a dedicated ISE node. Is that correct?

3.) Regarding log retention, it is required to keep TACACS+ logs for at least 1 year. Since the MnT disk is shared between user auth and device admin logs, can we assign disk space for TACACS+ logs? If not, what is the best practice?

4.) Based on the link below and the MnT log sizing calculator, with 1,000 network devices managed by human admins, assuming a 600 GB hard disk, 50 sessions per day, 100 commands per session and 10 admins in total, it can support log retention of 661 days. Is anything missing, or is there anything else I need to take into consideration?

https://communities.cisco.com/docs/DOC-68347#jive_content_id_Human_admin__Device_admin_model

Many thanks,

CH

Some questions in my mind:

1.) Can we add another two ISE nodes running as PSNs dedicated for TACACS+, for a total of 6 x PSN nodes in this cluster? However, based on the link below, it seems that PAN and MnT on the same node (Unified mode) only supports up to 5 x PSN.

CORRECT, but do you require separate PSNs? Do they want the functions isolated? Maybe your solution will work fine without expansion?

2.) If only 5 x PSN are allowed, then we need to separate PAN and MnT so that each persona runs on a dedicated ISE node. Is that correct?

YES, see Cisco Identity Services Engine Installation Guide, Release 2.3 - Network Deployments in Cisco ISE [Cisco Identity Servi…

3.) Regarding log retention, it is required to keep TACACS+ logs for at least 1 year. Since the MnT disk is shared between user auth and device admin logs, can we assign disk space for TACACS+ logs? If not, what is the best practice?

Best practice would be to offload to something like Splunk.

ISE is not meant as a long-term repository.

4.) Based on the link below and the MnT log sizing calculator, with 1,000 network devices managed by human admins, assuming a 600 GB hard disk, 50 sessions per day, 100 commands per session and 10 admins in total, it can support log retention of 661 days. Is anything missing, or is there anything else I need to take into consideration?

Sounds right.
