Brksec 3432 PDF

#CLMEL
Advanced ISE
Architect, Design and Scale ISE for
your production networks
Jason Kunst @nacbot

Technical Marketing Engineer
BRKSEC-3432
cs.co/BRKSEC-3432
#CLMEL
Cisco Webex Teams
Questions?
Use Cisco Webex Teams (formerly Cisco Spark)
to chat with the speaker after the session
How
1 Open the Cisco Events Mobile App
2 Find your desired session in the “Session Scheduler”
3 Click “Join the Discussion”
4 Install Webex Teams or go directly to the team space
5 Enter messages/questions in the team space
cs.co/ciscolivebot#BRKSEC-3432
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Session Abstract
• In today’s world of constant attacks, malware and Ransomware, its important to design, deploy and manage
your network with an identity aware secure access platform. Cisco ISE is plays an architectural role for many
security solutions and is also one of the main pillars in the overall Cisco’s Software defined Access
Architecture.
• This session will show you how to deliver scalable and highly available access control services using ISE for
wired, wireless, and VPN from a single campus to a global deployment. Methodologies for increasing
scalability and redundancy will be covered such as load distribution with and without load balancers, optimal
profiling design, lessons learned from the trenches, as well as serviceability tips and tricks to help you gain
optimal value and productivity from ISE.
• Attendees of this session will gain knowledge on how to best design ISE to ensure peak operational
performance, stability, and to support large volumes of authentication activity. Various deployment
architectures will be discussed including ISE platform selection, sizing, and network placement. Cisco ISE
also enables cross-platform network system collaboration across your IT infrastructure by using pxGrid to
monitor security, detect threats, and set network policy. Manage assets, configuration, identity, and access.
The session will go through such deployment considerations and common architectures.
#CLMEL BRKSEC-3432 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 4
ISE 2.6 Updates
• Hot off the press! Gathering new information daily!
#CLMEL Presentation ID © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 5
UPDATE! @Live Melbourne 2019
Tuesday Wednesday Friday
TECSEC-2723 BRKSEC-2721 BRKSEC-3690
Architectural Approach to Security in the Zero-Trust Model: A Model for More Advanced Security Group Tags: The
Enterprise Network, Data Centre and Cloud Efficient Security Detailed Walk Through
Jeffrey Fanelli, Brenden Buresh, Rob Tappenden, Aaron Woland Darrin Miller
Jatin Sachdeva Wednesday 4:30PM-6:00PM Friday 8:00AM-9:30AM
Tuesday 2:15PM-3:45PM
BRKSEC-3383
ISE Troubleshooting
Thursday Shrikant Sundaresh
Friday 9:40AM-11:10AM
BRKSEC-3432
Wednesday Advanced ISE – Architect, Design and
Scale ISE for your production networks
BRKSEC-2203 Jason Kunst
Segmentation in SD-Access and Beyond
Kevin Regan
Thursday 08:30-10:30 You Are Here
Wednesday 12:50PM-2:20PM
BRKSEC-2069
BRKSEC-2725
Meraki Integrations with the Cisco
Are Your Endpoints/IOT Assets Safe?
Security Architecture
Krishnan Thiruvengadam
Joseph Aronow
Wednesday 2:30PM-4:00PM
Thursday 4:30PM-6:00PM
#CLMEL BRKSEC-3432 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
A bit about your Speaker
• Jason Kunst
• Technical Marketing Engineer at Cisco
Systems.
• 13 Years with Cisco Systems
• Focus on Enterprise Security Products
• Cisco Taekwondo 10 years
STEAK
BANK
#CLMEL BRKSEC-3432
ORMOND!
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
SYDNEY 2019
PARIS
LONDON-BERLIN
MeLBOURNE 2019
Cisco Community VIP
Damien Miller
https://community.cisco.com/t5/cisco-cafe-blogs/cisco-community-designated-vip-class-of-2019/ba-p/3779405
https://community.cisco.com/t5/custom/page/page-id/cisco-designated-vips
Please fill out the survey
Thanks to the Nidhi Pandey Krishnan Thiruvengadam
following individuals Technical Marketing Engineer Technical Marketing Engineer
…& the entire Cisco SPA Team
BRKSEC-2721 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 17
#CLMEL © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
U
D P D
R
E YouL take the blue pillW– the story ends, you walkR out of E
S E O
this
R room and believe whatever P want to believe. V
you
I B F I
E O E
G A I C
A D C S A
N U L E
U I E T P
T I
T R R U
H N R
E R
H
E C Remember,
This is your lastallchance.
M
A
I'mT
I
A
E U
G E C
H
G
N
T
T
I offeringBis the
After this, theretruth F
I
–
is no T
H
I A
I
O S
I
C N nothing
turning more.
back. C
A
O
R B T
N
I
A T 1999 I Y R
- The Matrix, N
T 8 I
E S O A
G
I 0 S
S A D T
2 E I
O
. You take the red pill – you stay Tin this room, O
N I
1 and I show you how deep the rabbit hole goes. N
X O
Important: Hidden Slide Alert
Look for this “For Your Reference” Symbol

in your PDF’s
For Your
Reference
There is a tremendous amount of hidden
content, for you to use later!
cs.co/BRKSEC-3432
~600 +/- Slides in

Session Reference PDF
Available on ciscolive.com
• ISE Design
Agenda • Sizing Deployments and Nodes
• Bandwidth and Latency
• Scaling ISE Services
• RADIUS, AD/LDAP, Passive ID, Guest, Web
Services, TACACS+
• Profiling and Database Replication
• MnT (Optimize Logging and Noise Suppression)
• High Availability
• Appliance Redundancy
• Admin, MnT, and pxGrid Nodes
• Certificate Services Redundancy
• PSN Redundancy with and without Load
Balancing
• NAD Fallback and Recovery
• Monitoring Load and System Health
Cisco ISE and Anyconnect
CISCO ISE SIEM, MDM, NBA, IPS, IPAM, etc.
WHO WHEN
Cisco ISE WHAT WHERE PxGRID
& APIs
HOW HEALTH
Context aware policy service, THREATS CVSS
to control access and threat Partner Eco System
ACCESS POLICY
across wired, wireless and
VPN networks FOR ENDPOINTS FOR NETWORK
WIRED WIRELESS VPN
Cisco Anyconnect
Supplicant for wired, wireless

and VPN access. Services
include: Posture assessment,
Malware protection, Web
security, MAC Security,
Network visibility and more.
Role-based Access Control | Guest Access | BYOD | Secure Access
Managing policy based on ‘Trust’
Connecting Trusted Devices to Trusted Services
CISCO IDENTITY SERVICES ENGINE
User-Groups Device-type
Cloud
Non-Trusted App / Services

Trusted App / Services
Trusted User
Cloud App A
Cloud App B
Server A
Server B
Partners
Location Posture
Trusted Asset ✓ ✕ ✓ ✓ ✓ ✓
On Prem
Trusted User ✕ ✓ ✓ ✓ ✓ ✕
Time Threats Partners ✕ ✕ ✓ ✓ ✕ ✕
Behavior Vulnerability
Software-Defined Segmentation, Location-Free App/Service

Improved Visibility and Decision
Service Access & Entitlement Access
Introducing Cisco Identity Services Engine
A centralized security solution that automates context-aware access to

network resources and shares contextual data
Physical Identity Profiling Role-Based Policy Access Network Resources

or VM and Posture
Traditional Cisco TrustSec®
Who
Network What Guest Access

Door
When
BYOD Access
Where
Role-Based Access
How
ISE pxGrid
 Compliant Controller
Secure Access
Context
ISE 2.4 is the recommendation
Long-term (LTR) “suggested release”
• https://community.cisco.com/t5/security-blogs/announcing-the-quot-suggested- • https://www.cisco.com/c/en/us/products/collateral/security/identity-services-
release-quot-status-of-ise-2-4/ba-p/3775587 engine/bulletin-c25-740738.html
SNS-36xx appliances
What are we solving?
• Increased endpoint capacity per
appliance and deployment
• UCS M4 Feb 2019 End Of Sale
How do we solve it?
• New appliances based on UCS M5
Prerequisites
• Must be running ISE 2.6
• http://cs.co/ise-feedback
SNS-36xx Specifications (requires 2.6)
SNS-3615 SNS-3655 SNS-3695
Endpoints supported in a standalone 10,000 25,000 50,000
configuration
Endpoints supported per Policy Services Node 10,000 50,000 100,000
Processor Intel Xeon 2.10 GHz Intel Xeon 2.10 GHz 4116 Intel Xeon 2.10 GHz 4116
4110
Cores per Processor 8 12 12
Memory 32GB 96GB 256GB
Hard Disk 1 600GB, 6Gb SAS 10K 4 600GB, 6Gb SAS 10K 8 600GB, 6Gb SAS 10K
RPM RPM RPM
Hardware RAID No Level 10 Level 10
Power Supplies 1 x 770W 2 X 770W 2 X 770W

Session Agenda
ISE Design You Are Here
MnT (Optimize Logging

and Noise Suppression)
TACACS+ Design and

Compliance Services: Scaling
PassiveID & Guest and Web Auth Posture and MDM
AD and LDAP Easy Connect Profiling & DB
Radius, WebAuth Replication
Profiling, TACACS+
ISE Design Monitoring Load and

High Availability System Health Summary
Scaling ISE Services
Platforms ISE Appliance

Hardware and VM’s Redundancy PSN Load Balancing
Sizing Deployments
Bandwidth and Latency Node Redundancy
and Nodes NAD Fallback and
Admin, MnT and pxGrid Recovery
ISE Design
ISE Terminology
ISE deployment options
STANDALONE ISE Policy Services Node (PSN) MULTI-NODE ISE
- Makes policy decisions
- RADIUS / TACACS+ Servers
Policy Administration Node (PAN)

- Single plane of glass for ISE admin
- Replication hub for all database config changes
Network
Monitoring and Troubleshooting Node (MnT)
- Reporting and logging node
- Syslog collector from ISE Nodes
pXGrid Controller
- Facilitates sharing of context
Single Node (Virtual / Appliance) Multiple Nodes (Virtual / Appliance)

Up to 50,000 concurrent endpoints Up to 500,000 (2M DOT1X/MAB) concurrent endpoints
SNS-36xx appliances scale and orderability
* - Orders placed prior to targeted availability will be on new product hold until targeted availability
Policy Administration Node (PAN) For Your
Reference
Writeable Access to the Database
• Interface to configure and view PAN

policies External
ID
Administration AD/LDAP Store
• Responsible for policy sync across
all PSNs and secondary PAN
• Provides:
• Licensing
• Admin authentication & authorization
• Admin audit
• Each ISE deployment must have at least

one PAN
• Only 1x Primary and 1x Secondary (Backup)
PAN possible
Policy Service Node (PSN) For Your
Reference
RADIUS/TACACS+ Server for the Network Devices
• Per policy decision, responsible for: • Directly communicates to external

• Network access (AAA/RADIUS services) identity stores for user authentication
• Device Admin (TACACS+) • Provides GUI for sponsors, agent
• Posture download, guests access, device
• BYOD / MDM services registration, and device on-boarding
• Guest access (web portals)
• Each ISE deployment must have one
• Client Provisioning
or more PSNs (max 50)
• Profiling
• Web Auth
• Posture/MDM
• Client Provisioning AD/LDAP/
ODBC/
RADIUS
External
ID
Store
RADIUS/TACACS+/
Profiling
PSN
NAD
Policy Synchronization For Your
Reference
• Changes made via Primary PAN DB are automatically synced to

Secondary PAN and all PSNs. PAN
(Secondary)
PSN
Policy Sync
Policy Change Policy Sync

Admin PSN
User
PAN
(Primary)
PSN
• Guest account creation
Policy Sync
• Device Profile update
PSN
Network Access Device (NAD) For Your
Reference
Also Known as the ‘RADIUS Client’ (or ‘TACACS+ Client’)
• Major Secure Access component that enforces network policies.

• NAD sends request to the PSN for implementing authorization decisions for
resources.
• Common enforcement mechanisms:
NADs
• VLAN Assignment/VRF
• dACLs & named ACLs
• Scalable Group Tags (SGT)
• Basic NAD types (including 3rd party)

• Cisco Catalyst Switches
• Cisco Wireless LAN Controllers
• Cisco ASA & FTD for VPN
pxGrid Controller (PXG) For Your
Reference
Context Data Sharing
• Enabled as pxGrid persona

• Max 2 nodes
• Control Plane to register Publisher/Subscriber topics
• Authorize and setup pxGrid

client communications
• pxGrid Clients subscribe to
published topics of interest
• ISE 1.X: ISE is only controller
and publisher; 2.0 supports other publishers;
2.4 supports ISE as a subscriber (Profiler probe)
• MnT publishes Session Directory
Monitoring and Troubleshooting Node (MnT)
Logging and Reporting
For Your
Reference
• MnT node receives logging from PAN, PSN, NAD (RADIUS & TACACS)
• Each ISE deployment must have at least one MnT
• Max 1x Primary and 1x Secondary (Backup) MnT possible
PAN
Syslog
Syslog from access devices are
correlated with user/device session
MnT
PSN
Syslog from firewall is correlated Syslog from other ISE nodes are
with guest access session sent to monitoring node for reporting
ISE Platforms For Your
Reference
• Single ISE node (Appliance or VM) can run

PAN, MnT, PSN, and pxGrid roles
simultaneously ESXi
KVM Virtual
Hyper-V Host
• For scaling beyond 50,000 endpoints, roles
will need to be dedicated and distributed
across multiple nodes
SNS 35xx/36xx or
Hardware Appliance
For Your
Reference
Monitoring and Troubleshooting Node
Dashboard
PAN
MnT
Monitoring and Troubleshooting Node For Your
Reference
Monitoring and Troubleshooting Tools For Your
Reference
Validate NAD configuration Capture traffic destined for ISE
……..0101111010000…
…..
Download debugs and support package Provide API for 3rd party applications
Session
Troubleshooting
Management
Change of
CRUD
Authorization
ISE Reporting For Your
Reference
Node Types
▪ Policy Administration Node (PAN)

– Interface to configure policies and manage ISE deployment
– Writeable access to the database
Can run in a
▪ Monitoring & Troubleshooting Node (MnT)
– Interface to reporting and logging
single host
– Destination for syslog from other ISE nodes and NADs
▪ Policy Service Node (PSN)

– Makes policy decisions
– RADIUS server & provides endpoint/user services
▪ pxGrid Controller
– Facilitates sharing of information between network systems
– Context In/Context-Out information exchange
Putting It All Together… For Your
Reference
Network Access Device Monitoring and Policy Service Node Policy Administration
Access-Layer Devices Troubleshooting The “Work-Horse”: RADIUS, Node: All Management UI Admin
Enforcement Point for all Logging and Profiling, WebAuth, Posture, Activities & synchronizing
Policy Reporting Data Sponsor Portal Client all ISE Nodes
Provisioning
NAD MnT PSN PAN PXG
Policy Sync
RADIUS from NAD to PSN Platform
eXchange Grid
Node: Share
RADIUS response from PSN to NAD PSN queries context in/out
User external database
RADIUS Accounting directly
Publish
syslog Config
Publish Sessions
ISE Node Personas = Functional Roles
Policy Administration Node Policy Service Node Monitoring and Network Access Device
All Management UI Activities RADIUS, Profiling, Web Auth, Troubleshooting Access-Layer Devices
Synchronizing all ISE Nodes Posture, Sponsor Portal, Client Logging and Enforcement Point for all
Provisioning Reporting Data Policy
PAN PSN NAD

MnT
SWITCHPORT
Admin
User All Policy is Synchronized
User
from PAN to PSNs
RADIUS From NAD to Policy Service Node
PSN Queries AD Directly
AD
RADIUS From PSN to NAD w/ Enforcement Result
RADIUS Accounting
Logging
Logging
#CLMEL © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 46
ISE Policy Architecture For Your
Reference
For Your
Reference
ISE Design and Deployment Terms
• Persona Deployment
Standalone = All personas (Admin/MnT/pxGrid/Policy Service) located on same node
Distributed = Separation of one or more personas on different nodes
• Topological Deployment
Centralized = All nodes located in the same LAN/campus network
Distributed = One or more nodes located in different LANs/campus networks
separated by a WAN
Standalone Deployment
All Personas on a Single Node: PAN, PSN, MnT, pxGrid
• Maximum sessions – Platform dependent

➢ 7,500 for 3515
ISE Node
➢ 10,000 for 3615
➢ 20,000 for 3595 Policy Administration Node
➢ 25,000 for 3655
➢ 50,000 for 3695 Monitoring and Troubleshooting Node
Policy Service Node
pxGrid Node
Activity Time !
Basic 2-Node ISE Deployment (Redundant)
• Maximum sessions– 50,000 (platform dependent—same as standalone)
• Redundant sizing – 50,000 (platform dependent—same as standalone)
ISE Node ISE Node

Primary Secondary
Admin Admin
Primary Secondary
Monitoring Monitoring
Primary Secondary
pxGrid pxGrid
Controller Controller
Basic 2-Node ISE Deployment (Redundant) For Your
Reference
Maximum Sessions = 50,000 (Platform dependent) Centralized
Admin (P) Admin (S) PSN

PXG PXG
MnT (P) MnT (S)
PSN PSN
• All Services run on both ISE Nodes

AD/LDAP
(External ID/ • Set one for Primary Admin / Primary MnT
Campus A
Attribute Store) • Set other for Secondary Monitoring / Secondary Admin
• Max Sessions is platform dependent:
ASA VPN • 3515 = Max 7.5k sessions
w/ CoA
• 3615 = Max 10k sessions
WLC • 3595 = Max 20k sessions
802.1X Switch
AP 802.1X • 3655 = Max 25k sessions
• 3695 = Max 50k sessions
Branch B
Branch A
Switch Switch
AP 802.1X AP 802.1X
Hybrid-Distributed Deployment
Admin + MnT on Same Appliance; Policy Service on Dedicated Appliance
• 2 x Admin+Monitor+pxGRID
PAN PAN
• Max 5 PSNs MnT
MnT
• Optional: Dedicate 2 of the 5 for pxGrid PXG PXG
• Max sessions – Platform dependent

➢ 7,500 for 3515 as PAN+MnT
➢ 10,000 for 3615 as PAN+MnT
➢ 20,000 for 3595 as PAN+MNT PSN PSN PSN PSN PSN
➢ 25,000 for 3655 as PAN+MnT
➢ 50,000 for 3695 as PAN+MnT
Basic Hybrid-Distributed Deployment For Your
Reference
Maximum Sessions = 50,000 / Maximum 5 PSNs
Admin (P) Admin (S) Policy Services
MnT (P) MnT (S) Cluster Distributed Policy
Services
PSN PSN PSN
PSN PSN
AD/LDAP
(External ID/ AD/LDAP
Attribute Store) (External ID/
Data DC B Attribute Store)
Center A
WLC
ASA VPN 802.1X
w/ CoA
Switch
802.1X AP
WLC
802.1X Switch
AP 802.1X • Dedicated Management Appliances
• Primary Admin / Primary MnT
• Secondary MnT / Secondary Admin
Branch B
Branch A • Dedicated Policy Service Nodes—Up to 5 PSNs
• No more than 50,000 Sessions Supported
Switch Switch
802.1X 802.1X
• 3615 as Admin/MnT = Max 10k sessions
AP AP • 3655 as Admin/MnT = Max 25k sessions
• 3695 as Admin/MnT = Max 50k sessions
Dedicated-Distributed Persona Deployment
Dedicated Appliance for Each Persona: Admin, Monitoring, pxGrid, Policy
• 2 x Admin and 2 x Monitoring and up to 4 x pxGrid
Optional
• Max PSNs (Platform dependent)
➢ 50 using 3595/3655/3695 as PAN and MnT
• Max sessions (Platform dependent) PAN MnT PXG
➢ 500k using 3595/3655/3695 as PAN and MnT
➢ 2M - 3695 as PAN/MNT on ISE 2.6 (DOT1X/MAB
only)
PSNs
Fully Dedicated-Distributed Deployment For Your
Reference
Maximum Sessions = 500,000 (2M dot1x/mab ONLY) / Maximum 50 PSNs
Admin (P) Monitor (P) Policy Services Cluster Distributed Policy

