Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1263
Views
1
Helpful
3
Replies

TACACS deployment Question

Go to solution
meetneelesh79
Level 1
Level 1

‎03-14-2017 09:25 AM

Team,

I am implementing TACACs using ISE in customer environment. I have question related to TACACs use cases Following are the details of deployment

1. ISE version 2.0 with patch 4

2. Total 8 ISE VMs - 2 Admins, 2 MNTs and 4 PSN at respective locations -- All VMs configured with 3495 resources)

3 Total endpoints across all the locations - 20000 ( approx 5000 endpoints per location)

4 Use case - BYOD, dot1x, Guest, PXGRID and TACACS

5 Total network devices - 400 ( switchs+ASA+Routers)  - Not much daily login on network devices

Question:

Can I enable TACACS service on every PSN and use every PSN locally for TACACS authentication for network devices? Will it impact ISE cluster with respect to CPU, Memory? Will it impact radius authentication?

Cisco recommends dedicated ISE nodes or separate ISE cluster or dedicate one of the PSNs with no load for radius traffic.

Thanks,

Neelesh Marathe

1 Accepted Solution

Accepted Solutions

Go to solution
thomas
Cisco Employee
Cisco Employee

‎03-14-2017 09:33 AM

Neelesh,

Where do you see our recommendation for separate resources for TACACS+?

We have our ISE TACACS+ Deployment & Sizing Guidance which explains the pros and cons of each option but we do not have a single recommended way to deploy.

The deployment choice is up to you - and the customer - depending on what design factors and concerns are most important to you.

Of course enabling and using TACACS+ along with RADIUS will have an impact but exactly how much depends on the scale of usage. For this, also see ISE Performance & Scale.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
thomas
Cisco Employee
Cisco Employee

‎03-14-2017 09:33 AM

Neelesh,

Where do you see our recommendation for separate resources for TACACS+?

We have our ISE TACACS+ Deployment & Sizing Guidance which explains the pros and cons of each option but we do not have a single recommended way to deploy.

The deployment choice is up to you - and the customer - depending on what design factors and concerns are most important to you.

Of course enabling and using TACACS+ along with RADIUS will have an impact but exactly how much depends on the scale of usage. For this, also see ISE Performance & Scale.

0 Helpful

Go to solution
meetneelesh79
Level 1
Level 1
In response to thomas

‎03-14-2017 09:46 AM

Hello Thomas,

Thanks for your quick response. I might have used the wrong word "seperate" I meant to say Dedicated ISE deployments"

Thanks,

Neelesh Marathe

0 Helpful

Go to solution
thomas
Cisco Employee
Cisco Employee
In response to meetneelesh79

‎03-14-2017 10:30 AM

Separate and Dedicated imply the same thing.  8-)

My point is we dont have a single recommendation for how to do it because people may have different goals.

We support all 3 options!

0 Helpful
Customers Also Viewed These Support Documents