PSN in a different country

Madura Malwatte (Level 4)

Is this a valid design for ISE 2.6? I don't see any issues as long as the latency between the PSN in country Y and the nodes in country X is less than 300 ms?

The main site is in Country X with two nodes running the Admin/Monitoring/PSN personas. Country Y has an office, connected back to the main site via MPLS. Instead of having authentications come back to the main site, is it fine to put a PSN in country Y?


[Attachment: Screen Shot 2019-11-26 at 5.31.07 pm.jpg (proposed design)]

7 Replies

Charlie Moreton (Cisco Employee), accepted solution

Having a Small ISE Deployment (Admin/MnT/PSN shared on two nodes) with an additional PSN is not an officially supported deployment scenario.
Having said that, what you are proposing works. There are customers who have a separate PSN in other countries with no issues, they use either the Medium or Large Network Deployments for this. See the link below for the supported deployment types.

There are other factors, too. Do you have an authentication server in the other country (Active Directory Domain Controller, for example) in case the link goes down?

https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/install_guide/b_ise_InstallationGuide_26/b_ise_InstallationGuide_26_chapter_00.html

Hi Charlie, thanks for the response. I want to stay with an officially supported deployment. If I want to keep the small deployment (Admin/MnT/PSN shared on two nodes), do you see any issues with not having a PSN in country Y and instead having all the RADIUS traffic come back to the nodes in country X? The latency is not too bad over the MPLS, ~120-140 ms.

Or the other option would be to go for the hybrid deployment. Two nodes for Admin/MnT and a dedicated PSN in country X and another dedicated PSN in country Y.

Also not sure if a local DC is there in the other country.

I agree with Charlie. We have a medium/large deployment and have successfully deployed to multiple international locations with latency up to 250 ms. 300 ms is the same figure we used when planning. We have run 2 upgrades and multiple patches and they have all worked even over relatively low bandwidth (10 Mbps). You can also use Cisco Live slide decks for planning purposes.


@Charlie Moreton wrote:

Having a Small ISE Deployment (Admin/MnT/PSN shared on two nodes) with an additional PSN is not an officially supported deployment scenario.
Having said that, what you are proposing works. There are customers who have a separate PSN in other countries with no issues, they use either the Medium or Large Network Deployments for this. See the link below for the supported deployment types.

There are other factors, too. Do you have an authentication server in the other country (Active Directory Domain Controller, for example) in case the link goes down?

https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/install_guide/b_ise_InstallationGuide_26/b_ise_InstallationGuide_26_chapter_00.html


Agree with the guys here @Alex Pfeil @Madura Malwatte 

also check out BRKSEC-3432 https://cs.co/ise-training

Hi All, thanks for the replies. 

So it comes down to two options. Do you see any issues going with option 1? Country Y only has an office with 50-80 users.

[Attachment: Screen Shot 2019-11-27 at 10.26.33 am.jpg (the two options)]

Hi @Jason Kunst @Charlie Moreton any comments regarding the two options?

I would go with option 1, 150 ms RTT latency is not an issue for RADIUS authentication. This is how we build most ISE deployments since the number of sites far outweighs the number of allowable PSNs.

Unless there is a specific reason a PSN is required at a remote site, I would avoid it. You are better working on high availability from a WAN/DC perspective.
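The thread settles on two numbers that should be measured rather than assumed before choosing option 1: the RADIUS round trip from the remote office to each PSN (against the 300 ms planning ceiling), and whether a given PSN actually answers when the WAN path is degraded. The script below is an added example, not code from Cisco, ISE or any poster in this thread. It sends a RADIUS Status-Server probe (RFC 5997) with a correctly computed Message-Authenticator, only counts a reply that carries a valid Response Authenticator (so a stray UDP packet cannot masquerade as a healthy PSN), and grades the RTT against the budget. Host names, the shared secret and the site labels are hypothetical; it also assumes your PSN answers Status-Server, which you should confirm on your ISE release (if it does not, send an Access-Request for a dedicated test account instead, as IOS `automate-tester` does).

```python
"""RADIUS Status-Server (RFC 5997) RTT probe for PSN placement planning.

Added example, not Cisco/ISE code. PSN hosts, port, site labels and the
shared secret are hypothetical placeholders; replace with your own.
"""
import hashlib
import hmac
import os
import socket
import struct
import time
from typing import List, Optional, Tuple

CODE_ACCESS_ACCEPT = 2
CODE_STATUS_SERVER = 12
ATTR_NAS_IDENTIFIER = 32
ATTR_MESSAGE_AUTHENTICATOR = 80
RTT_BUDGET_MS = 300.0  # the planning ceiling used in the thread


def build_status_server(secret: bytes, identifier: int, request_auth: bytes,
                        nas_id: bytes = b"site-probe") -> bytes:
    """Encode a Status-Server request (code 12) with a Message-Authenticator.

    RFC 5997 requires the attribute; per RFC 3579 s3.2 it is HMAC-MD5 keyed
    with the shared secret over the whole packet, with its 16 value bytes
    zeroed while the MAC is computed.
    """
    attrs = struct.pack("!BB", ATTR_NAS_IDENTIFIER, 2 + len(nas_id)) + nas_id
    attrs += struct.pack("!BB", ATTR_MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    header = struct.pack("!BBH", CODE_STATUS_SERVER, identifier, 20 + len(attrs)) + request_auth
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac


def parse_attributes(packet: bytes) -> List[Tuple[int, bytes]]:
    """Walk the TLV attribute list that follows the 20-byte RADIUS header."""
    out, pos = [], 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed RADIUS attribute")
        out.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return out


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Recompute the HMAC-MD5 with the attribute value zeroed and compare."""
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if atype == ATTR_MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += max(alen, 2)
    return False  # no Message-Authenticator present: reject


def build_response(code: int, identifier: int, request_auth: bytes,
                   secret: bytes, attrs: bytes = b"") -> bytes:
    """What a server emits: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attrs+Secret) (RFC 2865 s3)."""
    head = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs


def verify_response_authenticator(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Accept a reply only if it proves possession of the shared secret."""
    if len(response) < 20:
        return False
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def probe(host: str, secret: bytes, port: int = 1812, timeout: float = 2.0) -> Optional[float]:
    """Send one Status-Server; return RTT in ms, or None on timeout or a reply that fails authentication."""
    identifier = os.urandom(1)[0]
    request_auth = os.urandom(16)
    pkt = build_status_server(secret, identifier, request_auth)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        started = time.monotonic()
        s.sendto(pkt, (host, port))
        try:
            resp, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    rtt_ms = (time.monotonic() - started) * 1000
    if resp[1] != identifier or not verify_response_authenticator(resp, request_auth, secret):
        return None
    return rtt_ms


def assess(rtt_ms: Optional[float], budget_ms: float = RTT_BUDGET_MS) -> str:
    """Grade a measured RTT against the planning budget."""
    if rtt_ms is None:
        return "unreachable"
    return "ok" if rtt_ms <= budget_ms else "over-budget"


if __name__ == "__main__":
    # Hypothetical PSNs in the order a NAD in country Y would try them.
    psns = {"psn-y.example.net": "local", "psn-x.example.net": "remote over MPLS"}
    for host, where in psns.items():
        rtt = probe(host, b"hypothetical-shared-secret")
        shown = "" if rtt is None else f"{rtt:.0f} ms"
        print(f"{host} ({where}): {assess(rtt)} {shown}")
```

Run it from a host at the country Y office, repeatedly and at busy hours, not once from the data centre; a single 140 ms sample says little about the tail. A PSN that reports "unreachable" while the WAN is merely congested is the case the thread warns about: with option 1 there is nothing local to fall back to, so the NAD's dead-server timers and critical-auth behaviour need to be planned alongside WAN redundancy.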