Admin (S) Monitor (S) Services pxGrid (S)
PAN MnT PSN PSN PSN PSN
PAN MnT PSN PSN PXG
AD/LDAP
pxGrid (P) PXG (External ID/ AD/LDAP
Center A
WLC
ASA VPN 802.1X
w/ CoA
Switch
802.1X AP
WLC
802.1X Switch
802.1X
AP
•Redundant, dedicated Administration and Monitoring nodes split across
data centers (P=Primary / S=Secondary)
Branch A
Branch B •Policy Service cluster for Wired/Wireless services at main campus
•Distributed Policy Service clusters for DR sites or larger campuses with
higher-bandwidth, lower-latency interconnects.
AP
Switch
AP
Switch •Centralized PSN clusters for remote Wired/Wireless branch devices
802.1X 802.1X
•VPN/Wireless at main campus
Multi-Interface Routing For Your
Reference
Policy Services Cluster

Admin (P) Monitor (P) pxGrid (P) Distributed Policy
Admin (S) Monitor (S) Services pxGrid (S)
PAN MnT PSN PSN PSN PSN PXG
PAN MnT PSN PSN PXG
AD/LDAP
(External ID/ AD/LDAP
DNS NTP SMTP
Center A DNS NTP SMTP
WLC
802.1X
Switch
802.1X AP
WLC
802.1X Switch
AP 802.1X
Branch A
Branch B
Switch Switch
AP 802.1X AP
802.1X
For Your
Reference
Session Scaling by Deployment Model 35xx
Minimum Nodes (Redundancy Included) ISE <2.6
(18) SNS-3595
(10) SNS-3595 (4) PXG (optional)
(2) SNS-3515 (2) SNS-3595 (6) SNS-3595 (2) PXG (optional)
(2-5) PSNs (2-5) PSNs (2) PXG (optional)
(2) SNS-3515 (2) SNS-3595

PXG PXG
PXG PXG
0 7,500 20,000 40,000 200,000 500,000
For Your
Reference
Session Scaling by Deployment Model 36xx
Minimum Nodes (Redundancy Included) ISE 2.6
(9) SNS-3655 (24) SNS-3695
(2) SNS-3615 (2) SNS-3655 (2) SNS-3695 (6) SNS-3655 (2) PXG (optional) (4) PXG (optional)
(2-5) PSNs (2-5) PSNs (2-5) PSNs (2) PXG (optional)
(2) SNS-3615 (2) SNS-3655 (2) SNS-3695

PXG PXG PXG
PXG PXG PXG
0 10,000 25,000 50,000 100,000 500,000 2,000,000
Why design is Important
Data Center
Branch Office
Radius
PAN PAN
MnT MnT
PSN
PSN PSN
pxGrid pxGrid
Data Center A Data Center B
PAN (P) PAN (S)
MnT (S) MnT (S)
pxGrid pxGrid
PSN PSN PSN PSN
PSN PSN
Data Center A Data Center B
PAN (P) PAN (S)
MnT (S) MnT (S)
pxGrid pxGrid
PSN PSN PSN PSN
PSN PSN
Nodes and Personas
Deployment Models and
Sizing
Scaling ISE
ISE Scaling Improvements For Your
Reference
ISE 2.1-2.4
• Max concurrent active sessions per deployment = 500k (up from 250k)
• Requires PAN and MnT nodes to be 3595 or VM equivalent
• Max Internal Endpoints = 1.5M (up from 1M)
• Max Internal Users = 300k (up from 25k)
• Max Network Access Devices = 100k (up from 30k)
• Max Network Device Groups = 10k (up from 100) ISE 2.3+
• Max PSNs per deployment = 50 (up from 40)

• Increased scale based on deployment model (max sessions):
Standalone or PAN+MnT
Dedicated PSN
deployment
SNS-3515 7,500 7,500
SNS-3595 20,000 40,000
ISE Scaling Improvements For Your
Reference
ISE 2.6+ - community link
• Max concurrent active sessions per deployment = 2M (up from 500k)
• 2m only for DOT1x/MAB New in ISE 2.6
• Requires PAN/MnT nodes to be 3695 or VM equivalent
• Max Internal Endpoints = 2M (up from 1.5M) New in ISE 2.6
• Max Internal Users = 300k
• Max Network Access Devices = 100k
• Max Network Device Groups = 10k
• Max PSNs per deployment = 50 Increased scale based on deployment model (max sessions):
Standalone or PAN+MnT
Dedicated PSN
deployment
SNS-3615 10,000 10,000
SNS-3655 25,000 50,000
SNS-3695 50,000 BRKSEC-3432 100,000
Session Agenda
Sizing Deployment and Nodes You Are Here

TACACS+ Design and

Profiling, TACACS+


Sizing Deployments
Scaling by Deployment/Platform/Persona (35xx)
Max Concurrent Session Counts by Deployment Model and Platform For Your
Reference
• By Deployment
Max Active Sessions Max # Dedicated Min # Nodes (no HA) /
Deployment Model Platform
per Deployment PSNs / PXGs Max # Nodes (w/ HA)
Stand- All personas on 3515 7,500 0 1/2
alone same node 3595 20,000 0 1/2
PAN+MnT+PXG on 3515 as PAN+MNT 7,500 5 / 2* 2/7
Hybrid same node;
3595 as PAN+MNT
Dedicated PSN 20,000 5 / 2* 2/7
3595 as PAN and MNT 500,000 50 / 4 3 / 58
Dedicated PAN and
Dedicated 3595 as PAN and
MnT nodes
Large MNT 500,000 50 / 4 3 / 58
• By PSN Max Active Sessions != Max Endpoints; ISE 2.1-2.4 supports 1.5M Endpoints
Max Active Sessions per
Scaling per PSN Platform PSN *Each dedicated pxGrid node
reduces PSN count by 1
Dedicated Policy nodes SNS-3515 7,500
(Max Sessions Gated by Total (Medium deployment only)
Deployment Size) SNS-3595 40,000
Scaling by Deployment/Platform/Persona (36xx)
Max Concurrent Session Counts by Deployment Model/Platform 2.6 For Your
Reference
• By Deployment
Max Active Sessions Max # Dedicated Min # Nodes (no HA) /
per Deployment PSNs / PXGs Max # Nodes (w/ HA)
3615 10,000 0 1/2
Stand- All personas on
alone same node 3655 25,000 0 1/2
3695 50,000 0 1/2
PAN+MnT+PXG on 3615 as PAN+MNT 10,000 5 / 2* 2/7
Hybrid same node; 3655 as PAN+MNT 25,000 5 / 2* 2/7
Dedicated PSN 3695 as PAN+MNT 50,000 5 / 4* 2/7
Dedicated PAN and 3655 as PAN and MNT 500,000 50 / 4 3 / 58
Dedicated
MnT nodes 3695 as PAN & MNT 500k (2M RAD ONLY) 50 / 4 3 / 58
• By PSN Max Active Sessions != Max Endpoints; ISE 2.6+ supports 2M Endpoints (dot1x/mab ONLY)
Max Active Sessions per
Scaling per PSN Platform PSN *Each dedicated pxGrid node
reduces PSN count by 1
Dedicated Policy nodes SNS-3615 10,000
(Medium deployment only)
(Max Sessions Gated by Total SNS-3655 50,000
Deployment Size) SNS-3695 100,000
Policy Service Node Sizing
Physical and Virtual Appliance Guidance
• Max Sessions Per Appliance for Dedicated PSN

Form Platform Size Appliance Maximum General VM appliance sizing
Factor Sessions
guidance:
Small SNS-3515 7,500
Large SNS-3595 40,000 1) Select physical appliance
Physical Small SNS-3615 10,000 that meets required
Medium SNS-3655 50,000 persona and scaling
Large SNS-3695 100,000 requirements
Virtual S/M/L VM *7,500-100,000 2) Configure VM to match
or exceed the ISE physical
appliance specifications
SNS appliances have unique UDI from manufacturing. If use
general UCS appliance, then must deploy as VM 3) 2.6 required for SNS-36xx
scale
Appliance Hardware Specifications 34/35xx For Your
Reference
Basis for Virtual Appliance Sizing and Redundancy - 35xx required for 2.4
SNS-3500 Series
• ISE SNS Appliance Specifications
SNS-3415 SNS-3495 SNS-3515 SNS-3595
Platform
(34x5 Small) (34x5 Large) (35x5 Small) (35x5 Medium)
1 x QuadCore 2 x QuadCore 1 x 6-Core 1 x 8-Core
Intel Xeon CPU E5-2609 Intel Xeon CPU E5-2609 Intel Xeon CPU E5-2620 Intel Xeon CPU E5-2640
Processor
@ 2.40 GHz @ 2.40 GHz @ 2.30 GHz @ 2.60 GHz+20MB Cache
(4 total cores) (8 total cores) (6 total cores) (8 total cores)
Memory 16 GB 32 GB 16 GB 64 GB
1 x 600-GB 10k SAS HDD 2 x 600-GB 10k SAS HDDs 1 x 600-GB 10k SAS HDD 4 x 600-GB 10k SAS HDDs
Hard disk
(600 GB total disk space) (600 GB total disk space) (600 GB total disk space) (1.2 TB total disk space)
No (1GB FBWC Yes (RAID 10)
RAID No Yes (RAID 1)
Controller Cache) (1GB FBWC Cache)
2 x Integrated GE Ports 2 x Integrated GE Ports
Ethernet
4x Integrated Gigabit NICs 4 x Integrated Gigabit NICs 4x mLOM GE Ports 4x mLOM GE Ports
NICs
(6 total LAN ports) (6 total LAN ports)
Redundant
No (2nd PSU optional) Yes No (2nd PSU optional) Yes
Power?
Appliance Hardware Specifications 36xx For Your
Reference
Basis for Virtual Appliance Sizing and Redundancy – supports ISE 2.4+
SNS-3615 SNS-3655 SNS-3695
Platform
(36x5 Small) (36x5 Medium) (36x5 Large)
Intel Xeon CPU 4410 Intel Xeon CPU 4416 Intel Xeon CPU 4416
Processor @ 2.10 GHz @ 2.10 GHz @ 2.10 GHz
(8 total cores) (12 total cores) (12 total cores)
Memory 32 GB 96 GB 256 GB
8 x 600-GB, 6Gb 10k SAS
1 x 600-GB, 6Gb 10k SAS HDD 4 x 600-GB, 6Gb 10k SAS HDDs HDDs
Hard disk
(600 GB total disk space) (1200 GB total disk space) (2400G total disk space)
RAID No Level 10 Level 10

Ethernet 2x 10Gbase-T 2x 10Gbase-T 2x 10Gbase-T
NICs 4x 1GBase-T 4x 1GBase-T 4x 1GBase-T
1x 770W
Redundant Optional
2x 770W 2x 770W
Power? UCSC-PSU1-770W BRKSEC-3432
Session Agenda
Platforms – Hardware and VM’s You Are Here

TACACS+ Design and

Profiling, TACACS+


Sizing Deployments
Sizing Production VMs to Physical Appliances
Summary
Appliance used for sizing CPU Memory Physical Disk

comparison # Cores Clock Rate* (GB) (GB) **
SNS-3515 6 2.4 16 600
SNS-3595 8 2.6 64 1,200
SNS-3615 8 2.1 32 600
SNS-3655 12 2.1 96 1,200
SNS-3695 12 2.1 256 1,200/2,400
* Minimum VM processor clock rate = 2.0GHz per core (same as OVA).
** Actual disk requirement is dependent on persona(s) deployed and other factors. See slide on
Disk Sizing.
Warning: # Cores not always = # Logical processors / vCPUs due to Hyper Threading
*REQUIRED*
Configuring CPUs in VMware
• ESXi 5.x Example Configure CPU
based on cores.
If HT enabled,
logical CPUs
effectively
doubled, but #
physical cores is
same.
• ESXi 6.x Example
For Your
Reference
Setting Memory Allocations in VMware For Your
Reference
Guest VM Resource Reservations and Limits
• CPU Example • Memory Example
Set Reservation to
Minimum VM appliance Optionally set CPU allocation limit Similar settings apply to Max
specs to ensure required >= Min ISE VM specs to prevent Allocation and Min Reservations for
CPU resources available over-allocation when actual CPU Memory.
and not shared with other assigned exceeds ISE VM
VMs. requirements.
Setting CPU and Memory Allocations in VMware
Guest VM Resource Reservations and Limits
For Your
Reference
•
4
Set Reservation to Minimum VM
appliance specs to ensure required
CPU resources available and not
shared with other VMs.
“All Locked” is optional. It allows VM

to automatically adjust reservations
to Memory allocation setting.
Otherwise, changes to mem
Similar settings apply to Max Allocation and allocation require manual adjustment
Min Reservations for Memory. to reservations.
• “Eval” OVA for PoC/Lab testing up to 100 Endpoints (no resv), 8 gig min if using
dot1x/mab only
ISE OVA Templates • All 3xx5 templates reserve CPU and Memory and require hyperthreading
• If require more custom disk option, then deploy .iso
Summary • Disks up to 2.4TB supported for greater MnT storage – requires EFI BIOS in vmware
• ISE 2.6 required for 36xx specs
CPU Virtual Virtual Target

OVA Template Name Virtual
# Clock Rate Total CPU Memory NICs Node
ISE-[version]-virtual- Disk Size
Cores (GHz) (MHz) (GB) (GB) Type
eval.ova 2 2.0 4,000 8 4 200GB EVAL
200GB PSN/PXG
SNS3515-[disk].ova 6 2.0 12,000 16 6
600GB PAN/MnT
200GB PSN/PXG
SNS3595-[Disk].ova 8 2.0 16,000 64 6
1.2TB PAN/MnT
200GB PSN/PXG
SNS3615-[Disk].ova 8 2.0 16,000 32 6
600GB PAN/MnT
200GB PSN/PXG
SNS3655-[Disk].ova 12 2.0 24,000 96 6 1.2TB PAN/MnT
SNS3695-[Disk].ova 12 2.0 24,000 256 6 2.4TB PAN/MnT
Examples: Resource Reservations

• ISE-2.3.0.298-virtual-200GB-SNS3515.ova For Your
• ISE-2.4.0.357-virtual-SNS3515-Small-200GBHD-16GBRAM-12CPU.ova Reference
ISE 2.6 OVA Files
Reduced amount of files – using deployment options
OVA FileName Deployment Platform # of vCPUs Memory Disk Capacity

Options Profile (HT (GB) (GB)
enabled)
ISE-2.6.0.156-virtual-SNS3615-SNS3655- Eval eval 2 8 200

200.ova small sns3615 16 32
medium sns3655 24 96
ISE-2.6.0.156-virtual-SNS3615-SNS3655- Small sns3615 16 32 600
600.ova Medium sns3655 24 96
ISE-2.6.0.156-virtual-SNS3655-SNS3695- Medium sns3655 1,200
1200.ova 24 96
Large sns3695
24 256
ISE-2.6.0.156-virtual-SNS3695-2400.ova LARGE MNT sns3695 2,400
24 256
ISE now supports deployment options in OVA
ESX embedded UI has a bug with (doesn’t work with 2 options) 600, 1.2TB
Vcenter works for all OVA files
vCenter 6x with HTML5
ESXi embedded host client
https://kb.vmware.com/s/article/2150338 —
Supported functionality in the HTML5 vSphere
Client for vSphere 6.5 & vSphere 6.7 (2150338)
For Your
Reference
Because memory, max

sessions, and other table
spaces are based on
Why Do I Care? Persona and Platform
Profile
ISE Platform Properties For Your
Reference
Minimum VM Resource Allocation – OLD INFO
Minimum Minimum Minimum
Platform Profile
CPUs RAM Disk • Least Common
2 4 100 GB EVAL Denominator used to
set platform.
4 4 200GB IBM_SMALL_MEDIUM
4 4 200GB IBM_LARGE • Example:
4 cores
4 16 200GB UCS_SMALL 32GB RAM
8 32 200GB UCS_LARGE = UCS_SMALL
12 16 200GB SNS_3515
Assumes
16 64 200GB SNS_3595 HyperThreading
Enabled
16 256 200GB SNS_3595 <large>
Reference
How Does ISE Detect the Size of my Virtual Machine?
• During Installation, ISE checks # CPU cores, RAM, and Disk Space allocated and
assigns platform profile
• Profile recalculated if...
• Resources change (RAM/CPU cores)
• Persona changes on ISE (node-config.rc).
• Note: Disk size changes NEVER get updated in ISE without reimage.
• Persona change from ISE deployment page will trigger profile recalculation.
• May be out of sync due to upgrade of resources after initial install
• Migration from eval/PoC
• Resources added to meet version or capacity requirements
• Least Common
ISE Platform Properties Denominator used to
Minimum VM Resource Allocation for SNS35xx/36xx set platform.
Minimum Minimum Minimum • Example:
Platform Profile
CPUs RAM Disk 4 cores
2 16 200GB EVAL 16 GB RAM
= EVAL
12 16 200GB SNS_3515
35xx
16 64 200GB SNS_3595
16 256 200GB “Super MnT” <custom> More to come! On
2.4
16 32 200GB SNS_3615
36xx
24 96 200GB SNS_3655
24 256 200GB SNS_3695 • Small -3515 & 3615
• Medium - 3595 & 3695
35xx/36xx Newer platforms require
• Large - 3695
hyperthreading
ISE OVA Templates For Your
Reference
Vmware 6.5 support for ISE 2.4, 6.x supported for 2.6 OVAs
ISE OVA Templates For Your
Reference
Vmware 6.5
Platform.properties
For Your
Reference
Platform Detection and Sizing
Platform CPU CPU Total Assume Hyper- Total Logical
Slots Physical Threading Processors
Cores Enabled
SNS-3515 1 Intel Xeon E5-2620 6 Yes 12
SNS-3595 1 Intel Xeon E5-2640 8 Yes 16
SNS-3615 1 Intel Xeon 4110 8 Yes 16
EVAL < 16 GB & < 4 CPU cores
sns3515 (SNS-3515) >=16 GB RAM; >=12 CPU cores
sns3595 (SNS-3595) >=64 GB RAM; >=16 cores CPU
superMNT <custom> >=256 GB RAM; >=16 cores CPU
Platform Detection and Sizing For Your
Reference
Verify what ISE is seeing
• CPU
• # sh cpu
• Mem
• # sh mem
• Detected Platform
• # sh tech-support
PlatformProperties show inventory: Process Output:
Profile : UCS_SMALL
Current Memory Size : 15927532
ISE Platform Properties
Verify ISE Detects Proper VM Resource Allocation
• From CLI...
• ise-node/admin# show tech | begin PlatformProperties
UCS_SMALL
• From Admin UI (ISE 2.2 +)

• Operations > Reports > Reports >
Diagnostics > ISE Counters > [node]
(Under ISE Profile column)
Reference
Forcing ISE to Recognize New Resource Allocations
• From CLI...
• Requires TAC support to make changes
via root patch
• May be required if application server stuck
(cannot acceess Admin UI)
• From Admin UI...

