3 Replies. Latest reply: Jan 4, 2018 9:55 AM by jakunst

ISE Deployment Options Supporting TACACS+

chunhwon

Hi Team,

My customer has deployed an ISE cluster with two PANs, four PSNs and a 10k license for NAC and posture; only 7k licenses are consumed today.

 

They are planning to migrate the TACACS+ function from ACS to ISE, with two deployment options:

1.) Set up a new ISE cluster with two nodes dedicated to TACACS+

2.) Add two ISE PSN nodes to the existing cluster, with these two PSN nodes dedicated to TACACS+

Just wondering:

  • For 1.), is it possible to rehost some Base licenses to the new cluster?
  • What are the pros and cons of these two options?
  • For both options, does it require at least two R-ISE-VM-K9= licenses?

Many thanks,

CH

  • 1. Re: ISE Deployment Options Supporting TACACS+
    jakunst

    Unless the customer requires a separate deployment for device admin vs. user auth, I would recommend using the same cluster and adding the needed nodes if required.

    There is no way to migrate a Base license from one deployment to another without working through sales, and possibly product management, to split up the licensing.

    Device admin requires a minimum of 100 Base licenses to enable the system, and then adding the Device Admin license to the deployment.

    All VMs in the system are required to be licensed as well, with a VM license.

    Please look at the Community posts for more information.

  • 2. Re: ISE Deployment Options Supporting TACACS+
    chunhwon

    Hi Jason,

    Thanks for your reply. Let me elaborate on the current setup:

    ISE running 2.1

    2 x ISE nodes running both PAN and MnT as VMs, with a 600 GB disk

    4 x ISE nodes running PSN on physical appliances, primarily for NAC and posture checking for 8,000 endpoints

    The customer is planning to migrate TACACS+ (including authentication, authorisation and accounting) from ACS to ISE for 1,000 network devices.

    Some questions in my mind:

    1.) Can we add another two ISE nodes running as PSNs dedicated to TACACS+? That would make 6 x PSN nodes in total in this cluster. However, based on the link below, it seems that PAN and MnT on the same node (unified mode) only supports up to 5 x PSN.

    2.) If only 5 x PSN are allowed, then we need to separate PAN and MnT so that each persona runs on a dedicated ISE node. Is that correct?

    3.) Regarding log retention, it's required to keep TACACS+ logs for at least 1 year. Since the MnT disk is shared between user auth and device admin logs, can we assign disk space for TACACS+ logs? If not, what's the best practice?

    4.) Based on the link below and the MnT log sizing calculator, with 1,000 network devices administered by humans, and assuming a 600 GB hard disk, 50 sessions per day, 100 commands/session and 10 admins in total, it can support log retention of 661 days. Is there anything missing, or anything else I need to take into consideration?

    https://communities.cisco.com/docs/DOC-68347#jive_content_id_Human_admin__Device_admin_model

    Many thanks,

    CH

  • 3. Re: ISE Deployment Options Supporting TACACS+
    jakunst

    Some questions in my mind:

    1.) Can we add another two ISE nodes running as PSNs dedicated to TACACS+? That would make 6 x PSN nodes in total in this cluster. However, based on the link below, it seems that PAN and MnT on the same node (unified mode) only supports up to 5 x PSN.

    CORRECT, but do you require separate PSNs? Do they want the functions isolated? Maybe your solution will work fine without expansion?

    2.) If only 5 x PSN are allowed, then we need to separate PAN and MnT so that each persona runs on a dedicated ISE node. Is that correct?

    YES, see: Cisco Identity Services Engine Installation Guide, Release 2.3 - Network Deployments in Cisco ISE [Cisco Identity Servi…

    3.) Regarding log retention, it's required to keep TACACS+ logs for at least 1 year. Since the MnT disk is shared between user auth and device admin logs, can we assign disk space for TACACS+ logs? If not, what's the best practice?

    Best practice would be to offload to something like Splunk.

    ISE is not meant as a long-term repository.

    4.) Based on the link below and the MnT log sizing calculator, with 1,000 network devices administered by humans, and assuming a 600 GB hard disk, 50 sessions per day, 100 commands/session and 10 admins in total, it can support log retention of 661 days. Is there anything missing, or anything else I need to take into consideration?

    Sounds right.
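The "offload to something like Splunk" advice in the reply above is only as good as the collector's ability to make sense of what ISE sends. Two things trip people up in practice: ISE splits long syslog messages into numbered segments that the collector has to stitch back together before the key=value tail can be parsed, and the TACACS+ command-accounting detail that the one-year retention requirement is really about sits inside a nested CmdSet=[ ... ] field. The script below, which is an added example and not code from this thread or from Cisco, reassembles segments, keeps only complete TACACS+ accounting messages, and flattens them into JSON lines suitable for long-term storage. The sample syslog lines are constructed, and the message layout and field names (CISE_TACACS_Accounting, NetworkDeviceName, CmdSet, CmdAV, CmdArgAV, the sequence-id/total/index header fields) are assumptions modelled on the shape of ISE's syslog output, not taken from the thread; check them against your own ISE export before relying on the regexes.

```python
import json
import re
from collections import defaultdict

# Constructed sample lines in the assumed shape of ISE syslog output.
# After the category come: message sequence id, total segment count, this
# segment's index. Message 0000001002 is split into two segments.
SAMPLE_SYSLOG = [
    "<181>Jan 04 2018 09:55:01 ise-psn5 CISE_TACACS_Accounting 0000001001 1 0 "
    "2018-01-04 09:55:01.100 +08:00 0000200001 3300 NOTICE Tacacs-Accounting: "
    "TACACS+ accounting request accepted, NetworkDeviceName=core-sw1, "
    "Device IP Address=10.10.0.1, User=alice, Privilege-Level=15, "
    "CmdSet=[ CmdAV=show CmdArgAV=running-config ], Type=Accounting",
    "<181>Jan 04 2018 09:56:10 ise-psn5 CISE_TACACS_Accounting 0000001002 2 0 "
    "2018-01-04 09:56:10.200 +08:00 0000200002 3300 NOTICE Tacacs-Accounting: "
    "TACACS+ accounting request accepted, NetworkDeviceName=edge-rtr7, "
    "Device IP Address=10.10.0.7, User=bob, Privilege-Level=15, ",
    "<181>Jan 04 2018 09:56:10 ise-psn5 CISE_TACACS_Accounting 0000001002 2 1 "
    "CmdSet=[ CmdAV=configure CmdArgAV=terminal ], Type=Accounting",
    "<181>Jan 04 2018 09:57:00 ise-psn5 CISE_RADIUS_Accounting 0000001003 1 0 "
    "2018-01-04 09:57:00.000 +08:00 0000200003 3000 NOTICE Radius-Accounting: "
    "RADIUS Accounting start request, User-Name=carol, Calling-Station-ID=00-11-22-33-44-55",
]

# Assumed header layout: <PRI>Mon DD YYYY HH:MM:SS host CATEGORY seqid total index rest
HEADER = re.compile(
    r"^<\d+>\S+ \d+ \d+ [\d:]+ (?P<host>\S+) (?P<category>CISE_\S+) "
    r"(?P<msgid>\d{10}) (?P<total>\d+) (?P<index>\d+) (?P<rest>.*)$"
)
TS = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+ [+-]\d\d:\d\d)")
CMD_AV = re.compile(r"CmdAV=(\S+)")
CMD_ARG = re.compile(r"CmdArgAV=(\S+)")


def reassemble(lines):
    """Group lines by (host, message id) and stitch multi-segment messages.

    Returns (complete, incomplete): complete is a list of (host, category, text);
    incomplete lists message ids with a missing segment, which are dropped rather
    than parsed half-way (a truncated command line would be misleading evidence).
    """
    groups, meta = defaultdict(dict), {}
    for line in lines:
        m = HEADER.match(line)
        if not m:
            continue  # not an ISE-style line; a real collector would count these
        key = (m["host"], m["msgid"])
        meta[key] = (m["category"], int(m["total"]))
        groups[key][int(m["index"])] = m["rest"]
    complete, incomplete = [], []
    for key, parts in groups.items():
        category, total = meta[key]
        if set(parts) != set(range(total)):
            incomplete.append(key[1])
            continue
        complete.append((key[0], category, "".join(parts[i] for i in range(total))))
    return complete, incomplete


def parse_fields(text):
    """Split the comma-separated key=value tail into a dict; free text is skipped."""
    fields = {}
    for token in text.split(", "):
        if "=" in token:
            k, v = token.split("=", 1)
            fields[k.strip()] = v.strip()
    return fields


def to_records(lines):
    """Normalise complete TACACS+ accounting messages into flat records."""
    complete, _ = reassemble(lines)
    records = []
    for host, category, text in complete:
        if category != "CISE_TACACS_Accounting":
            continue  # RADIUS and other categories go to a different pipeline
        f = parse_fields(text)
        ts = TS.match(text)
        cmdset = f.get("CmdSet", "")
        command = " ".join(CMD_AV.findall(cmdset) + CMD_ARG.findall(cmdset))
        records.append({
            "ts": ts.group(1) if ts else None,
            "psn": host,
            "device": f.get("NetworkDeviceName"),
            "device_ip": f.get("Device IP Address"),
            "user": f.get("User"),
            "priv": f.get("Privilege-Level"),
            "command": command,
        })
    return records


def export_jsonl(records):
    """One JSON object per line, the form most log stores ingest directly."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in records)


if __name__ == "__main__":
    print(export_jsonl(to_records(SAMPLE_SYSLOG)))
```

Incomplete messages are reported separately rather than silently dropped, so a gap in the one-year archive (a lost UDP segment, a collector restart) shows up as a count you can alert on instead of as a command that apparently was never run.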