• Administration > Deployment > [node]
• Toggle persona change
(Make change, save, then revert)
such as Device Admin or a service not
currently in user.
ISE Hypervisor Support For Your
Reference
• ISE 1.0+ VMware ESXi 5.x / 6.x
• ISE 2.0+ RHEL 7.0 or Ubuntu 14.04 LTS
• ISE 2.2+ MS Windows 2012 R2 or later
Note: NIC order normal if < 4 VM NICs.
ISE Virtual OS and NIC Support
OVAs have 4 NICs, so E1000 NICs used to
For Your avoid order confusion.
Reference
• ISE 2.0/2.1 Notes for VMware Virtual Appliance installs using ISO image
• VMware ESXi 5.x / 6.x (OVA recommended):
• Linux KVM • Choose Redhat Linux 7 (64-bit) (ISE 2.0.1+)
• Manually enter resource reservations
• ISE 2.2+
• VMware ESXi 5.x / 6.x Virtual Network Interfaces
• Linux KVM • Choose either E1000 or VMXNET3 (default)
• RHEL 7.0 or Ubuntu 14.04 LTS • ISE 2.0+ supports up to (6) Network Adapters
• Microsoft Hyper-V on 2012R2 or later • ESX Adapter Ordering Based on NIC Selection:
ADE-OS ISE E1000 VMXNET3
• ISE 2.6+
eth0 GE0 1 4
• Linux KVM RHEL 7.3
eth1 GE1 2 1
• Release notes & install guide eth2 GE2 3 2
eth3 GE3 4 3
Bootable USB: http://www.linuxliveusb.com/ eth4 GE4 5 5
eth5
#CLMEL
GE5
BRKSEC-3432
6 6
ISE VM Disk Storage Requirements For Your
Reference
Minimum Disk Sizes by Persona 2.x
• Upper range sets #days MnT log retention
• Min recommended disk for MnT = 600GB Persona Disk (GB)
Standalone 200+*
• Max hardware appliance disk size = 1.2TB
(3595/3655) 2.4TB (3695) Administration (PAN)
200-300**
Only
• Max virtual appliance disk size = 1.99TB (<2.6) Monitoring (MnT) Only 200+*
2.4TB (2.6) Policy Service (PSN)
200
** Variations depend on where backups saved or Only
upgrade files staged (local or repository), PAN + MnT 200+*
debug, local logging, and data retention PAN + MnT + PSN 200+*
requirements.
ISE VM Disk Storage Requirements For Your
Reference
• 2.0TB+ requires EFI (default is BIOS) – tested up to 2.4TB
VM Disk Allocation For Your
Reference
CSCvc57684 Incorrect MnT allocations if setup with VM
disk resized to larger without ISO re-image
• ISE OVAs prior to ISE 2.2 sized to

200GB. Often sufficient for PSNs or Accessible to
pxGrid nodes but not MnT. VM but not
Add
• Misconception: Just get bigger tank 400GB ISE
and ISE will grow into it!
VM disk
• No auto-resize of ISE partitions when
disk space added after initial software ISE Total ISE
install 200GB disk =
OVA 200GB
• Requires re-image using .iso
• Alternatively: Start with a larger OVA
MNT
MnT Node Log Storage Requirements for RADIUS For Your
Reference
Days Retention Based on # Endpoints and Disk Size (ISE 2.2+)

Total Disk Space Allocated to MnT Node
2400 GB
200 GB 400 GB 600 GB 1024 GB 2048 GB (2.6)
504 1007 1510 2577 5154 6665 ISE 2.2 = 50% days
5,000 increase over 2.0/2.1
Total Endpoints
10,000 252 504 755 1289 2577 3081

ISE 2.3 = 25-33%
25,000 101 202 302 516 1031 1233 increase over 2.2
50,000 51 101 151 258 516 617 ISE 2.4 = 40-60%
26 51 76 129 258 309 increase over 2.2
100,000
150,000 17 34 51 86 172 206
Assumptions:
200,000 13 26 38 65 129 155 • 10+ auths/day per
250,000 11 21 31 52 104 125 endpoint
500,000 6 11 16 26 52 63 • Log suppression
enabled
2M 1 2 4 6 12 14
• ~approzimations
Based on 60% allocation of MnT disk to RADIUS logging
(Prior to ISE 2.2, only 30%
#CLMEL
allocations)
For Your
Reference
MnT Node Log Storage Requirements for T+
Days Retention Based on # Managed Network Devices and Disk Size
Total Disk Space Allocated to MnT Node
200 GB 400 GB 600 GB 1024 GB 2048 GB 2400 GB
100 12,583 25,166 37,749 64,425 128,850 154,016 ISE 2.3+
optimizations do
500 2,517 5,034 7,550 12,885 25,770 30,804
not apply to T+
1,000 1,259 2,517 3,775 6,443 12,885 15,402 logging
Total NADs
5,000 252 504 755 1,289 2,577 3,081

Assumptions:
10,000 126 252 378 645 1,289 1,541
• Script runs
25,000 51 101 151 258 516 617 against all NADs
50,000 26 51 76 129 258 309 • 4 sessions/day
75,000 17 34 51 86 172 206 • 5 commands/
session
100,000 13 26 38 65 129 155
Based on 60% allocation of MnT disk to TACACS+ logging

(Prior to ISE 2.2, only 20%
#CLMEL allocations)
RADIUS and TACACS+ For Your
Reference
MnT Log Allocation
• Administration > System > Maintenance > Operational Data Purging
Total Log Allocation • 60% total disk allocated to both RADIUS and
TACACS+ for logging
RADIUS T+ 80% Purge (Previously fixed at 30% and 20%)
• Purge @ 80% (First In-First Out)
• Optional archive of CSV to repository
384 GB
M&T_PRIMARY
Radius : 67 GB
Days : 24
ISE VM Disk Provisioning Guidance
• Please! No Snapshots! IO Performance Requirements:
• Snapshots NOT supported; no option ➢ Read 300+ MB/sec
to quiesce database prior to snapshot.
➢ Write 50+ MB/sec
• VMotion supported but storage
motion not QA tested. Recommended disk/controller:
• Recommend avoid VMotion due to ➢ 10k RPM+ disk drives
snapshot restrictions. ➢ Supercharge with SSD !
• Thin Provisioning supported ➢ Caching RAID Controller
• Thick Provisioning highly recommended, especially for ➢ RAID mirroring
PAN and MnT) Slower writes using RAID 5*
• No specific storage media and file system
restrictions. *RAID performance levels:
http://www.datarecovery.net/articles/raid-level-
• For example, VMFS is not required and NFS allowed comparison.html
provided storage is supported by VMware and meets ISE http://docs.oracle.com/cd/E19658-01/820-4708-
IO performance requirements. 13/appendixa.html
ISE VM Provisioning Guidance
• Use reservations (built into OVAs)
• Do not oversubscribe!
Customers with VMware expertise may choose to
disable resource reservations and over-subscribe,
but do so at own risk.
ISE Disk IO Performance Testing For Your
Reference
Sample Tests With and Without RAID Controller Caching
• Caching Disabled
• Average Write ~ 25 MB/s
• Caching Enabled
• Average Write ~ 300 MB/s
• > 10x increase!
ISE Disk IO Performance Testing For Your
Reference
Sample Tests Using Different RAID Config and Provisioning Options
• 2x Write performance increase using Eager vs Lazy 0
• Note: IO performance equalizes once disk blocks written
• 5x Write performance increase using RAID 10 vs RAID 5
Write Perf ↑ Write Perf ↑ Write Perf ↑
RAID Config Read Write
over 1 over 2 over 3
1 RAID 5: 4-Disk Lazy Zero 697 MB/s 9 MB/s NA NA NA
2 RAID 5: 4-Disk Eager Zero 713 MB/s 16 MB/s 78% (~2x) NA NA
3 RAID 10: 4-Disk Eager Zero 636 MB/s 78 MB/s 767% (~10x) 388% (~5x) NA
4 RAID 10: 8-Disk Eager Zero 731 MB/s 167 MB/s 1756% (~20x) 944% (~10x) 114% (~2x)
Read Performance roughly the same Write Performance impact by RAID config
VM Appliance Resource Validation Before Install
For Your
Reference
Validate VM Readiness
BEFORE Install &
Deploy
VM Appliance Resource Validation During Install
For Your
Reference
VM Installation – Absolute Minimum Requirements
• ISE 2.x install will not
even proceed without:
• 4GB RAM
• 2 CPU Cores
• 100GB Disk
• Rec minimum 8GB RAM
& 200Gig Disk
• Absolute minimum
settings used for ~20
sessions in evaluation
setup only.
For Your
Reference
VM Appliance Resource Validation After Install
ISE continues to test I/O read/write performance on 3-hour intervals For Your
Reference
ise-psn2/admin# show tech | begin "disk IO perf"

Measuring disk IO performance
*****************************************
Average I/O bandwidth writing to disk device: 194 MB/second
Average I/O bandwidth reading from disk device: over 1024 MB/second
I/O bandwidth performance within supported guidelines
Disk I/O bandwidth filesystem test, writing 300 MB to /opt:
314572800 bytes (315 MB) copied, 1.47342 s, 213 MB/s
Disk I/O bandwidth filesystem read test, reading 300 MB from /opt:
314572800 bytes (315 MB) copied, 0.0504592 s, 6.2 GB/s
Alarm generated if 24-hr average

below requirements
VM Appliance Resource Validation After Install
ISE continues to test I/O read/write performance on 3-hour intervals For Your
Reference
ise-psn2/admin# show tech | begin "disk IO perf"

Measuring disk IO performance
*****************************************
Average I/O bandwidth writing to disk device: 194 MB/second
Average I/O bandwidth reading from disk device: over 1024 MB/second
I/O bandwidth performance within supported guidelines
Disk I/O bandwidth filesystem test, writing 300 MB to /opt:
314572800 bytes (315 MB) copied, 1.47342 s, 213 MB/s
Disk I/O bandwidth filesystem read test, reading 300 MB from /opt:
314572800 bytes (315 MB) copied, 0.0504592 s, 6.2 GB/s
Alarm generated if 24-hr average

below requirements
General ISE VM Configuration Guidelines For Your
Reference
Oversubscription of CPU, Memory, or Disk storage NOT recommended – All VMs should have 1:1
mapping between virtual hardware and physical hardware.
CPU: Map 1 VM vCPU core to 1 physical CPU core.
• Total CPU allocation should be based on physical CPU cores, not logical cores, but with HT enabled, you must
allocate double the # logical CPUs to ISE VM.
Memory: Sum of VM vRAM may not exceed total physical memory on the physical server.
• Additional 1 GB+ of physical RAM must be provisioned for hypervisor itself (this is to cover overhead to run
VMs). Refer to hypervisor release notes for actual requirements.
Disk: Map 1 GB of VM vDisk to 1 GB of physical storage.

• Additional disk space may be required for VMware operations including snapshots.
In general, OVAs help simplify install + reserve resources, but be aware of custom disk sizes and
CSCvh71644 – OVAs allocating only ½ required CPUs (OK in 2.4+)
Introducing “Super” MnT
For Any Deployment where High-Perf MnT Operations Required
Introducing “Super” MnT
For Any Deployment where High-Perf MnT Operations Required
• ISE 2.4 Virtual Appliance Only option MnT

• Requires Large VM License
• 3595 specs + 256 GB (3695 appliance/VM 2.6)
• 8 cores @ 2GHz min (16000+ MHz)
= 16 logical processors
• 256GB RAM
• Up to 2TB* disk w/ fast I/O
• Fast I/O Recommendations:
• Disk Drives (10k/15k RPM or SSD)
* CSCvb75235 - DOC ISE VM installation can't be
• Fast RAID w/Caching (ex: RAID 10) done if disk is greater than or equals to 2048 GB
• More disks (ex: 8 vs 4) or 2 TB, fixed in 2.6
ISE 2.4 MnT+ Fast Access to Logs and Reports
Live Logs / Live Sessions
Reports
ISE 2.4 MnT Vertical Scaling Scaling Enhancements
Benefits MnT
Faster Live Log Access on ALL ISE
•Run session directory tables from pinned memory platforms
•Tables optimized for faster queries
Faster Report & Export Performance

•Report related tables pinned into memory for faster retrieval.
•Optimize tables based on platform capabilities.
Collector Throughput improvement

•Added Multithreaded processing capability to collector.
•Increased collector socket buffer size to avoid packet drops.
Major Data Reduction

•Remove detailed BLOB data > 7 days old (beyond 2.3 reductions)
•Database optimizations resulting in up to 80% efficiencies
For Your
• Differentiated the data/columns into 2 parts. Reference
• --Details data, for short retention and is amounting around 80% of the MNT DB.
• --Reports data, for long term retention and is amounting to 20%.
• Normalized big tables, Radius auth/ Radius acc into multiple small tables as per the observed data patterns.
• Reduced redundant data volume by de-duplicating (sample data volume of 14 Million records reduced to 1k-
3k records in normalized tables).
• The data size got reduced by approximately 80% after Normalization/De-duplication.
• Tables with more recent data like live logs are pinned to memory.
• Tables containing frequently searched data like Endpoints, NADs and Auth data is also pinned to memory.
• Tables with details data has been separated and not pinned to memory.
• Purging has been removed for Endpoints, NADs etc.,
• Retaining max one week data of Radius Auth details.
Results
For Your
Scaling: Reference
• Normalisation and Deduplication helped to reduce data size drastically.
• With the separated main report data, we are able to store 20 times more than current data for same disk
usage.
• We are able to store 2 Million endpoints at least 4-6 months after the changes.
Performance:
• Search timings on the normalized tables improved from 10 min to 0.2 – 4 seconds, due to their small sized
tables(in kb and mb only)
• By reducing the data size more data is pinned to memory that improved overall performance.
• Time taken to generate report with NAD search resulted in 548409 records got reduced from 7 minutes to 3
seconds
• Time taken to generate report with Endpoint search resulted in 8 records got reduced from 8 minutes to 0.4
seconds
For Your
Reference
ISE 2.4 Super MnT
Scale Test Results/Observations
Scenarios Results Results Performance
(256GB RAM (256GB RAM Gain
+ 4 HDDs) + 8 HDDs)
Live Log: initial load of live log page 30 Sec 10 Sec 67%
Live Log : show 100 records within Last 3 hours 20 Sec 5 Sec 75%
Live Log with Filters: Identity (Scale) 55 Sec 25 Sec 55%
Live Log with Filters: (Network device name) 40 Sec 15 Sec 63%
Reports: single session Today Launch 42 Sec 5 Sec 88%
Reports: single session 30 Days Launch 180 Sec 75 Sec 58%
Session Agenda
Bandwidth and Latency You Are Here

TACACS+ Design and

Profiling, TACACS+


Sizing Deployments
Bandwidth and Latency
Bandwidth and Latency
• Bandwidth most critical between:
• PSNs and Primary PAN (DB Replication)
• PSNs and MnT (Audit Logging)
• Latency most critical between PSNs and Primary PAN.
PAN MnT PAN MnT PSN PSN
PSN PSN
PSN PSN PSN PSN
PSN PSN PSN PSN
PSN PSN
` PSN PSN
Starting in ISE RADIUS

2.1: 300ms
PSN PSN
Max round-trip PSN PSN
WLC Switch
(RT) latency
between any RADIUS generally requires much less bandwidth and is more tolerant of
higher latencies – Actual requirements based on many factors including
two ISE nodes # endpoints,
#CLMEL auth rate and protocols
Have I Told You My Story Over Latency Yet?
“Over Latency?” “No. I Don’t Think I’ll Ever Get Over Latency.”
• Latency guidance is not a “fall off the cliff” number, but a guard rail based on what QA has
tested.
• Not all customers have issues with > 300ms while others may have issues with <100ms latency
due to overall ISE design and deployment.
• Profiler config is primary determinant in replication requirements between PSNs and PAN
which translates to latency.
• When providing guidance, max 300ms roundtrip latency is the correct response
from SEs for their customers to design against.
What if Distributed PSNs > 300ms RTT Latency?
< 300 ms
> 300 ms
#CLMEL BRKSEC-3432 © 2019

© 2016 Cisco
Cisco and/or
and/or its its affiliates.
affiliates. AllAllrights
rightsreserved.
reserved. Cisco
CiscoPublic
Public 122
Option #1: Deploy Separate ISE Instances
Per-Instance Latency < 300ms
PAN MnT PAN MnT PSN PSN PAN MnT PAN M
WLC
PSN PSN PSN PSN PSN
PSN PSN PSN P
PSN PSN PSN PSN PSN PSN PSN
PSN PSN PSN PSN PSN PSN Switch PSN
RADIUS
PAN MnT P
PSN PSN
< 300 ms PSN PSN
PSN P
> 300 ms WLC Switch PSN PSN
PSN PSN
WLC Switch
#CLMEL BRKSEC-3432
Option #2: Centralize PSNs Where Latency < 300ms
For Your
Reference
RADIUS
Switch
RADIUS
< 300 ms
> 300 ms
Deploy Local Standalone ISE Nodes as “Standby”
Local Standalone nodes can be deployed to
remote locations to serve as local backups in
case of WAN failure, but will not be synced to
centralized deployment.
PSN
Switch
PSN
For Your
Reference
Access Devices Fallback to Local PSNs on WAN Failure
• Access Devices point to local ISE nodes as
tertiary RADIUS Servers.
• Backup nodes only used if WAN fails
• Standalone ISE Nodes can still log to
centralized MNT nodes.
-- Use TCP Syslog to Buffer logs
PSN
PSN
For Your
Reference
More on NAD Fallback and Recovery strategies
under the High Availability
#CLMEL section.
ISE Bandwidth Calculator (Single-Site) For Your
Reference
ISE 1.x
https://community.cisco.com/t
5/security-documents/ise-
latency-and-bandwidth-
calculators/ta-p/3641112
ISE Bandwidth Calculator – Updated for ISE 2.1+
ISE 2.x
Note:
Bandwidth
required for
RADIUS traffic
is not included.
Calculator is
focused on
inter-ISE node
bandwidth
requirements.
Available to customers @ https://community.cisco.com/t5/security-documents/ise-latency-and-

bandwidth-calculators/ta-p/3641112
ISE Bandwidth Calculator Assumptions For Your
Reference
• ISE Auth Suppression enabled
• Max round-trip latency between any two ISE
• Profiling Whitelist Filter enabled
nodes is currently set at 300ms
• One node group per location
• For Single-Site calculation, primary PAN and MnT nodes are deployed in primary DC to which
bandwidth is calculated; For Multi-Site calculation, primary PAN is deployed in primary DC.
• Mobile endpoints authenticate/reauthenticate as frequently as 10/hr and refresh IP 1/hr
• Non-Mobile endpoints authenticate/reauthenticate no more than once per Reauth Interval and
refresh IP address no more than once per DHCP renewal (1/2 Lease Period)
• Bandwidth required for NAD or Guest Activity logging is not included. These logging activities
are highly variable and should be treated separately based on deployment requirements.
• Bandwidth required for general RADIUS auth and accounting traffic is not included. RADIUS
traffic is generally less significant but actual requirement is highly contingent on multiple factors
including total active endpoints, reauth intervals, and the authentication protocols used.
• Deployments where all ISE nodes are deployed in one location are not considered by this
calculator. All nodes deployed in the same location are assumed to be connected by high-speed
LAN links (Gigabit Ethernet or higher)
Session Agenda
Scaling ISE Services You Are Here

TACACS+ Design and

Profiling, TACACS+


Sizing Deployments
Scaling ISE Services Agenda
• Active Directory and LDAP Integration
• Passive Identity and Easy Connect
• Guest and Web Authentication
• Compliance Services—Posture and MDM
• TACACS+ Design and Scaling
• Profiling and Database Replication
• MnT (Optimize Logging and Noise Suppression)
ISE Personas and Services Session Services includes base user
services such as RADIUS, Guest,
Enable Only What Is Needed !! Posture, MDM, BYOD/CA
• ISE Personas:
• PAN
• MNT
• PSN
• pxGrid
• PSN Services • Avoid unnecessary

• Session
overload of PSN
• Profiling
• TC-NAC
services
• ISE SXP • Some services should
• Device Admin be dedicated to one or
(TACACS+) more PSNs
• Passive Identity
(Easy Connect)
ISE Personas and Services For Your
Maximum Personas and PSN nodes running service Reference
Maximum
Persona / Service Comments
Nodes
PAN 2 Admin UI restricts to 2
MnT 2 Admin UI restricts to 2
pxGrid 4 Increased from 2 in ISE 2.4
PSN 50 Requires 3595/3655/3695
PAN/MnT
Session 50
Profiling 50 Typically enabled w/Session
TC-NAC 1 Admin UI restricts to 1
ISE SXP 4 Up to 2 SXPSN pairs
Device Admin (T+) 50 Typically 2 sufficient
Passive Identity Multiple 2+ recommended for WMI
Session Agenda
Radius, Web Auth, Profiling, TACACS You Are Here

TACACS+ Design and

Profiling, TACACS+


Sizing Deployments
Scaling RADIUS, Web, Profiling, and TACACS+ w/LB
• Policy Service nodes can be configured in a cluster behind a load balancer (LB).
• Access Devices send RADIUS and TACACS+ AAA requests to LB virtual IP.
PSNs (User
Services)
Load Balancing covered

under the High Availability Load Balancers
Section
Virtual IP
Network
VPN Access
Devices
Auth Policy Optimization (ISE 2.2 and Earlier) For Your
Reference
Leverage Policy Sets to Organize and Scale Policy Processing
Policy Set
Condition
Authentication
Authorization
Policy Sets
Administration > System > Settings > Policy Sets
BRKSEC-3432 #CLMEL © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 137
Policy Sets For Your
Reference
Standard Equipment under new ISE 2.3 Policy User Interface
• No Authentication Outer Rule – Now part of Policy Set
Policy Set Condition Allowed Protocol Hit Counts

or RADIUS Proxy
23456
Auth Policy Optimization • Policy Logic:
Avoid Unnecessary External Store Lookups o First Match, Top Down
o Skip Rule on first negative condition
match
• More specific rules generally at top
• Try to place more “popular” rules
before less used rules.
Example of a Poor Rule: Employee_MDM For Your

• All lookups to External Policy and ID Stores Reference
performed first, then local profile match!
Auth Policy Optimization For Your
Reference
Rule Sequence and Condition Order is Important!
Example #1: Employee Example #2: Employee_CWA
1. Endpoint ID Group 1. Location (Network Device Group)
2. Authenticated using AD? 2. Web Authenticated?
3. Auth method/protocol 3. Authenticated via LDAP Store?
4. AD Group Lookup 4. LDAP Attribute Comparison
Auth Policy Policy Set
ISE 2.3 Example Condition
Authentication
Authorization
For Your
Reference
Auth Policy Policy Set
ISE 2.3 Example Condition
Authentication
For Your
Reference Authorization
• Nested Conditions
• “IS NOT” insertion
• Simplified Boolean
(AND/OR) logic
• Condition Library
with Drag & Drop
• Rule Hit Counts
• Policy Logic:
Auth Policy Optimization o First Match, Top Down
o Skip Rule on first negative match
ISE 2.3 Bad Example
• More specific rules generally at top
1. AD Groups
2. AD Attributes
For Your 3. MDM

Reference
4. Certificate
5. ID Group
6. SQL Attributes
7. Auth Method
8. Endpoint Profile
BRKSEC-3432
9. Location
Auth Policy Optimization For Your
Reference
ISE 2.3 Better Example!
Block 1 1. Location
2. Auth Method
Block 2 3. Endpoint Profile
4. AD Groups
Block 3
5. AD Attributes
6. ID Group
7. Certificate
Block 4
8. SQL Attributes
9. MDM
#CLMEL BRKSEC-3699
For Your
Reference
ISE 2.4+ Auth Policy Scale
• Max Policy Sets = 200

(up from 100 in 2.2)
• Max Authentication Rules = 1000

• Max Authorization Rules = 3000

• Max Authorization Profiles = 3200

(up from 1000 in 2.2)
Custom User Attributes For Your
Reference
New Attribute Types in ISE 2.2 include IP / Boolean / Date
Administration > Identity Management > Settings
Dynamic Variable Substitution For Your
Reference
Rule Reduction • Match conditions to unique values stored per-
User/Endpoint in internal or external ID stores (AD,
• Authorization Policy Conditions LDAP, SQL, etc)
• ISE supports custom User and Endpoint attributes
• Authorization Profile Conditions ID Store Attribute
Dynamic Variable Substitution - Example For Your
Reference
Define Custom User Attributes
Dynamic Variable Substitution - Example For Your
Reference
Populate Internal / External User External User:
AD / LDAP / SQL / OTP
Internal User:
Update via Import
or ERS API
Dynamic DACLs in Authorization Profile For Your
Reference
Per-User Policy in 1 rule
1. Populate attribute in
internal or external ID
store.
2. Reference attribute in
Authorization Profile
under dACL
Internal User example

External User example #CLMEL BRKSEC-3432 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 150
Dynamic VLANs in Authorization Profile For Your
Reference
Per-User/Endpoint Policy in Single Authorization Rule
• Set VLAN number

of name in unique
attribute in local or Dynamic attributes not currently supported under Common
external ID store. Tasks, so must use Advanced Attr. Settings
• Ex: AD1:postalcode
• VLAN value will be
retrieved and
replaced with
variable name:
Actual value will be based on lookup in AD1

for authenticated user ID.
Enable EAP-Fast Session Resume For Your
Reference
Major performance boost, but not complete auth so avoid excessive timeout value
Cache TLS Session Note: Both Server

and Client must be
configured for
Session Resume
PAC = Protected Authentication Credential

PACs used to establish Phase One TLS tunnel without certs.
Enable EAP Session Resume / Fast Reconnect
Major performance boost, but not complete auth so avoid excessive timeout value
For Your
Reference
Cache TLS (TLS Handshake Only/Skip Cert)

Cache TLS session
Note: Both Server
and Client must be
configured for Fast
Reconnect
Win 7 Supplicant
Skip inner method
#CLMEL
BRKSEC-3432
For Your
Reference
Stateless Session Resume for EAP-TLS
• EAP-TLS Session resumption allows the reuse of a recently valid TLS session ticket - improving performance
for clients making multiple requests. This improves performance from the clients’ perspective, because it
eliminates the need for a new (and time-consuming) TLS handshake to be conducted each time a request is
made.
• Cisco ISE supports session ticket extension as described in RFC 5077
• When Stateless resume is enabled in ISE it allows EAP-TLS session resumption without requiring the session
state to be stored at the server
• Cisco ISE creates a ticket and sends it to an EAP-TLS client. The client presents the ticket to ISE to resume a
session
• When a user reconnects within the configured EAP-TLS session timeout period, ISE resumes the EAP-TLS
session and reauthenticates the user with TLS handshake only, without a certificate check.
• The Stateless session resumption is supported in the distributed deployment, so that a session ticket issued
by one node is accepted by another node.
ISE Stateless Session Resume For Your
Reference
Allows Session Resume Across All PSNs
• Session ticket extension per RFC 5077
[Transport Layer Security (TLS) Session Resumption without Server-Side State]
• ISE issues TLS client a session ticket that can be presented to any PSN to shortcut
reauth process (Default = Disabled)
Allows resume with
Load Balancers
Time until session

ticket expires
Policy > Policy Elements > Results > Authentication > Allowed Protocols
ISE 2.2 Stateless Session Resume For Your
Reference
Master Key Generation Period
• Master Key Generation Period = Time until new master key is regenerated.
Cancel all
previously
generated
master keys
and tickets
OTP Token Caching For Your
Reference
Password Caching for RSA SecureID and RADIUS Token Servers
• Allows re-use of
passcode for
specified interval.
• Per-PSN cache
—not replicated
across PSNs.
• Cache entry
deleted if pass-
word mismatch
• RFC 5077 Session Ticket Extension
supported
Administration > Identity Management > External Identity Stores
Machine Access Restrictions (MAR) Review For Your
Reference
Couples Machine + User Authentication
• MAR caches a Machine Authentication via Calling-Station-ID (MAC Address)

• User can be required to have existing cache entry to pass authorization.
• Susceptible to sync issues, especially if cache expires, requiring client restart
AD > Advance Settings
MAR Cache Persistence and Distribution For Your
Reference
Save MAR Cache After PSN Restart / Synchronize Cache Across PSNs
Administration > System > Deployment
• ISE 2.1 added MAR Cache

Persistence
➠ Store cache & persist
after node restart
• ISE 2.3 adds MAR
Cache Distribution
➠ Replicate cache across all
PSNs in same node group
• Configurable per-
Node Group
Session Agenda
AD and LDAP You Are Here

TACACS+ Design and

Profiling, TACACS+


Sizing Deployments
Scaling AD and LDAP
Integration
Scaling AD Integration w/ Sites & Services
How do I ensure Local PSN is connecting to Local AD controller?
Without Site & Services Properly Configured
Which AD
server should I
connect to?
I will connect
Which AD with local AD
server should I server X!
AD ‘X’
connect to?
AD ‘X’
Site ‘X’ Site ‘X’

Site ‘Y’ Site ‘Y’
I will connect
AD ‘Y’ with local AD AD ‘Y’
server Y
AD Sites and Services For Your
Reference
Links AD Domain Controllers to ISE Servers Based on IP Address
DNS and DC Locator Service work

together to return list of “closest”
Domain Controllers based on client
Site (IP address)
Multi–Forest Active Directory Support For Your
Reference
Scales AD Integration through Multiple Join Points and Optimized Lookups
✓ Join up to 50 Forests or Domains without mutual trusts
✓ No need for 2-way trust relationship between domains
✓ Advanced algorithms for dealing with identical ISE

usernames
✓ SID-Based Group Mapping
✓ PAP via MS-RPC
✓ Support for disjointed DNS namespace
domain-1.com domain-2.com domain-n.com

AD Authentication Flow
For Your
Identity Reference
Scope AD
Rewrite
AuthC (Optional) Instance (Optional)
Policy to
AD Domain List Target AD
(Optional)
AD Authentication Flow
For Your
Reference
Identity
Scope AD
Rewrite
AuthC (Optional) Instance (Optional)
Policy to
AD Domain List Target AD
(Optional)
Authentication Domains (Whitelisting) For Your
Reference
• “Whitelist” only the domains

of interest—those used for
authentication!
• In this example, the join point
can see many trusted
domains but we only care
about r1.dom
Enable r1.dom
And disable the rest
Authentication Domains – Unusable Domains
For Your
• Domains that are unusable, e.g. 1-way trusts, are hidden automatically Reference
• There’s an option to reveal these and see the reason
Run the AD Diagnostic Tool For Your
Reference
Check AD Joins at Install & Periodically to Verify Potential AD Connectivity Issues
• The DNS SRV errors can actually mean something else

• The response was too big…and retried with TCP, etc.
• A sniffer can confirm
• AD Sites or DNS configuration changes are required to get that optimized
AD Background Diagnostics
Schedule Periodic Testing to Verify AD Connectivity and Health
▪ AD diagnostic tests run in the background without interrupting user auth

▪ Scheduled to daily at 00:00, by default
▪ Alarm is fired if test fails
For Your
Reference
For Your
Reference
Validating DNS from ISE node CLI
• Checking SRV records for Global Controllers (GC)

psn/admin# nslookup _ldap._tcp.gc._msdcs.myADdomainName querytype SRV
• Checking SRV records for Domain Controllers (DC)

psn/admin# nslookup _ldap._tcp.dc._msdcs.myADdomainName querytype SRV
• More details on Microsoft AD DNS queries:

https://technet.microsoft.com/en-us/library/cc959323.aspx
Enhanced AD Domain Controller Management and Failover
Preferred DC Based on Scoring System
+27 +32
+11 +6
-30 -25
PAN MnT PAN MnT PSN PSN PAN MnT PAN M
PSN PSN PSN PSN PSN

PSN PSN PSN P
+67 X
Preference given to PAN MnT P
Lowest Score (scale PSN PSN
-100/+100) PSN
PSN PSN P
PSN PSN
X +58
PSN PSN
For Your
Reference #CLMEL BRKSEC-3432
ISE 2.4 DC Selection and Failover For Your
Reference
DC Scoring System Determines Priority List
• Scoring Rules
• DC with lowest score preferred
• Score range: -100 / +100
Scores and Scoring Events only
• System error: score +25
viewable in debug logs
• Timeout: score +10
• Slow CLDAP ping: score +1
• Successful CLDAP ping: score -1
• DC failover:
➢ Collect DCs that respond CLDAP ping during the limited time period after the first DC answered: first DC answer time +
200ms. All responded DCs will be stored and assigned an initial score or updated an existing score.
➢ If the DC site is different than the client site, run the per-site DNS query and repeat the DC discovery process as above.
➢ Select a DC with minimal score from the list of responded DCs
Per-PSN LDAP Servers For Your
Reference
• Assign unique
Primary and
Secondary to
each PSN
• Allows each PSN

to use local or
regional LDAP
Servers
Load Balancing For Your
Reference
LDAP Servers
Lookup1
Lookup2 = ldap.company.com
Response = 10.1.95.7
10.1.95.6
10.1.95.5
15 minute reconnect timer
ldap1.company.com
LDAP Query to 10.1.95.7
10.1.95.6
10.1.95.6
10.1.95.6
LDAP Response from 10.1.95.7
ldap2.company.com
PSN
10.1.95.7
ldap3.company.com
BRKSEC-2132 What’s new in ISE Active
AD Integration Best Practices Directory Connector
(CiscoLive.com/online) -Chris Murray
• DNS servers in ISE nodes must have all relevant AD records (A, PTR, SRV)
• Ensure NTP configured for all ISE nodes and AD servers
• Configure AD Sites and Services

(with ISE machine accounts configured for relevant Sites)
• Configure Authentication Domains (Whitelist domains used)
• Use UPN/fully qualified usernames when possible to expedite use lookups For Your
Reference
• Use AD indexed attributes* when possible to expedite attribute lookups
• Run Scheduled Diagnostics from ISE Admin interface to check for issues.
*Microsoft AD Indexed Attributes:

http://msdn.microsoft.com/en-us/library/ms675095%28v=vs.85%29.aspx
http://technet.microsoft.com/en-gb/library/aa995762%28v=exchg.65%29.aspx
Scaling Passive Identity and
Easy Connect
Session Agenda
AD and LDAP You Are Here

TACACS+ Design and

Profiling, TACACS+


Sizing Deployments
Passive Identity / Easy Connect Architecture For Your
Reference
ISE 2.2 supports up to 100 AD MnT Standby

Domain Controllers MnT
WMI
PSN PSN AD Logins

MnT Active
MnT
Publish Session
AD Logins Topic to pxGrid
PSN
SXP PXG
Wired Switch RADIUS AAA CoA

User: jsmith
IP: 1.2.3.4 pxGrid Controller
Update SXP peers with
11:22:33:44:55:66 SGT mappings from
RADIUS + EZC
Cisco ASA
Easy Connect For Your
Reference
MAC IP
ISE Session Directory
Uname Profile Method Source SGT
Consuming Both AD and RADIUS Logins Identity
1.2.3.4 chyps
Mapping
Windows Event log
Identity
2.3.4.5 imbashir
IP Address Username Mapping
1.2.3.4 chyps 22:33:44:5 Samsung

3.4.5.6 hslai dot1x RADIUS 10
5:66:77 Galaxy
2.3.4.5 imbashir
33:44:55:6
5.6.7.8 zsariedd Apple-iPad mab RADIUS 20
6:77:88
44:55:66:7 Apple-
6.7.8.9 awoland dot1x RADIUS 10
7:88:99 anything
AD Logins WMI
AD Logins
PSN MnT
IdMap RADIUS Logins
SXP
Publish Session
Update SXP peers Topic to pxGrid
with SGT mappings
from RADIUS PXG
Cisco ASA
Easy Connect Enforcement MAC IP
ISE Session Directory
Uname Profile Method Source SGT
Merging RADIUS and AD Login Identity 00:11:22:3 Windows7- Dot1x Identity
Id Map-
1.2.3.4 chyps 10
3:44:55 WS +PsvID Mapping
RADIUS
• Merge active RADIUS Windows Event log 11:22:33:4 Windows 10 MAB Id Map-
Identity
2.3.4.5 imbashir 30
IP Address Username 4:55:66 +PsvID RADIUS
Mapping
Identity with passive AD Identity
1.2.3.4 chyps 22:33:44:5 Samsung
3.4.5.6 hslai dot1x RADIUS 10
5:66:77 Galaxy
• AuthZ = RADIUS + PassiveID 2.3.4.5 imbashir
33:44:55:6
5.6.7.8 zsariedd Apple-iPad mab RADIUS 20
6:77:88
44:55:66:7 Apple-
6.7.8.9 awoland dot1x RADIUS 10
7:88:99 anything
Calling ID: 00:11:22:33:44:55

Framed IP: 1.2.3.4
00:11:22:33:44:55
AD Logins WMI
AD Logins
PSN MnT
IdMap RADIUS Logins
SXP
11:22:33:44:55:66 Wired Switch RADIUS AAA CoA Internal CoA +

Authentication/A Identity Publish Session
uthorization Update SXP peers with SGT Topic to pxGrid
mappings from RADIUS +
For Your Calling ID: 11:22:33:44:55:66 PassiveID PXG
Reference Framed IP: 2.3.4.5
Cisco ASA
Policy > Policy Elements > Authorization > Authorization Profiles
PassiveID/EZC
Scaling Summary
Candidates for CoA based on
• Limit Passive Identity Passive/Active Session Merge
Service to 2 PSN nodes
(dedicated) for WMI
• Limit tracking to ISE sessions where
require update to authorization based on Administration > PassiveID > Mapping Filters
PassiveID
• Filter out login events not used
for PassiveID
• Limit DCs to those where AD logins used
for PassiveID SRV*
• Use AD event log forwarding to acquire
logs for other DCs
Google “windows event forwarding”

Log Forwarding to Increase Scale
DC3
DC1
Monitored DC2
Monitored DC5
PSN Member
(Psv ID) Server with
PIC Agent
DC4
DC6
https://blogs.technet.microsoft.com/wincat/2008/08/11/quick-
and-dirty-large-scale-eventing-for-windows
ISE 2.2 Passive ID and Easy Connect Multi-Service Scaling For Your
Reference
Max Concurrent Passive ID/Easy Connect Sessions by Deployment and Platform
Max # Max RADIUS Max Merged/EZC
Max Passive
Scaling per Deployment Model Platform Dedicated Sessions per Sessions (subset of
ID Sessions
PSNs Deployment RADIUS/Psv ID)
3415 0 5,000 50,000 500
Standalone:
3495 0 7,500 100,000 1,000
All personas on same node
(2 nodes redundant) 3515 0 10,000 100,000 1,000
3595 0 20,000 300,000 2,000
3415 as PAN+MNT 5/3+2 5,000 50,000 500 / 2,500
Hybrid: PAN+MnT on same node and
3495 as PAN+MNT 5/3+2 10,000 100,000 1,000 / 5,000
Dedicated PSNs
3515 as PAN+MNT 5/3+2 7,500 100,000 1,000 / 5,000
(Minimum 4 nodes redundant)
3595 as PAN+MNT 5/3+2 20,000 300,000 2,000 / 10,000
Dedicated PAN and MnT nodes 3495 as PAN and MNT 38 + 2 250,000 100,000 25,000
(Minimum 6 nodes redundant) 3595 as PAN and MNT 48 + 2 500,000 300,000 50,000
Max RADIUS Max Merged/EZC
Scaling per PSN Platform Sessions Max Passive Sessions
per PSN ID Sessions per PSN
SNS-3415 Dedicated 5,000 50,000 10,000
Dedicated Policy nodes
SNS-3495 PSNs 20,000 100,000 25,000
(Max Sessions Gated by Total
Deployment Size) SNS-3515 (2 for HA) 7,500 100,000 15,000
SNS-3595 40,000 300,000 50,000
Shared PSNs (up to 5) OR PSNs dedicated to RADIUS
#CLMEL (up to 3) and Passive
BRKSEC-3432 © 2019ID
CiscoService (2Allfor
and/or its affiliates. HA) Cisco Public
rights reserved. 184
ISE 2.4 Passive ID & Easy Connect Multi-Service Scaling
Max Passive
Deployment Model Platform Dedicated Sessions per Sessions (subset of
ID Sessions
Stand- All personas on 3515 0 7,500 100,000 1,000
alone same node 3595 0 20,000 300,000 2,000
PAN+MnT+PXG on 3515 as PAN+MNT 5/3+2 7,500 100,000 1,000 / 5,000
Hybrid same node;
Dedicated PSN 3595 as PAN + MNT 5/3+2 20,000 500,000 2,000 / 10,000
Each Persona on 3515 as PAN and MNT 48 + 2 500,000 500,000 500,000
Dedicated
Dedicated Node 3595 as PAN and Large MnT 48 + 2 500,000 1M 500,000
Shared PSNs (up to 5) OR PSNs dedicated to RADIUS (up to 3) Number of PSNs dedicated to Passive Identity
and Passive ID Service (2 for redundancy) (Minimum 2 for HA)
• By PSN Max RADIUS per Max Passive Max Merged/EZC

Scaling per PSN Platform
PSN ID per PSN
Dedicated Policy nodes SNS-3515 7,500 100,000 10,000
Deployment Size) SNS-3595 40,000 300,000 50,000
ISE 2.6 Passive ID & Easy Connect Multi-Service Scaling
Max Passive
Deployment Model Platform Dedicated Sessions per Sessions (subset of
ID Sessions
3615 0 10,000 100,000 1,000
alone same node 3655 0 25,000 300,000 2,000
3695 0 50,000 300,000 2,000
PAN+MnT+PXG on 3615 as PAN+MNT 5/3+2 10,000 100,000 1,000 / 5,000
Hybrid same node; 3655 as PAN + MNT 5/3+2 25,000 500,000 2,000 / 10,000
Dedicated PSN
3695 as PAN+MNT 5/3+2 50,000 500,000 2,000 / 10,000
Each Persona on 3655 as PAN and MNT 48 + 2 500,000 500,000 500,000
Dedicated
Dedicated Node 3695 as PAN and MnT 48 + 2 500,000 (2M) 2M 500,000
Shared PSNs (up to 5) OR PSNs dedicated to RADIUS (up to 3) Number of PSNs dedicated to Passive Identity
and Passive ID Service (2 for redundancy) (Minimum 2 for HA)
• By PSN Max RADIUS per Max Passive Max Merged/EZC
PSN ID per PSN
Dedicated Policy nodes SNS-3615 10,000 100,000 10,000
(Max Sessions Gated by Total SNS-3655 50,000 500,000 50,000
Deployment Size) SNS-3695 100,000 2M 50,000
pxGrid v1 Multi-Service Scaling
ISE 2.2+ Max pxGrid Operations by Deployment Model and Platform
Max RADIUS Max pxGrid
Max ded. Max ded.
Scaling per Deployment Model Platform Sessions Subscribers
PSNs pxGrid
per Deployment per Deployment
Standalone: 3515/3615 0 0 7,500/10,000 2
All personas on same node 3595/3655 0 0 20,000/25,000 2
(2 nodes redundant) 3695 0 0 50,000 2
3515/3615 as
Hybrid: PAN+MnT+PXG on same
PAN+MNT+PXG 5/3 0/2 7,500/10,000 5 / 15
node and dedicated PSNs -OR-
3595/3655 as
PAN+MnT and ded. PSN & PXG
PAN+MNT+PXG 5/3 0/2 20,000/25,000 5 / 15
(Minimum 4 nodes redundant)
3595 as PAN+MNT+PXG 5/3 0/2 50,000 5 / 15
All personas on Dedicated nodes 3595 as PAN and MNT 50 2 500,000 25
(Minimum 6 nodes redundant) 3695 as PAN and MNT 50 2 500,000 (2M) 25
Max RADIUS Max Subscribers

Scaling per PXG Node Platform
per PSN per PXG
Dedicated pxGrid nodes SNS-3515/3615 7,500/10,000 15
(Max Publish Rate Gated by Total SNS-3595/3655 40,000/50,000 25
Deployment Size) SNS-3695 100,000 25
Dedicated PSNs (up to 5) when pxGrid on PAN+MNT OR Split PSNs

#CLMEL
(up to 3)©and
BRKSEC-3432
pxGrid (up to 2 for HA)
2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 187
pxGrid v2 Multi-Service Scaling
ISE 2.4+ Max pxGrid Operations by Deployment Model and Platform
Max Max Max RADIUS Max pxGrid
Deployment Model Platform dedicated dedicated Sessions Subscribers
PSNs pxGrid per Deployment per Deployment
3515/3615 0 0 7,500/10,000 20
Stand- All personas on 3595/3655 0 0 20,000/25,000 30
alone same node
3695 0 0 50,000 30
PAN+MnT+PXG on 35/3615 as PAN+MNT+PXG 5/3 0/2 7,500/10,000 140 / 400
Hybrid same node; 3595/3655 5/3 0/2 20,000/25,000 160 / 600
Dedicated PSN 3695 5/2 0/3 50,000 160 / 600
Each Persona on 3595/3655 as PAN and MNT 50 4 500,000 800 (200 each)
Dedicated
• By Node
Dedicated Node 3695 as PAN and MnT 50 4 500,000 (2M) 800 (200 each)
Dedicated PSNs (up to 5) when pxGrid on PAN+MNT * ISE 2.3 introduced pxGrid v2.0 based on WebSockets
OR Split 5 nodes between dedicated PSNs and pxGrid
Max RADIUS Max Subscribers
Scaling per pxGrid Node Platform
per PSN per PXG
Dedicated pxGrid nodes SNS-3515/3615 7,500/10,000 200
(Max Publish Rate Gated by SNS-3595/3655 40,000/50,000 200
Deployment Size) SNS-3695 100,000 200
ISE 2.2 Passive Identity Feature Overview For Your
Reference
Broker for IP-User/Group Mappings for Cisco Consumers

?
• Collect Passive ID via multiple sources pxGrid Pub/Sub Bus
• Share out via pxGrid Output
ISE or PIC
Input to ISE-PIC / ISE

Kerberos ISE-PIC Endpoint
WMI
SPAN Syslog REST API
Agent Probe
Same Still
Custom User? There?
AD AD AD AD Apps
AD AD
Almost#CLMEL
Anything
BRKSEC-3432 © 2019
© 2019 Cisco
Cisco and/or
rightsreserved.
reserved. Cisco
CiscoPublic
Public 189
ISE-PIC (Passive Identity Connector) Scaling
Max Passive ID Sessions and pxGrid Subscribers by Virtual Platform 35xx 2.4 & 36xx 2.6
Max # Max RADIUS Max Passive ID Max pxGrid
ISE-PIC Deployment • ISE-PIC currently
Appliances Sessions Sessions Subscribers
delivered as virtual
35/615 Virtual Appliance 1 (2 for HA) 0 100,000 20 appliance only
3595/3655 1 (2 for HA) 0 300k/500k 20
3695 Virtual Appliance 1 (2 for HA) 0 2M 20 • Sizing based on
SNS-3515/3595
35xx/36xx specifications
ISE Passive ID / ISE-PIC
Virtual Appliance
Max AD Forest/Domain Join Points (user/group queries) 50
Max AD Domain Controllers supported via WMI or ISE AD Agent 100
Max AD Agents (assuming 1:1 agent to DC) 100
Recommended # DCs per Agent (agent on DC) 1 Passive ID scale
Recommended # DCs per Agent (agent on member server) 10 applies to BOTH
Recommended # PSNs enabled for WMI (Passive ID service) 2 ISE 2.6 and ISE-
Max REST API Providers 50 PIC
Max REST API EPS 1,000
Max Syslog Providers 70
Max Syslog EPS 400
Max Endpoints Probed per Interval 100,000
Session Agenda
Guest and WebAuth You Are Here

TACACS+ Design and

Profiling, TACACS+


Sizing Deployments
Scaling Guest and
Web Authentication
Services
192
Scaling Global Sponsor / MyDevices DNS SERVER: DOMAIN =
COMPANY.COM
Global Load Balancers / “Smart DNS” Example SPONSOR 10.1.0.100

10.2.0.100
10.3.0.100
Global LB MYDEVICES 10.1.0.100
10.2.0.100
10.3.0.100
ISE-PSN-1 10.1.1.1
ISE-PSN-2 10.1.1.2
ISE-PSN-3 10.1.1.3
ISE-PSN-4 10.2.1.4
ISE-PSN-5 10.2.1.5
ISE-PSN-6 10.2.1.6
ISE-PSN-7 10.3.1.7
Local LB
Local LB ISE-PSN-8 10.3.1.8
10.1.0.100 ISE-PSN-9 10.3.1.9
For Your 10.2.0.100
Reference
Use Global Load Balancing / intelligent DNS to direct traffic to closest VIP.
Local Web Load-balancing distributes request to single PSN.
Local LB
Load Balancing simplifies and scales ISE Web Portal Services
#CLMEL BRKSEC-3432
10.3.0.100
Activity Time !
Scaling Global Sponsor / MyDevices DNS SERVER: DOMAIN =
COMPANY.COM
Anycast Example SPONSOR 10.1.0.100

MYDEVICES 10.1.0.101
DNS Servers ISE-PSN-1 10.1.1.1
ISE-PSN-2 10.1.1.2
ISE-PSN-3 10.1.1.3
ISE-PSN-4 10.2.1.4
ISE-PSN-5 10.2.1.5
ISE-PSN-6 10.2.1.6
ISE-PSN-7 10.3.1.7
ISE-PSN-8 10.3.1.8
ISE-PSN-9 10.3.1.9
10.1.0.100
10.1.0.100
Use Global Load Balancer or Anycast (example shown) to direct

traffic to closest VIP. Web Load-balancing distributes request to
single PSN. 10.1.0.100
Load Balancing also helps to scale Web Portal Services
Scaling Guest Authentications Using 802.1X
“Activated Guest” allows guest accounts to be used without ISE web auth portal
• Guests auth with 802.1X using EAP methods like PEAP-MSCHAPv2 / EAP-GTC
• 802.1X auth performance generally much higher than web auth
Warning:
Watch for
expired guest
accounts, else
high # auth
failures !
Note: AUP and Password Change cannot be enforced since guest bypasses portal flow.
Scaling Web Auth
“Remember Me” Guest Flows
• User logs in to Hotspot/CWA portal and MAC address auto-registered into
GuestEndpoint group
• AuthZ Policy for GuestEndpoints ID Group grants access until device purged
ISE 2.4 see Work Centers > Guest Access > Settings > Logging
reporting
communit
y post
Automated Device Registration and Purge For Your
Reference
• Web Authenticated users can be auto-registered

and endpoints auto-purged.
• Allows re-auth to be reduced to one day,
multiple days, weeks, etc.
• Improves Web Scaling and User Experience
Endpoint Purging For Your
Reference
Matching Conditions
Purge by:
▪ # Days After
Creation
▪ # Days Inactive
▪ Specified Date
#CLMEL BRKSEC-3432 © 2019

© 2019 Cisco
Cisco and/or
rightsreserved.
reserved. Cisco
CiscoPublic
Public 199
Endpoint Purging Examples For Your
Reference
Matching Conditions
Purge by:
▪ # Days After
Creation
▪ # Days Inactive
▪ Specified Date
On Demand Purge #CLMEL BRKSEC-3432 © 2019

© 2019 Cisco
Cisco and/or
rightsreserved.
reserved. Cisco
CiscoPublic
Public 200
Session Agenda
Compliance Services: Posture and MDM You Are Here

TACACS+ Design and

Profiling, TACACS+


Sizing Deployments
Scaling Posture & MDM
202
ISE 2.6 Lightweight Session Directory
User device session information shared across the deployment
• Avoids using MnT or PAN nodes as a
single point of truth or failure.
• LSD stores a light session information
and replicates it across the
deployment using RabbitMQ
• Allows future Infrastructure
development for WAN survivability –
PAN/MnT unreachable
ISE Architecture before LSD (2.6)
Session exists in local PSN and MnT node
• Services including posture, profiling
require frequent sessions information
from MnT > PSN
• MnT Overload & performance
degradation
• Delays (System Responsiveness)
• Limited Scale
ISE Architecture on LSD (2.6)
Session exists in local PSN and MnT node
• Each new session data propagated to all PSNs using Rabbit MQ
• Sessions data cached locally via Redis DB
• Full-Mesh Routing Message Bus
• No bottlenecks, one hop delivery, truly distributed, persona agnostic
Posture Lease
Once Compliant, user may leave/reconnect multiple times before re-posture
MDM Scalability and Survivability
What Happens When the MDM Server is Unreachable?
• Scalability ≈ 30 Calls per second per PSN.

• Cloud-Based deployment typically built for scale and redundancy
• For cloud-based solutions, Internet bandwidth and latency must be considered.
• Premise-Based deployment may leverage load balancing
• ISE 1.4+ supports multiple MDM servers – could be same or different vendors.
• Authorization permissions can be set based on MDM connectivity status:

• MDM:MDMServerReachable Equals UnReachable
MDM:MDMServerReachable Equals Reachable
• All attributes retrieved & reachability determined by single API call on each new session.
ISE 2.4 adds support for managing MDM
Scaling MDM Attributes via ERS API
Prepopulate MDM Enrollment and/or Compliance via ERS API
<groupId>groupId</groupId>
<identityStore>identityStore</identityStore>
<identityStoreId>identityStoreId</identityStoreId>
<customAttributes>
<mac>00:01:02:03:04:05</mac>
<customAttributes>
<mdmComplianceStatus>false</mdmComplianceStatus> <entry>
<mdmEncrypted>false</mdmEncrypted> <key>MDM_Registered</key>
<mdmEnrolled>true</mdmEnrolled> <value>true</value>
<mdmIMEI>IMEI</mdmIMEI> </entry>
<mdmJailBroken>false</mdmJailBroken> <entry>
<mdmManufacturer>Apple Inc.</mdmManufacturer> <key>MDM_Compliance</key>
<mdmModel>iPad</mdmModel> <value>false</value>
<mdmOS>iOS</mdmOS> </entry>
<mdmPhoneNumber>Phone Number</mdmPhoneNumber> <entry>
<mdmPinlock>true</mdmPinlock> <key>Attribute_XYZ</key>
<mdmReachable>true</mdmReachable> <value>Value_XYZ</value>
<mdmSerial>AB23D0E45BC01</mdmSerial> </entry>
<mdmServerName>AirWatch</mdmServerName>
</customAttributes>
<portalUser>portalUser</portalUser>
</customAttributes>
<profileId>profileId</profileId>
<staticGroupAssignment>true</staticGroupAssignment>
<staticProfileAssignment>false</staticProfileAssignment>
TACACS+ Scaling
Session Agenda
Compliance Services: Posture and MDM You Are Here

TACACS+ Design and

Profiling, TACACS+


Sizing Deployments
Design #1 – RADIUS & TACACS+ Share PSNs
For Your
Reference
ISE Deployment
PSN-1
PAN
MNT
PSN-2
RAD
RADIUS & T+
T+
Design #2 – RADIUS & T+ Use Dedicated PSNs
For Your
Reference
ISE Deployment
PSN-1
PSN-3
PSN-5
PAN
PSN-2 MNT
PSN-4
PSN-6
RAD RADIUS Only

T+ TACACS+ Only
#2 Option – Separate Services in Steady State…
For Your
Reference
ISE Deployment
PSN-1
PAN
MNT
PSN-2
RAD
RADIUS & T+
T+
Design #3 – Separate Deployments for RAD & T+
For Your Dev Admin Only
Reference
PSN-1
PSN-3 MNT
PSN-5
PAN
RADIUS Only
PSN-2
PSN-4 MNT
PSN-6
RAD RADIUS Only PAN
T+ TACACS+ Only
…Fallback to other Service Node on Failure For Your
Reference
ISE Deployment
PSN-1
PAN
MNT
PSN-2
RAD
RADIUS & T+
T+
Options for Deploying Device Admin
https://community.cisco.com/t5/security-documents/ise-tacacs-deployment-amp-sizing-guidance/ta-p/3612253
Separate Deployment Separate PSNs Mixed PSNs

Priorities according to Policy and
Business Goals
RADIUS TACACS RADIUS TACACS RADIUS/ TACACS
Separation of Yes: Specialization for TACACS+

Configuration/
Duty No: Shared resources/Reduced $$
Independent Yes: Scale as needed/No impact on Device

Scaling of Admin from RADIUS services
Services
No: Avoid underutilized PSNs
Suitable for Yes: Services dedicated to TACACS+

high-volume
Device Admin No: Focus on “human” device admins
Separation of Yes: Optimize log retention VM

Logging Store
No: Centralized monitoring
RADIUS Only PSNs For Your
Reference
Administration > System > Deployment > [ISE node]
Policy Service is Required
Enable What’s Needed for

Network Access
TACACS+ Disabled
TACACS+ Only PSNs For Your
Reference
Administration > System > Deployment > [ISE node]
Policy Service is Required
Disable Network Access

Services
Device Admin = T+
TACACS+ Design For Your
Reference
3 Basic ISE Deployment Models for Device Administration
Dedicated Deployments Dedicated PSNs Integrated
PAN/MNT: RADIUS & TACACS+ PAN/MNT: RADIUS & TACACS+

Architecture
+ PSN:TACACS+ + PSN:RADIUS & TACACS+
PAN/MNT: T+ PAN/MNT: RADIUS
+ PSN:RADIUS + PSN:RADIUS & TACACS+
+ PSN:TACACS+ + PSN:RADIUS
+ PSN:TACACS+ + PSN:RADIUS & TACACS+
+ PSN:TACACS+ + PSN:RADIUS
+ PSN:RADIUS … + PSN:RADIUS & TACACS+
• Per-PSN utilization may be low for a • Potential need for cross-department admin access
• Separate ISE deployments to maintain
dedicated function depending on the organization
Cons • Cost of additional PAN and MNT nodes
• May need additional PSNs for • Load from Network Access may impact Device
for the second deployment
distributed coverage Administration services and vice versa
• Centralized policy & monitoring for all • Centralized policy & monitoring for all AAA
• Complete separation of policy &
AAA • Same configuration for all PSNs
Pros operations for Device Administration
• Scale Device Admin independently • Scale all AAA needs incrementally by adding a PSN
and Network Access
from Network Access as needed when or where needed
Whether you dedicate a separate instance for TACACS+ is more of a security and operational policy decision. If separated in ACS today,
then continue doing so if that model serves you well. If you wish to combine both TACACS+ Device Administration and RADIUS into
same deployment, then dedicating nodes to TACACS+ service may be the best option for a large organization to prevent user services
from impacting device admin services and vice versa.
ISE 2.3 TACACS+ Scaling (RADIUS and T+) For Your
Reference
Max Concurrent TACACS+ TPS by Deployment Model and Platform
Max # Dedicated Max RADIUS Sessions per Max TACACS+
PSNs Deployment TPS
3415 0 5,000 50
All personas on same
Stand- 3495 0 10,000 50
node
alone 3515 0 7,500 50
(2 nodes redundant)
3595 0 20,000 50
PAN + MnT on same node; 3415 as PAN+MNT * 5 / 3+2 5,000 100 / 500
Dedicated PSN 3495 as PAN+MNT * 5 / 3+2 10,000 100 / 1,000
Hybrid
(Minimum 4 nodes 3515 as PAN+MNT * 5 / 3+2 7,500 100 / 1,000
redundant) 3595 as PAN+MNT * 5 / 3+2 20,000 100 / 1,500
Each persona dedicated 3495 as PAN and MNT * 40 / 38+2 250,000 1,000 / 2,000
Dedicated
(Min 6 nodes redundant) 3595 as PAN and MNT * 50 / 48+2 500,000 1,000 / 3,000
Max RADIUS Sessions per Max TACACS+
PSN TPS per PSN
SNS-3415 5,000 500
SNS-3495 20,000 1,000
(Max Sessions Gated by Deployment
Maximums) SNS-3515 7,500 1,000
SNS-3595 40,000 1,500
* Device Admin service enabled on same PSNs also used for RADIUS OR Split RADIUS and T+ PSNs
ISE 2.4 TACACS+ Multi-Service Scaling (RADIUS and T+)
Max Concurrent RADIUS + TACACS+ TPS by Deployment Model and Platform
• By Deployment
Max # Dedicated Max RADIUS Sessions Max TACACS+ TPS per
PSNs per Deployment Deployment
Standa- All personas on 3515 0 7,500 100
alone same node 3595 0 20,000 100
PAN+MnT+PXG 3515 as PAN+MNT * 5 / 3+2 7,500 250 / 2,000
Hybrid on same node;
Each Persona on 3595 as PAN and MNT * 50 / 47+3 500,000 2,500 / 4,000
Dedicated
Dedicated Node 3595 as PAN and Large MNT * 50 / 47+3 500,000 2,500 / 6,000
• By PSN Each dedicated T+ PSN node reduces dedicated RADIUS PSN count by 1
Max RADIUS Sessions Max TACACS+ TPS per
per PSN PSN
Dedicated Policy nodes SNS-3515 7,500 2,000
Deployment Size) SNS-3595 40,000 3,000
ISE 2.6 TACACS+ Multi-Service Scaling (RADIUS and T+)
Max Concurrent RADIUS + TACACS+ TPS by Deployment Model and Platform
3615 0 10,000 100
Standa- All personas on
3655 0 25.000 100
alone same node
3695 0 50,000 100
PAN+MnT+PXG 3655 as PAN+MNT * 5 / 3+2 25,000 250 / 3,000
Hybrid on same node;
Each Persona on 3655 as PAN and MNT * 50 / 47+3 500,000 2,500 / 6,000
Dedicated
Dedicated Node 3595 as PAN and MNT * 50 / 47+3 500,000 (2M) 2,500 / 6,000
Each dedicated T+ PSN node reduces dedicated RADIUS PSN count by 1
per PSN PSN
SNS-3615 10,000 2,000
(Max Sessions Gated by Total SNS-3655 50,000 3,000
Deployment Size)
SNS-3695 100,000 3,000
ISE 2.3 TACACS+ Scaling (TACACS+ Only)
3415 0 N/A 500
All personas on same
Stand- 3495 0 N/A 1,000
node
alone 3515 0 N/A 1,000
(2 nodes redundant)
3595 0 N/A 1,500
PAN + MnT on same 3415 as PAN+MNT * 5 (2 rec.) N/A 2,500 (1,000)
node; Dedicated PSN 3495 as PAN+MNT * 5 (2 rec.) N/A 5,000 (2,000)
Hybrid
(Minimum 4 nodes 3515 as PAN+MNT * 5 (2 rec.) N/A 5,000 (2,000)
redundant) 3595 as PAN+MNT * 5 (2 rec.) N/A ** 7,500 (3,000)
Each persona dedicated 3495 as PAN and MNT * 40 (2 rec.) N/A ** 20,000 (2,000)
Dedicated
(Min 6 nodes redundant) 3595 as PAN and MNT * 50 (2 rec.) N/A ** 25,000 (3,000)
per PSN PSN
SNS-3415 5,000 500
SNS-3495
** Currently 20,000 1,000
(Max Sessions Gated by Total exceeds max
Deployment Size) SNS-3515 MNT log capacity 7,500 1,000
SNS-3595 40,000 1,500
* Device Admin service can be enabled on each PSN; minimally 2 for redundancy, but 2 often sufficient.
ISE 2.4 TACACS+ Multi-Service Scaling (TACACS+ Only)
• By Deployment
Max # Dedicated Max RADIUS Sessions Max TACACS+ TPS
PSNs per Deployment per Deployment
Stand- All personas on 3515 0 N/A 1,000
alone same node 3595 0 N/A 1,500
PAN+MnT+PXG on 3515 as PAN+MNT *5/2 N/A 2,000 / 2,000
Hybrid same node; **
Dedicated PSN 3595 as PAN+MNT *5/2 N/A 3,000 / 3,000
**
Each Persona on 3595 as PAN and MNT * 50 / 4 N/A 5,000 / 5,000
Dedicated **
Dedicated Node 3595 as PAN and Large MnT * 50 / 5 N/A 10,000 / 10,000
**
* Device Admin service can be enabled on each PSN; minimally 2 for redundancy.
• By PSN ** Max log capacity for MNT

Max RADIUS Sessions per Max TACACS+ TPS per
PSN PSN
Deployment Size) SNS-3595 40,000 3,000
ISE 2.6 TACACS+ Multi-Service Scaling (TACACS+ Only)
• By Deployment
Max # Dedicated Max RADIUS Sessions Max TACACS+ TPS
PSNs per Deployment per Deployment
Stand- All personas on 3615 0 N/A 1,000
alone same node 3655/3695 0 N/A 1,500
PAN+MnT+PXG on 3615 as PAN+MNT *5/2 N/A 2,000 / 2,000
Hybrid same node; **
Dedicated PSN 3655/3695 as PAN+MNT *5/2 N/A 3,000 / 3,000
**
Each Persona on 3655 as PAN and MNT * 50 / 4 N/A 5,000 / 5,000
Dedicated **
Dedicated Node 3695 as PAN and MnT * 50 / 5 N/A 10,000 / 10,000
**
* Device Admin service can be enabled on each PSN; minimally 2 for redundancy.
• By PSN ** Max log capacity for MNT

Max RADIUS Sessions per Max TACACS+ TPS per
PSN PSN
Deployment Size) SNS-3655/3695 50,000/100,000 3,000
For Your
Reference
Other TACACS+ Scale Facts
• Max T+ Command Sets 200
(20 lines each command set)
• Max T+ Profiles 50
TACACS+ MnT Scaling
Human Versus Automated Device Administration
• Consider the “average” size syslog from TACACS+ based on following guidance:
Each TACACS+ Session Each Command Authorization (per session)
Authentication: 2kB Command authorization: 2kB
Session authorization: 2kB Command accounting : 1kB
Session accounting: 1kB
• “Human” Device Admin Example:

• For a normal “human” session we may expect to see 10 commands, so a session would be approximately: [5kB +
(10 * 3kB)) = 35kB. Suppose a maximum of 50 such sessions per admin per day from 50 admins (and few
organizations have > 50 admins)
• 50 human admins would generate < 1 TPS average, ~60k logs/day, or ~90MB/day.
• Automated/Script Device Admin Example:
• Consider a script that runs 4 times a day against 30,000 devices, (for example, to backup config on all devices).
Generally the interaction will be short, say 5 commands:
• Storage = 30,000 * 4 * [5kB + (5 * 3kB)] = ~2.4 GB/day
• Total TPS = 30k * 4 * [3 + (5 * 2)] = 1.56M logs = 18 TPS average; 1300 TPS peak.
TACACS+ Multi-Service Scaling For Your
Reference
Required TACACS+ TPS by # Admins and # NADs
Session Authentication and Command Accounting Only Command Authorization + Acctg
Accounting Only (10 Commands / Session) (10 Commands / Session)
Avg Peak Storage/ Avg Peak Storage/ Avg Peak Storage/
Logs/Day Logs/Day Logs/Day
TPS TPS day TPS TPS day TPS TPS day
# Admins Based on 50 Admin Sessions per Day
1 <1 <1 150 < 1MB <1 <1 650 1MB <1 <1 1.2k 2MB
Admin
Human Admin
5 <1 <1 750 1MB <1 <1 3.3k 4MB <1 <1 5.8k 9MB
10 <1 <1 1.5k 3MB <1 <1 6.5k 8MB <1 1 11.5k 17MB
25 <1 <1 3.8k 7MB <1 1 16.3k 19MB <1 2 28.8k 43MB
50 <1 1 7.5k 13MB <1 2 32.5k 37MB 1 4 57.5k 86MB
100 <1 1 15k 25MB 1 4 65k 73MB 2 8 115k 171MB
# NADs Based on 4 Scripted Sessions per Day
500 <1 5 6k 10MB <1 22 26k 30MB 1 38 46k 70MB
1,000 <1 10 12k 20MB 1 43 52k 60MB 1 77 92k 140MB
Script Admin
5,000 <1 50 60k 100MB 3 217 260k 300MB 5 383 460k 700MB
10,000 1 100 120k 200MB 6 433 520k 600MB 11 767 920k 1.4GB
20,000 3 200 240k 400MB 12 867 1.04M 1.2GB 21 1.5k 1.84M 2.7GB
30,000 5 300 480k 600MB 18 1.3k 1.56M 1.7GB 32 2.3k 2.76M 4.0GB
50,000 7 500 600k 1GB 30 2.2k 2.6M 2.9GB 53 3.8k 4.6M 6.7GB
Peak values based on 5-minute burst to complete each batch request.
TACACS+ Multi-Service Scaling For Your
Reference
Required TACACS+ TPS by # Admins and # NADs
Session Authentication and Command Accounting Only Command Authorization + Acctg
Accounting Only (10 Commands / Session) (10 Commands / Session)
Avg Peak Storage/ Avg Peak Storage/ Avg Peak Storage/
Logs/Day Logs/Day Logs/Day
TPS TPS day TPS TPS day TPS TPS day
# Admins Based on 50 Admin Sessions per Day
1 <1 <1 150 < 1MB <1 <1 650 1MB <1 <1 1.2k 2MB
Human Admin
5 <1 <1 750 1MB <1 <1 3.3k 4MB <1 <1 5.8k 9MB
10 <1 <1 1.5k 3MB <1 <1 6.5k 8MB <1 1 11.5k 17MB
25 <1 <1 3.8k 7MB <1 1 16.3k 19MB <1 2 28.8k 43MB
50 <1 1 7.5k 13MB <1 2 32.5k 37MB 1 4 57.5k 86MB
100 <1 1 15k 25MB 1 4 65k 73MB 2 8 115k 171MB
# NADs Based on 4 Scripted Sessions per Day
500 <1 5 6k 10MB <1 22 26k 30MB 1 38 46k 70MB
1,000 <1 10 12k 20MB 1 43 52k 60MB 1 77 92k 140MB
Admin
Script Admin
5,000 <1 50 60k 100MB 3 217 260k 300MB 5 383 460k 700MB
10,000 1 100 120k 200MB 6 433 520k 600MB 11 767 920k 1.4GB
20,000 3 200 240k 400MB 12 867 1.04M 1.2GB 21 1.5k 1.84M 2.7GB
30,000 5 300 480k 600MB 18 1.3k 1.56M 1.7GB 32 2.3k 2.76M 4.0GB
50,000 7 500 600k 1GB 30 2.2k 2.6M 2.9GB 53 3.8k 4.6M 6.7GB
Peak values based on 5-minute burst to complete each batch request.
Scaling PSNs vs Logs per day For Your
Reference
Number of PSNs Logs/day - Command Authz + Accting ( in Millions)

10
9 9.2
8
Number of PSNs
7
6.44
6
5
4.6
4
3 2.76
2
1 0.92
0
0 10 20 30 40 50 60 70 80 90 100
Logs > 5M/day Number of Network devices (in Thousands)
Note: Based on 4 TACACS+ sessions/day across Network Devices and 10 Commands/Session

TACACS+ Logs/Day vs Peak TPS For Your
Reference
Logs/day - Session Auth/Authz/Accting Logs/day - Command Acctg Logs/day - Command Authz + Accting
Peak TPS - Session Auth/Authz/Acctg Peak TPS - Command Acctg Peak TPS - Command Authz/Acctg
10 9000
9 7670 8000
8 7000
7
5369 6000
6
(millions) 5000
5 3835 4330
4000
4
3031 3000
3 2301
2165
2 2000
1299 1000
767 700
1 500 1000
433 300
100 0.6 4.6 0.84 3.64 6.44 1.2 5.2 9.2
2.6
0 0.12 0.52 0.92 0.36 1.56 0
10000 30000 50000 70000 100000
# of Network Devices (Single deployment) Log capacity > 5M logs/day
Note: Based on 4 TACACS+ sessions/day across Network devices and 10 commands/session

Enhanced Disk Allocation and Logging in ISE 2.2+ for RADIUS and TACACS+
MnT Node Log Storage Requirements for TACACS+

Days Retention Based on # Managed Network Devices and Disk Size
Total Disk Space Allocated to MnT Node For Your
Reference
200 GB 400 GB 600 GB 1024 GB 2048 GB 2400GB
100 12,583 25,166 37,749 64,425 128,850 154,016
500 2,517 5,034 7,550 12,885 25,770 30,804
1,000 1,259 2,517 3,775 6,443 12,885 15,402 Assumptions:
Total NADs
5,000 252 504 755 1,289 2,577 3081 • Script runs

10,000 126 252 378 645 1,289 1541 against all NADs
25,000 51 101 151 258 516 617 • 4 sessions/day
• 5 commands/
50,000 26 51 76 129 258 309
session
75,000 17 34 51 86 172 206
100,000 13 26 38 65 129 155
Based on 60% allocation of MnT disk to TACACS+ logging

Single Connect Mode
Scaling TACACS+ for High-Volume NADs
• Multiplexes T+ requests over single TCP connection
• All T+ requests between NAD and ISE occur over single connection rather than separate connections for
each request.
• Recommended for TACACS+ “Top Talkers”

• Note: TCP sockets locked to NADs, so limit use to NADs with highest activity.
Administration > Network Resources > Network Devices > (NAD)

Internal User Cache for T+ Authorization
Scaling TACACS+ for High-Volume Admin Users
Global Setting for Single Connect Mode

(enabled by default)
First authorization caches

1) User Name
2) User Specific Attributes (Ex: Group ID,
custom attributes)
Successive requests served from cache

Default = 0 <<Cache Disabled>>
ACS to ISE Migration For Your
Reference
https://communities.cisco.com/docs/DOC-63880
Scaling Profiling and
Database Replication
Session Agenda
Profiling & Database Replication You Are Here

TACACS+ Design and

Profiling, TACACS+


Sizing Deployments
ISE profiles based on ‘profiling policies’
The minimum ‘certainty metric’ in the profiling policy
evaluates the matching profile for an endpoint.
Certainty
Factor
DHCP Class-ID: MSFT
+10
HTTP User Agent: Windows
+10
Endpoint NMAP OS: Microsoft Windows

+10 Cisco ISE
DHCP:dhcp-class-identifier CONTAINS MSFT
DHCP:dhcp-class-identifier CONTAINS MS-UC-Client
IP:User-Agent CONTAINS Windows
NMAP:operating-system CONTAINS Microsoft Windows

Profiles Precedence
Cisco Provided Custom
Profile Profile
Existing Cisco Profile New Customer Profile

CF = 30 CF = 40
RESULT
Profiles Precedence
Cisco Provided Custom
Profile Profile
New Cisco Profile Existing Customer Profile

CF = 30 CF = 40
RESULT
Endpoint Attribute Filter and Whitelist Attributes
Reduces Data Collection and Replication to Subset of Profile-Specific Attributes
• Endpoint Attribute Filter – aka “Whitelist filter”

• Enabled by defauly, only these attributes are collected or replicated.
Work Center > Profiler > settings
• Whitelist Filter limits profile attribute collection to those required to support default
(Cisco-provided) profiles and critical RADIUS operations.
• Filter must be disabled to collect and/or replicate other attributes.
• Attributes used in custom conditions are automatically added to whitelist.
Significant Attributes For Your
Reference
When Does Database Replication Occur?
• Configuration Database (Replication on Significant Attribute change)

• Managed by Primary PAN and replicated to all Secondary Nodes
• Stores ISE policy config, endpoint records, internal users, guest database, user certificates, etc.
• Profiling is primary contributor to database replication
• Local Persistence/Cache Database (Replication on Whitelist Attribute change)

• Locally stores endpoint profile updates.
MAC ADDRESS
• Last PSN to learn new whitelisted attributes becomes ENDPOINT POLICY
endpoint owner (tracked by “EndPoint Profiler Server” STATIC ASSIGNMENT
• If another PSN receives newer attributes, it requests attribute sync STATIC GROUP ASSIGNMENT
ENDPOINT IP
from prior owner and takes ownership, then notifies other PSNs.
POLICY VERSION
• Only update PAN for Significant Attribute changes MATCHED VALUE (CF)
• PAN replicates all attributes on significant attribute change. NMAP SUBNET SCAN ID
PORTAL USER
DEVICE REGISTRATION STATUS
Significant Attributes vs. Whitelist Attributes For Your
Reference
Attributes that impact profile

Significant Attributes 161-udp FirstCollection MDMPinLockSet
• Change triggers global replication AAA-Server FQDN MDMProvider
MDMSerialNumber
AC_User_Agent Framed-IP-Address
MACADDRESS AUPAccepted host-name MDMServerReachable
ENDPOINTIP BYODRegistration hrDeviceDescr MDMUpdateTime
MATCHEDVALUE CacheUpdateTime IdentityGroup NADAddress
Calling-Station-ID IdentityGroupID NAS-IP-Address
ENDPOINTPOLICY IdentityStoreGUID NAS-Port-Id
cdpCacheAddress
ENDPOINTPOLICYVERSION cdpCacheCapabilities IdentityStoreName NAS-Port-Type
STATICASSIGNMENT cdpCacheDeviceId ifIndex NmapScanCount
STATICGROUPASSIGNMENT cdpCachePlatform ip NmapSubnetScanID
cdpCacheVersion L4_DST_PORT operating-system
NMAPSUBNETSCANID
Certificate Expiration Date LastNmapScanTime OS Version
PORTALUSER Certificate Issue Date lldpCacheCapabilities OUI
DEVICEREGISTRATIONSTATUS Certificate Issuer Name lldpCapabilitiesMapSupported PhoneID
Certificate Serial Number lldpSystemDescription PhoneIDType
ciaddr MACAddress PolicyVersion
Whitelist Attributes CreateTime
Description
MatchedPolicy
MatchedPolicyID
PortalUser
PostureApplicablePreviousDevi
• Change triggers PSN-PSN replication and DestinationIPAddress MDMCompliant ceRegistrationStatus
Device Identifier MDMCompliantFailureReason Product
global ownership change Device Name MDMDiskEncrypted RegistrationTimeStamp
DeviceRegistrationStatus MDMEnrolled StaticAssignment
Other Attributes dhcp-class-identifier MDMImei
MDMJailBroken
StaticGroupAssignment
sysDescr
dhcp-requested-address
• Dropped if whitelist filter enabled; EndPointPolicy MDMManufacturer TimeToProfile
MDMModel Total Certainty Factor
Otherwise, only locally saved by PSN EndPointPolicyID
MDMOSVersion UpdateTime
EndPointProfilerServer
BRKSEC-3432 EndPointSource
#CLMEL MDMPhoneNumber User-Agent
Whitelist Attributes vs Significant Attributes
Sampling of All Endpoint Attributes
PolicyVersion UseCase ifDescr L4_DST_PORT mdns_VSM_txt_identifier
host-name
OUI UserType ifIndex L4_SRC_PORT sipDeviceName
domain-name
EndPointMACAddress
MatchedPolicy
GroupsOrAttributesProcessFailure
ExternalGroups Whitelist Attributes
ifOperStatus
cdpCacheAddress
dhcp-class-identifier
dhcp-client-identifier
LAST_SWITCHED
OUTPUT_SNMP
sipDeviceVendor
sipDeviceVersion
EndPointMatchedProfile Called-Station-ID cdpCacheCapabilities device-platform
dhcp-message-type MDMPinLockSet PROTOCOL
EndPointPolicy Calling-Station-ID 161-udp cdpCacheDeviceId FirstCollection SRC_MASK device-platform-version
dhcp-parameter-request-list
Total Certainty Factor DestinationIPAddress AAA-ServercdpCachePlatform FQDN dhcp-requested-address
MDMProvider SRC_TOS device-type
EndPointProfilerServer DestinationPort cdpCacheVersion
AC_User_Agent Framed-IP-Address MDMSerialNumber TCP_FLAGS AD-Host-Exists
dhcp-user-class-id
EndPointSource Device IP Address lldpSystemDescription MDMServerReachable SRC_VLAN AD-Join-Point
AUPAccepted host-name dhcp-vendor-class
StaticAssignment MACAddress lldpSystemName AD-Operating-System
BYODRegistration hrDeviceDescr flags MDMUpdateTime DST_VLAN AD-OS-Version
StaticGroupAssignment MessageCode lldpCapabilitiesMapSupported giaddr IN_SRC_MAC
NADAddress CacheUpdateTime
lldpChassisId
IdentityGroup NADAddress AD-Service-Pack
UpdateTime OUT_DST_MAC
Description NAS-IP-Address Calling-Station-ID
cLApIfMacAddress IdentityGroupID hlen NAS-IP-Address MAX_TTL iotAssetDeviceType
hops
IdentityGroup NAS-Port cdpCacheAddress
cLApName IdentityStoreGUID htype NAS-Port-Id MIN_TTL iotAssetProductCode
ElapsedDays NAS-Port-Id cLApNameServerAddressIdentityStoreName ip
cdpCacheCapabilities NAS-Port-Type dst_as iotAssetProductName
InactiveDays NAS-Port-Type cLApSshEnable NmapScanCount src_as iotAssetRetrievedFrom
cdpCacheDeviceId ifIndex op
NetworkDeviceGroups NetworkDeviceName cLApTelnetEnable iotAssetSerialNumber
cdpCachePlatform ip secs NmapSubnetScanIDcount iotAssetTrustLevel
Location RequestLatency cLApTertiaryControllerAddress
operating-system flow_sequence
Device Type
IdentityAccessRestricted
Service-Type
Timestamp
cdpCacheVersion
Certificate cLApUpTime
Expiration Date
L4_DST_PORT
cLApTertiaryControllerAddressType
LastNmapScanTime
yiaddr
sysName
sysDescr
OS Version
source_id
sys_uptime
Significant Attributes iotAssetVendorID
80-tcp
IdentityStoreName User-Name Certificate cLApWipsEnable
Issue Date lldpCacheCapabilities
sysContact
OUI unix_secs 110-tcp
ADDomain Egress-VLANID
Egress-VLAN-Name
cldcAssociationMode
Certificate Issuer Name lldpCapabilitiesMapSupported
sysLocation PhoneID version MACADDRESS 135-tcp
139-tcp
AuthState cldcClientAccessVLAN
Certificate Serial Number lldpSystemDescription
hrDeviceDescr PhoneIDType MDMServerName
ISEPolicySetName Airespace-Wlan-Id
ciaddr
cldcClientIPAddress MACAddress LastNmapScanTime PolicyVersion MDMUdid MATCHEDVALUE 143-tcp
IdentityPolicyMatchedRule Device Port cldcClientStatus MDMImei 443-tcp
NmapScanCount
AllowedProtocolMatchedRule EapTunnel CreateTime BYODRegistration
MatchedPolicy PortalUser
operating-system PostureApplicablePreviousMDMMeid ENDPOINTPOLICY 445-tcp
SelectedAccessService Framed-IP-Address DescriptionDeviceRegistrationStatusMatchedPolicyID CLASS_ID MDMManufacturer 515-tcp
SelectedAuthenticationIdentityStores NAS-Identifier DestinationIPAddress
PortalUser MDMCompliant DIRECTION DeviceRegistrationStatus
MDMModel
ENDPOINTPOLICYVERSION 3306-tcp
RadiusPacketType MDMCompliantFailureReason ProductRegistrationTimeStamp 3389-tcp
AuthenticationIdentityStore
AuthenticationMethod Vlan
AUPAccepted
Device Identifier DST_MASK
LastAUPAcceptanceHoursMDMDiskEncryptedFIRST_SWITCHED StaticAssignment MDMPhoneNumber
MDMOSVersion STATICASSIGNMENT 5900-tcp
Device Name 8080-tcp
AuthorizationPolicyMatchedRule
SelectedAuthorizationProfiles
VlanName
cafSessionAuthUserName
PostureAssessmentStatus
DeviceRegistrationStatus
FQDN
MDMEnrolled FLOW_SAMPLER_ID StaticGroupAssignment MDMSerialNumber
MDMCompliant
STATICGROUPASSIGNMENT 9100-tcp
dhcp-class-identifier MDMImei FragmentOffset sysDescr
CPMSessionID cafSessionAuthVlan
cafSessionAuthorizedBy
OpenSSLErrorMessage
dhcp-requested-address MDMJailBroken INPUT_SNMP TimeToProfile
MDMJailBroken NMAPSUBNETSCANID 53-udp
67-udp
AAA-Server OpenSSLErrorStack IN_BYTES MDMPinLockSet
OriginalUserName cafSessionDomain EndPointPolicy
User-Agent MDMManufacturerIN_PKTS Total Certainty Factor
MDMDiskEncrypted PORTALUSER 68-udp
DetailedInfo cafSessionStatus attribute-52
EndPointPolicyID MDMModel UpdateTime h323DeviceName 123-udp
OUT_BYTES
EapAuthentication dot1dBasePort attribute-53
EndPointProfilerServer MDMOSVersion IPV4_DST_ADDR User-Agent h323DeviceVendor DEVICEREGISTRATIONSTATUS 135-udp
NasRetransmissionTimeout dot1xAuthAuthControlledPortControl chaddr h323DeviceVersion 137-udp
EndPointSource MDMPhoneNumberIPV4_NEXT_HOP 138-udp
TotalFailedAttempts dot1xAuthAuthControlledPortStatus ciaddr IPV4_SRC_ADDR mdns_VSM_class_identifier
TotalFailedTime dot1xAuthSessionUserName client-fqdn mdns_VSM_srv_identifier 139-udp
IPV4_IDENT
Replication using JGroups For Your
Reference
Node Group/Cluster Messaging

2 6 7
1 5
3 PAN 8 PSN DHCP
RADIUS PSN
PSN1 4 9 PSN2
Global Replication
1. First profile attributes (RADIUS) received for an endpoint by PSN1 and saved in local DB.
2. New endpoint so PSN1 declares ownership to local node group over local cluster channel.
3. PSN1 syncs all attributes for endpoint to PAN; PAN creates endpoint in DB.
4. PAN replicates all attributes for the endpoint to all other nodes via Global Replication channel.
5. New profile attributes (DHCP) for same endpoint received by PSN2 in same node group.
6. PSN2 communicates with PSN1 over local cluster channel to determine if change to white list attribute. In this case, yes, so PSN2
requests all attributes for endpoint from PSN1.
7. PSN2 declares ownership change to local node group.
8. PSN2—did significant attribute change? Yes, since profile updated. PSN2 syncs all attributes to PAN.
9. PAN saves to central DB and replicates all attributes to all other secondary nodes in deployment over global channel.
JGroups Overview For Your
Reference
Software for reliable group(cluster) communication
Keeps track of member joins, leaves or crashes and notifies group members
Membership “View” shows who is currently part of the group
Members can send messages to all the members or to specific members and receive messages
Sending messages to all members is called multicast and specific members is called unicast
Supports different transports:
• UDP multicast
• UDP unicast
• TCP mesh
• TCP hub-and-spoke (gossip router); also referred to as tunneled mode
Replication/Global Cluster For Your
Reference
• Replication Cluster is a group with all nodes in the ISE deployment, i.e. PANs, MnTs,
and PSNs
• Mainly used for the replication of configuration and runtime data from Primary PAN
to all other nodes
• Also used by Profiler for fetching attributes from current owner and updating
endpoint ownership changes; for example, when node is not a node group member
or loses connection to its local node group.
• Uses TCP Hub and Spoke (Gossip Router) transport with Primary PAN as the hub over
port TCP/12001
• All nodes should have connectivity to TCP/12001 on both Primary and Secondary
PAN
ISE Inter-Node Communications For Your
Reference
Database Operations
MnT (P) MnT (S)

TCP/443 HTTPS (SOAP)
Admin (P) Admin (S)
PSN1 PSN2
PSN3
Inter-Node Communications
TCP/12001 JGroups Tunneled
JGroup Connections – Global Cluster
MnT (P) MnT (S)
• All Secondary nodes* establish
connection to Primary PAN (JGroup
Controller) over tunneled connection
(TCP/12001) for config/database sync.
• Secondary Admin also listens on
Admin (P) Admin (S) TCP/12001 but no connection established
GLOBAL unless primary fails/secondary promoted
JGROUP
CONTROLLER • All Secondary nodes participate in the
Global JGroup cluster.
PSN1 PSN2
*Secondary node = All nodes except

Primary Admin node; includes PSNs,
PSN3
MnT, pxGrid, and Secondary Admin
nodes
Inter-Node Communications TCP/7800 JGroup Peer Communication
JGroup Failure Detection
Local JGroups and Node Groups TCP/12001 JGroups Tunneled
MnT (P) MnT (S)

• Node Groups can be used to define local
JGroup* clusters where members
exchange heartbeat and sync profile data
over SSL (TLS v1.2).
• PSN claims endpoint ownership only if
Admin (P) Admin (S) change
PSN1 is in whitelist
current attribute;
endpoint triggers
owner – no
GLOBAL ownership update to local PSNs. Whitelist
DHCP database replication even if whitelist
JGROUP Profile
Update check always occurschanges
attribute regardless of global
CONTROLLER Change
t=1
t=0 whitelist filter.
Fetch Attributes • Replication to PAN occurs if significant
PSN1 PSN2
PSN2 getschanges,
attribute more current update
then sync for
all attributes
LOCAL Change same endpoint and takes ownership
JGROUP
via PAN; if whitelist filter enabled, only
Ownership – fetches all attributes from PSN1
CONTROLLER NODE GROUP A whitelist attributes synced to all nodes.
(JGROUP A)
PSN3
*JGroups: Java toolkit for reliable multicast
communications between group/cluster members.252
BRKSEC-3432 #CLMEL © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
ISE 2.1 Inter-Node Communications For Your
Reference
Consolidated View for Database Operations
TCP/443 HTTPS (SOAP) – Node Up/Down
MnT (P) MnT (S)
Notification, Session Retrieval
TCP/7800 TLS – JGroup Member Discovery,
JGroup Responses/Status, Ownership Change,
Endpoint Attribute Retrieval, Failure Detection
TCP/12001 JGroups Tunneled (Global)
TCP/1528 Oracle DB (Secure JDBC)
Admin (P) Admin (S)
PSN1 PSN2
NODE GROUP A
(JGROUP A)
PSN3
Local JGroups and Node Groups For Your
Reference
TCP/12001 JGroups Tunneled
• General classification data for given endpoint should stay local

to node group = whitelist attributes • Node groups continue to provide original
• Only certain critical data needs to be shared across entire function of session recovery for failed PSN.
deployment = significant attributes • Profiling sync leverages JGroup channel
• Each LB cluster should be a node group, but LB
LB is NOT a
Load is NOT required for node groups.
requirement for
Balancer
Node Group
NODE GROUP A • Node group members should have GE LAN
(JGROUP A) connectivity (L2 or L3)
• ISE 2.0+ uses TLSv1.2
• Reduces sync updates even if different PSNs
PSN1 PSN2 receive data – expect few whitelist changes
L2 or L3 LAN and even fewer critical attribute changes.
Switching
PSN3
MnT (P) MnT (S)
Admin (P) Admin (S)
• Profiling sync leverages JGroup channels

• All replication outside node group must traverse
PAN—including Ownership Change!
• If Local JGroup fails, then nodes fall back to Global
JGroup communication channel.
PSN1 PSN2 PSN4 PSN5

L2 or L3
NODE GROUP A NODE GROUP B
(JGROUP A) (JGROUP B)
PSN3
PSN6
Periodic Sync For Your
Reference
Normalize endpoint attributes between Redis and Oracle
• Approximately every 12 hrs, PSNs sync endpoint attributes with Primary PAN.
• Related Bug IDs:
• CSCuz44971 ISE 1.3 Inconsistent Endpoint inactivity timer causing purge issues
• CSCuu60871 Profiler: DNS Reverse Lookup Averted if less than 1 hour
• Solution:
• Periodically synchronize Oracle with the current endpoint owner's Redis cache so that Oracle information is
reasonably up to date. In order for this not to swamp the deployment with replication traffic, period syncs
of endpoint data to the PAN will be done without replicating the endpoint to all of the PSNs. The result is
that the PAN will have reasonably up-to-date information, while the PSNs will have the same stale
endpoint data that they have now. To make sure purging happens with reasonably accurate information,
PSNs will fetch endpoint data either from the local cache or from the PAN. If the endpoint cannot be
read from either source, then it will be skipped during that purge cycle.
Node Groups and Session Recovery
Dynamic Clean Up for Orphaned URL-Redirected Sessions
Primary Primary
PAN PSN3 not responding!
MnT
Hey Primary MnT!
Did PSN3 have any active
sessions with pending
redirect?
JGroup “Master”
CoA Session
Terminate
PSN1 PSN2
RADIUS
Portal Redirect to
PSN3 PSN3
TCP/7802 JGroup Failure Detection
MnT (P) MnT (S)
Admin (P) Admin (S)

For Your
Reference
PSN1 PSN2 PSN4 PSN5

L2 or L3
NODE GROUP A NODE GROUP B
(JGROUP A) (JGROUP B)
PSN3
PSN6
DNS: tcp-udp/53
NTP: udp/123
ISE 2.4 Node Communications Repository: FTP, SFTP, NFS,

HTTP, HTTPS
File Copy: FTP, SCP, SFTP, TFTP
For Your
Reference
pxGrid (Bulk Download): tcp/8910
pxGrid: tcp/5222
Syslog: udp/20514, tcp/1468
pxGrid Client PXG Secure Syslog: tcp/6514
NetFlow for TS: udp/9993 NADs
pxGrid: tcp/5222
Email/ MNT RADIUS Auth: udp/1645,1812
SMS RADIUS Acct: udp/1646,1813
Gateways SMTP:
RADIUS CoA: udp/1700,3799
Logging RADSEC DTLS: udp/2083
tcp/25
HTTPS; tcp/443 HTTPS: tcp/443 RADIUS/IPsec: udp/500
Syslog: udp/20514, tcp/1468 Syslog: udp/20514, tcp/1468 TACACS+: tcp/49 (configurable)
Secure Syslog: tcp/6514 Secure Syslog: tcp/6514 WebAuth: tcp:443,8443
Oracle DB (Secure JDBC): tcp/1528 CoA (REST API): udp/1700 SNMP: udp/161
pxGrid: tcp/5222 SNMP Trap: udp/162
SMTP: tcp/25 JGroups: tcp/12001 (MnT to PAN)
JGroups: tcp/12001 NetFlow: udp/9996
(PPAN: email
expiry notifiy) DHCP:udp/67, udp/68 MDM
PSN DHCPv6: udp/547 Partner
HTTPS: tcp/443 SPAN:tcp/80,8080
JGroups: tcp/12001 (PSN to PAN) SXP: tcp/64999 MDM API: tcp/XXX
Syslog: udp/20514, tcp/1468 (vendor specific)
CoA (Admin/Guest Limit): udp/1700 OCSP: tcp/2560
Secure Syslog: tcp/6514
SNMP Traps: udp/162
PAN CA SCEP: tcp/9090
Query Attributes TC-NAC: tcp/443 Threat/VA

Server
LDAP: tcp-udp/389, tcp/3268
GUI: tcp/80,443 Guest: tcp/8443
SMB:tcp/445
Posture Updates/Smart SSH: tcp/22 Discovery: tcp/8443, tcp/8905
KDC:tcp-udp/88; KPASS: tcp/464 Inter-Node Communications
Sponsor (PSN): tcp/8443 Agent Install: tcp/8443
Licensing: tcp/443 SCEP: tcp/80, tcp/443; EST: tcp/8084 Admin(P) - Admin(S): tcp/443,
SNMP: udp/161 Posture Agent: tcp/8905; udp/8905
Profiler Feed: tcp/8443 OCSP: tcp/80; tcp/12001(JGroups)
REST API (MnT): tcp/443 PRA/KA: tcp/8905
CRL: tcp/80, tcp/443, tcp/389
ERS API: tcp/9060 DNS: udp/53; DHCP:udp/67 Monitor(P) - Monitor(S): tcp/443,
ODBC (configurable):
WMI Client Probe: tcp/135, tcp/445 udp/20514 (Syslog)
Cloud Services Microsoft SQL: tcp/1433
Kerberos (SPAN): tcp/88
Cisco.com/Perfigo.com Admin->Sponsor:
SCEP Proxy: tcp/80, tcp/443
Sybase: tcp/2638 PIP Policy - Policy:
Profiler Feed Service tcp/9002 PortgreSQL: tcp/5432
EST: tcp/8084 Node Groups/JGroups: tcp/7800
MDM & App Stores Wireless Setup Oracle: tcp/1512
Proxy CoA: udp/1700
Push Notification Wizard: tcp/9103 TS-Agent: tcp/9094
Admin / PSN-SXPSN: tcp/443
Smart Licesing AD Agent: tcp/9095
Sponsor IdP: tcp/XXX
WMI: tcp/135
(Vendor specific) pxGrid - pxGrid: tcp/5222
BRKSEC-3432 IdP SSO Server Endpoint
DNS: tcp-udp/53
NTP: udp/123
ISE 2.4 Node Communications Repository: FTP, SFTP, NFS, HTTP,

HTTPS
pxGrid: tcp/5222
pxGrid PXG Secure Syslog: tcp/6514
Subscriber/Pu NetFlow for TS: udp/9993 NADs
blisher pxGrid: tcp/5222
MNT RADIUS Auth: udp/1645,1812
Email/SMS RADIUS Acct: udp/1646,1813
Gateways SMTP:t RADIUS CoA: udp/1700,3799
cp/25
pxGrid: tcp/5222
SMTP: tcp/25 JGroups: tcp/12001 (MnT to PAN) SNMP Trap: udp/162
JGroups: tcp/12001
(PPAN: email NetFlow: udp/9996
Secure Syslog: tcp/6514 PAN CA SCEP: tcp/9090
SNMP Traps: udp/162

Server
GUI: tcp/80,443 Guest: tcp/8443
SMB:tcp/445
Posture Updates/Smart SSH: tcp/22 Discovery: tcp/8443, tcp/8905
KDC:tcp-udp/88; KPASS: tcp/464 Inter-Node Communications
Sponsor (PSN): tcp/8443 Agent Install: tcp/8443
Licensing: tcp/443 SCEP: tcp/80, tcp/443; EST: tcp/8084 Admin(P) - Admin(S): tcp/443,
SNMP: udp/161 Posture Agent: tcp/8905; udp/8905
Profiler Feed: tcp/8443 OCSP: tcp/80; tcp/12001(JGroups)
CRL: tcp/80, tcp/443, tcp/389
ERS API: tcp/9060 DNS: udp/53; DHCP:udp/67 Monitor(P) - Monitor(S): tcp/443,
ODBC (configurable):
WMI Client Probe: tcp/135, tcp/445
Cloud Services Microsoft SQL: tcp/1433 udp/20514 (Syslog)
Kerberos (SPAN): tcp/88
Cisco.com/Perfigo.com Admin->Sponsor: Sybase: tcp/2638
SCEP Proxy: tcp/80, tcp/443 Policy - Policy:
EST: tcp/8084 Node Groups/JGroups: tcp/7800
MDM & App Stores Wireless Setup Oracle: tcp/1512 PIP Proxy CoA: udp/1700
Admin / PSN-SXPSN: tcp/443
Smart Licesing IdP: tcp/XXX AD Agent: tcp/9095
Sponsor WMI: tcp/135
(Vendor specific) pxGrid - pxGrid: tcp/5222
IdP SSO Server Endpoint
BRKSEC-3432
DNS: tcp-udp/53
NTP: udp/123
ISE 2.6 Node Communications Repository: FTP, SFTP, NFS, HTTP,

HTTPS
pxGrid: tcp/5222
pxGrid PXG Secure Syslog: tcp/6514
Subscriber/Pu NetFlow for TS: udp/9993 NADs
blisher pxGrid: tcp/5222
MNT RADIUS Auth: udp/1645,1812
Email/SMS RADIUS Acct: udp/1646,1813
Gateways SMTP:t RADIUS CoA: udp/1700,3799
cp/25
pxGrid: tcp/5222
SMTP: tcp/25 JGroups: tcp/12001 (MnT to PAN) SNMP Trap: udp/162
JGroups: tcp/12001
(PPAN: email NetFlow: udp/9996
Secure Syslog: tcp/6514 PAN CA SCEP: tcp/9090
SNMP Traps: udp/162

Server
GUI: tcp/80,443 Guest: tcp/8443 Inter-Node Communications
SMB:tcp/445
SSH: tcp/22 Discovery: tcp/8443, tcp/8905
Posture Updates/Smart KDC:tcp-udp/88; KPASS: tcp/464
Sponsor (PSN): tcp/8443 Agent Install: tcp/8443 Admin(P) - Admin(S): tcp/443,
Licensing: tcp/443 SCEP: tcp/80, tcp/443; EST: tcp/8084
SNMP: udp/161 Posture Agent: tcp/8905; udp/8905 tcp/12001(JGroups)
Profiler Feed: tcp/8443 OCSP: tcp/80;
CRL: tcp/80, tcp/443, tcp/389 Monitor(P) - Monitor(S): tcp/443,
ERS API: tcp/9060 DNS: udp/53; DHCP:udp/67
ODBC (configurable): udp/20514 (Syslog)
WMI Client Probe: tcp/135, tcp/445
Cloud Services Microsoft SQL: tcp/1433
Kerberos (SPAN): tcp/88 Policy - Policy:
Cisco.com/Perfigo.com Admin->Sponsor: Sybase: tcp/2638
SCEP Proxy: tcp/80, tcp/443 Node Groups/JGroups: tcp/7800
EST: tcp/8084
MDM & App Stores Wireless Setup Oracle: tcp/1512 PIP Proxy CoA: udp/1700
PSN-SXPSN: tcp/443
Admin /
Smart Licesing IdP: tcp/XXX AD Agent: tcp/9095
Sponsor WMI: tcp/135 pxGrid - pxGrid: tcp/5222
(Vendor specific)
Syslog: udp/40514, tcp/11468 All nodes - AMQPS: tcp/8671
IdP SSO Server Endpoint intranode- AMQ: tcp/8672
BRKSEC-3432 #CLMEL © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
15672 for messaging 261
For Your
Reference
AD Connector Ports
Protocol Port Authenticated Notes
DNS (TCP/UDP) 53 No May use DNSSEC
MSRPC (TCP) 445 Yes
Kerberos (TCP/UDP) 88 Yes (Kerberos) MS AD/KDC
Kpasswd 464 No
LDAP (TCP/UDP) 389 Yes. Encrypted & Authenticated with Just like native MS
SASL, not LDAP/S Domain Member
Global Catalog (TCP) 3268 Yes. Encrypted & Authenticated with Just like native MS
SASL, not LDAP/S Domain Member
NTP 123 No
IPC 80 Yes, using creds from RBAC system. ISE REST Library
Profiling and Data Replication PAN(S)
Before Tuning PAN(Primary)
MNT(P) MNT(S)
Node Group = DC1-group Node Group = DC2-group

3 1 2 4 5
PSN Clusters PSN
RADIUS Auth DHCP 1 DHCP 2

NMAP
RADIUS Acctng pxGrid
Ownership
# Change
Global
Replication
Impact of Ownership Changes
Before Tuning
PAN(Primary)
Owner? Owner? Owner? Owner? Owner?

PSN Clusters PSN
RADIUS Auth DHCP 1 DHCP 2

NMAP
Profiling and Data Replication PAN(S)
After Tuning PAN(Primary)
MNT(P) MNT(S)
Node Group = DC1-group Node Group = DC2-group 2

1
PSN Clusters PSN
DHCP 1
RADIUS Auth
NMAP
Ownership
# Change
Global
Replication
Impact of Ownership Changes
After Tuning PAN(Primary)
Owner
PSN Clusters PSN
DHCP 1
RADIUS Auth
NMAP
ISE Profiling Best Practices
Whenever Possible…
• Use Device Sensor on Cisco switches & Wireless Controllers to optimize data collection.
• Ensure profile data for a given endpoint is sent to a single PSN (or maximum of 2)
Do
• NOT
Sending send
same profile dataprofile data
to multiple PSNs tointer-PSN
increases multipletraffic and PSNs
contention!for endpoint ownership.
• For redundancy, consider Load Balancing and Anycast to support a single IP target for RADIUS or profiling using…
• DHCP IP Helpers
DO send profile data to single and same PSN or Node
• SNMP Traps
• DHCP/HTTP with ERSPAN (Requires validation)
•
Group !
Ensure profile data for a given endpoint is sent to the same PSN
• Same issue as above, but not always possible across different probes
• DOnode
Use usegroups
Device Sensor
and ensure ! data for a given endpoint is sent to same node group.
profile
• Node Groups reduce inter-PSN communications and need to replicate endpoint changes outside of node group.
• DO enable
Avoid probes thatthe Profiler
collect the sameAttribute Filter
endpoint attributes !
• Example: Device Sensor + SNMP Query/IP Helper
• Enable Profiler Attribute Filter
ISE Profiling Best Practices For Your
Reference
Whenever Possible…
• Use Device Sensor on Cisco switches & Wireless Controllers to optimize data collection.
• Ensure profile data for a given endpoint is sent to a single PSN (or maximum of 2)
• Sending same profile data to multiple PSNs increases inter-PSN traffic and contention for endpoint ownership.
• For redundancy, consider Load Balancing and Anycast to support a single IP target for RADIUS or profiling using…
• DHCP IP Helpers
• SNMP Traps
• DHCP/HTTP with ERSPAN (Requires validation)
• Ensure profile data for a given endpoint is sent to the same PSN
• Same issue as above, but not always possible across different probes
• Use node groups and ensure profile data for a given endpoint is sent to same node group.
• Node Groups reduce inter-PSN communications and need to replicate endpoint changes outside of node group.
• Avoid probes that collect the same endpoint attributes
• Example: Device Sensor + SNMP Query/IP Helper
• Enable Profiler Attribute Filter
ISE Profiling Best Practices
General Guidelines for Probes
• HTTP Probe:
• Use URL Redirects instead of SPAN to centralize collection and reduce traffic load related to SPAN/RSPAN.
• Avoid SPAN. If used, look for key traffic chokepoints such as Internet edge or WLC connection; use intelligent SPAN/tap options or
VACL Capture to limit amount of data sent to ISE. Also difficult to provide HA for SPAN.
• DHCP Probe:
Do
•UseNOT
IP Helpersenable all aware
when possible—be probes by serving
that L3 device default ! not relay DHCP for same!
DHCP will
• Avoid DHCP SPAN. If used, make sure probe captures traffic to central DHCP Server. HA challenges.
• Avoid SPAN, SNMP Traps, and NetFlow probes !
SNMP Probe:
• For polled SNMP queries, avoid short polling intervals. Be sure to set optimal PSN for polling in ISE NAD config.
• SNMP Traps primarily useful for non-RADIUS deployments like NAC Appliance—Avoid SNMP Traps w/RADIUS auth.
Limit pxGrid probe to two PSNs max for HA – possibly dedicated !
• NetFlow Probe:
• Use only for specific use cases in centralized deployments—Potential for high load on network devices and ISE.
• pxGrid Probe:
• Limit # PSNs enabled for pxGrid as each becomes a Subscriber to same data. 2 needed for redundancy.
• Dedicate PSNs for pxGrid Probe if high-volume data from Publishers.
ISE Profiling Best Practices For Your
Reference
General Guidelines for Probes
• HTTP Probe:
• Use URL Redirects instead of SPAN to centralize collection and reduce traffic load related to SPAN/RSPAN.
• Avoid SPAN. If used, look for key traffic chokepoints such as Internet edge or WLC connection; use intelligent SPAN/tap options or
VACL Capture to limit amount of data sent to ISE. Also difficult to provide HA for SPAN.
• DHCP Probe:
• Use IP Helpers when possible—be aware that L3 device serving DHCP will not relay DHCP for same!
• Avoid DHCP SPAN. If used, make sure probe captures traffic to central DHCP Server. HA challenges.
• SNMP Probe:
• For polled SNMP queries, avoid short polling intervals. Be sure to set optimal PSN for polling in ISE NAD config.
• SNMP Traps primarily useful for non-RADIUS deployments like NAC Appliance—Avoid SNMP Traps w/RADIUS auth.
• NetFlow Probe:
• Use only for specific use cases in centralized deployments—Potential for high load on network devices and ISE.
• pxGrid Probe
• Limit # PSNs enabled for pxGrid as each becomes a Subscriber to same data. 2 needed for redundancy.
• Dedicate PSNs for pxGrid Probe if high-volume data from Publishers.
Profiling Redundancy – Duplicating Profile Data
Different DHCP Addresses
- Provides Redundancy but Leads to Contention for Ownership = Replication
• Common config is to duplicate IP helper data
PSN-CLUSTER1 PSN1 (10.1.99.5)
at each NAD to two different PSNs or PSN LB (10.1.98.8)
Clusters
PSN2 (10.1.99.6)
• Different PSNs receive data
Load Balancer
DC #1 PSN3 (10.1.99.7)
int Vlan10
DHCP Request
User DC #2 (10.2.100.2)
PSN2 (10.2.101.6)
interface Vlan10 Load Balancer

ip helper-address <real_DHCP_Server> PSN3 (10.2.101.7)
ip helper-address 10.1.98.8
ip helper-address 10.2.100.2 Note: LB depicted, but NOT required
Scaling Profiling and Replication
Single DHCP VIP Address using Anycast
- Limit Profile Data to a Single PSN and Node Group
• Different PSNs or Load Balancer VIPs host same PSN-CLUSTER1 PSN1 (10.1.99.5)
target IP for DHCP profile data (10.1.98.8)
• Routing metrics determine which PSN PSN2 (10.1.99.6)
or LB VIP receives DHCP from NAD
Load Balancer
DC #1 PSN3 (10.1.99.7)
int Vlan10
DHCP Request
User DC #2
(10.1.98.8)
PSN2 (10.2.101.6)
interface Vlan10 Load Balancer

PSN3 (10.2.101.7)
ip helper-address <real_DHCP_Server>
ip helper-address 10.1.98.8
Note: LB depicted, but NOT required
Profiler Tuning for Polled SNMP Query Probe
• Set specific PSNs to
periodically poll access
devices for SNMP data. Auto-Recovery when PSN
fails fixed in ISE 2.4
• Choose PSN closest
to access device.
28,800 sec (8 hours)

PSN2 *Minimum recommended
(Asia) polling interval
PSN1 SNMP Polling
(Amer) (Auto)
RADIUS
Switch
Profiler Tuning for Polled SNMP Query Probe For Your
Reference
Disable/uncheck SNMP Settings: Disables

• Polling Interval all SNMP polling options [CSCur95329]
1.2 Default: 3600 sec
(1 hour)
1.3 Default: 28,800 sec
(8 hours) *Recommend
minimum for all releases
• Setting of “0”: Disables
periodic poll but allows
triggered & NMAP queries Polled Mode = “Catch All”
[CSCur95329]
• Triggered SNMP query auto-
suppressed for
24 hrs per endpoint
#CLMEL BRKSEC-3432
274
pxGrid Profiler Probe (Context In)
First Integration is with Industrial Network Director (IND)
• IND communicates with Industrial Switches and Security Devices and collects detailed
information about the connected manufacturing devices.
• IND vX adds pxGrid Publisher interface to communicate IoT attributes to ISE.
IND ISE
• MAC Address Profiler Attributes
• IP Address Publisher • MAC Address
Subscriber
• iotAssetDeviceType • IP Address
• iotAssetProductCode • iotAssetDeviceType
• iotAssetProductName • iotAssetProductCode
• iotAssetRetrievedFrom • iotAssetProductName
• iotAssetSerialNumber • iotAssetRetrievedFrom
• iotAssetTrustLevel • iotAssetSerialNumber
• iotAssetTrustLevel
• iotAssetVendorName pxGrid
Controller • iotAssetVendorName
• iotAssetVendorID
• iotAssetVendorID
• iotAssetSwRevision • iotAssetSwRevision
• iotAssetHwRevision • iotAssetHwRevision
• iotAssetProtocol • iotAssetProtocol
• iotAssetBusinessOwner Custom Attributes • iotAssetBusinessOwner
• iotAssetLocation • iotAssetLocation
• iotAssetTag Supported !!! • iotAssetTag
pxGrid Profiler Probe (Context In)
First Integration with Cisco Industrial Network Director (IND)
• IND communicates with Industrial Switches and Security Devices and collects detailed information about the
connected manufacturing devices.
• IND v1.3 adds pxGrid Publisher interface to communicate IoT attributes to ISE.
IND Asset Inventory ISE Profiler Attributes

Publisher Subscriber iotMacAddress
iotIpAddress
iotName
pxGrid iotVendor
iotProductId
iotSerialNumber
iotDeviceType
iotSwRevision
iotHwRevision
iotProtocol
Custom Attributes iotConnectedLinks
Supported !!! iotCustomAttributes
pxGrid ISE Subscription • Service name: com.cisco.endpoint.asset
• Topic: /topic/com.cisco.endpoint.asset
Web Clients (pxGrid v2 Clients)
For Your
ISE as pxGrid Subscriber to Reference
IND as pxGrid Publisher
Endpoint Asset topic
/topic/com.cisco.endp..
/topic/com.cisco.endpoint.asset
pxGrid Profiler Probe For Your
Reference
Recommend limit probe to

two PSNs (2 for HA).
Each PSN becomes a
pxGrid Subscriber to IND
Asset topic
Profiler Conditions Based on Custom Attributes
Profiling Based on Custom Attributes
Performance Hit if too many attibrutes, Disabled By Default
• Global Setting MUST be

enabled
• If disabled:
• Custom Attributes are
NOT updated over pxGrid
• Profiler ignores any
conditions based on
Customer Attributes,
even if Custom Attribute
is populated.
ISE 2.4 - New Profile Policies by the Numbers
Delivered Via Feed Service
• New Profiles: ▪ Updated Profiles:

• Xerox – 45 ▪ Xerox – 140
• HP – 139 ▪ HP – 37
• Brother – 174 ▪ Brother – 4
• Cisco AP – 4 ▪ Lexmark – 4
• Fingerbank – 36
• Audio Code – 7
Total = 185
• Lexmark - 187
• Customer – 38
Total = 630
ISE 2.4 New Profiles For Your
Reference
Hierarchy Update
• Original issue: When new Printer model introduced, just gets profiled as
generic device such as Xerox-Device, or HP-Device.
• With new hierarchy, when a new Xerox Phaser Printer, for example, is released,
it is profiled as Xerox Phaser Printer, and later updated via Feed to specific
model.
• Hierarchy repeated for other printer company products (Xerox, HP, Brother,
Lexmark). Example:
• HP Printers: HP-Device > HP-Printer > [HP-Brand-Printer] > [Specific-HP-Brand-
Printer]
Printer Profile Hierachy For Your
Reference
New Profiles and Optimized Categories
BEFORE AFTER
New and Updated IoT Profile Libraries
Delivered via ISE Community: https://community.cisco.com/t5/security-documents/ise-endpoint-profiles/ta-p/3641187
• Automation and Control

• Industrial / Manufacturing
• Building Automation
• Power / Lighting
• Transportation / Logistics
• Financial (ATM, Vending, PoS, eCommerce)
• IP Camera / Audio-Video / Surveillance and Access Control
• Other (Defense, HVAC, Elevators, etc)
• Windows Embedded
• Medical NAC Profile Library – Updated
700+ Automation and Control Profiles (1000+ inc. MedNAC)
Automation and Control Profile Library For Your
Reference
https://communities.cisco.com/docs/DOC-66340
• List posted profiles:

https://communities.cisco.co
m
/tags/ise-endpoint-profile
Why Do I Care about # Profiles?
• ISE 2.1 supports a MAX of 2000 profiles
• Let’s Do the Math…
• ~600 Base Profiles
• 600+ New Feed Profiles (2.4)
• 300+ Medical NAC Profiles
• 700+ Automation & Control Profiles
--------------------------------------
2300+ Profiles
• No restrictions on profile import, so must check #

profiles in library before import large batch of
new profiles.
Profiling Bandwidth For Your
Reference
Factors Impacting Bandwidth Consumption for Profiling (Not Logging/Replication)
• Profiling traffic will be probe specific and dependent on many factors including:
• RADIUS Probe itself does not consume additional bandwidth unless tied to Device Sensor.
• RADIUS traffic generated by Device Sensor will depend on switch DS config, i.e. all events or only changes, functions enabled, and filters set.
• SNMP Query is based on configured polling interval (NAD based) and NAD sizes (for example, bigger switches with more active ports/connections will result in higher
SNMP bandwidth).
• SNMP Query (Port based) can also be triggered by SNMP Traps or RADIUS Accounting State, but current code should limit to one query per 24hrs.
• SNMP Traps will depend on # endpoints and connection events. Note that SNMP trap processing only supported for Wired.
• DHCP-related profile traffic will be dependent on lease timers and connection and reauth rates. Reauth rates can be triggers by idle and session timers or CoA where
session terminates/port bounces and triggers DHCP). Traffic is multiplied by the number of PSN targets configured which is why I advocate limiting targets to no more
than two or possibly one using Anycast.
• DHCP SPAN option will likely consume more bandwidth, especially if not filtered on DHCP only, as it collects all DHCP including bidirectional traffic flows. Also, since
no simple methods for SPAN HA, may need to send multiple SPANs to different PSNs (not pretty and another reason why I don’t generally recommend SPAN option).
• HTTP via redirects does not consume additional bandwidth
• HTTP via SPAN may consume a lot of bandwidth and will depend on SPAN config, where placed, traffic volume, and whether capture is filtered for only HTTP. Note,
we will not parse HTTPS SPAN traffic. Like DHCP SPAN, multiple targets required for redundancy.
• NMAP is triggered, but only 3 attempts on newly discovered Unknowns or policy triggered. Additional endpoint SNMP queries will be endpoint specific. For most
part, it should be fairly quiet. There is manual nmap scan option, but this should be used with care to avoid excessive ISE or network load. As manual process,
requires deliberate admin trigger.
• DNS is triggered based on new IP discovery, but for most part should be quiet.
• Netflow can add a large amount of traffic and highly dependent on Netflow config on source and the traffic volume. Like SPAN challenges, volume is multiple by #
PSN Netflow targets unless leverage something like Anycast for redundancy.
#CLMEL BRKSEC-3432
BRKSEC-3432
Scaling MnT
(Optimize Logging and
Noise Suppression)
Session Agenda
MnT (Optimize Logging and Noise Suppression) You Are Here

TACACS+ Design and

Profiling, TACACS+


Sizing Deployments
The Fall Out From the Mobile Explosion and IoT
▪ Explosion in number and type of endpoints on the network.
▪ High auth rates from mobile devices—many personal (unmanaged).
– Short-lived connections: Continuous sleep/hibernation to conserve battery power, roaming, …
▪ Misbehaving supplicants: Unmanaged endpoints from numerous mobile vendors may be misconfigured, missing
root CA certificates, or running less-than-optimal OS versions
▪ Misconfigured NADs. Often timeouts too low & misbehaving clients go unchecked/not throttled.
▪ Misconfigured Load Balancers—Suboptimal persistence and excessive RADIUS health probes.
▪ Increased logging from Authentication, Profiling, NADs, Guest Activity, …
▪ System not originally built to scale to new loads.
▪ End user behavior when above issues occur.
▪ Bugs in client, NAD, or ISE.
Advice: Sizing
Endpoint Behavior
=1x
• Different Endpoints behave
differently on a network
• Because of this we need to consider
the types of endpoints when sizing
deployments =2x
• Mobile (handheld) devices are the
most demanding due to
wireless/power restrictions
• Based on observations from many
deployments, a 1x/2x/5x ratio is a
good rule of thumb
=5x
Advice: Sizing
Mobile devices typically have…
• Less RF Output power
• Fewer/Smaller Antennas
• Lack support for multiple bands 2.4/5

GHz (some models)
Advice: Sizing
As a Result…
• Roam more often (up to 5x)
• Roam more aggressively
• Repeated Sleep/Wake Cycles to

conserve battery.
A Few Bad Apples Can Spoil the Whole Bunch
Repeats Every 30 Seconds For Your
Reference
Client/Supplicant NAD ISE
SSID
Step 1: Due to Reauthentication, or Coming back to Campus… New Connection Request
Step 2: Certificate sent to Supplicant
Client Rejects Cert
30 seconds
Step 1: New Connection Request
Step 2: Certificate sent to Supplicant
Client Rejects Cert
30 seconds
First EAP Timeout 120sec
30 Seconds Later
No Response Received From Client For Your
Reference
What might this do to MnT logging??
Clients Misbehave!
• Example education customer:
• ONLY 6,000 Endpoints (all BYOD style)
• 10M Auths / 9M Failures in a 24 hours!
• 42 Different Failure Scenarios – all related to
clients dropping TLS (both PEAP & EAP-TLS).
• Supplicant List:
• Kyocera, Asustek, Murata, Huawei, Motorola, HTC, Samsung, ZTE, RIM, SonyEric, ChiMeiCo, Apple, Intel,
Cybertan, Liteon, Nokia, HonHaiPr, Palm, Pantech, LgElectr, TaiyoYud, Barnes&N
• 5411 No response received during 120 seconds on last EAP message sent to the client
• This error has been seen at a number of Escalation customers
• Typically the result of a misconfigured or misbehaving supplicant not completing the EAP process.
Challenge: How to reduce
the flood of log messages
while increasing PSN and MnT
MNT capacity and tolerance
Getting More Information With Less Data
Scaling to Meet Current and Next Generation Logging Demands
Rate Limiting at Source Filtering at Receiving Chain
Reauth period Heartbeat Detect and reject Count and discard repeate
Quiet-period 5 min frequency misbehaving clients events
Held-period / Exclusion 5 min
Switch Log Filter Count and discard
untrusted events
Reauth phones Load
Balancer PSN MNT
Quiet period
Unknown users WLC

Quiet
Period LB Health Filter health
Reject
probes bad probes from
Roaming
supplicant logging
supplicant Client Exclusion Count and discard
repeats and unknown
NAD events
Misbehaving supplicant
BRKSEC-2059
Tune NAD Configuration Deploying ISE in a Dynamic Environment
Rate Limiting at Wireless Source Clark Gambrel
Reauth period Wireless (WLC)

Quiet-period 5 min
• RADIUS Server Timeout: Increase from default of 2 to 5 sec
Held-period / Exclusion 5 min
• RADIUS Aggressive-Failover: Disable aggressive failover
• RADIUS Interim Accounting: v7.6: Disable; v8.0+: Enable with interval of 0.

Reauth phones (Update auto-sent on DHCP lease or Device Sensor)
• Idle Timer: Increase to 1 hour (3600 sec) for secure SSIDs
Unknown users WLC • Session Timeout: Increase to 2+ hours (7200+ sec)
Quiet
Period
• Client Exclusion: Enable and set exclusion timeout to 180+ sec
Roaming supplicant
• Roaming: Enable CCKM / SKC / 802.11r (when feasible)
Client Exclusion
• Bugfixes: Upgrade WLC software to address critical defects
Misbehaving supplicant Prevent Large-Scale Wireless RADIUS Network Melt Downs

http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/118703-technote-wlc-00.html
Public Doc on Recommended Wireless Settings
For Your
Reference
Prevent Large-Scale Wireless RADIUS Network Melt Downs
http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/118703-technote-wlc-00.html
Wired & Wireless recommended links
Best Practices and Guides
• Top 6 settings for AireOS and ISE Wireless
• ISE and Catalyst 9800 series integration guide
• ISE Guest Access Prescriptive Deployment Guide
• Cisco ISE BYOD Prescriptive Deployment Guide
• ISE Secure Wired Access Prescriptive Deployment Guide
One-Click Setup for ISE Best Practice Config
• Checkbox to auto-
configure WLAN and
associated RADIUS
Servers to ISE best
practice.
WLC – RADIUS Server Settings For Your
Reference
Note: Diagrams show default values

RADIUS Server Timeout
• WLC default to receive response from the RADIUS Server is 2 sec; max=30
seconds
• Recommend increase to larger value, for example 5 sec.
RADIUS Aggressive-Failover
• (Cisco Controller)>config radius aggressive-failover disable
• If this is set to 'enable‘ (default), the WLC will failover to next server after 5
retransmissions for a given client.
• Recommend disable to prevent single misbehaving client from failing over and
disrupting other client sessions
unless there are 3 consecutive tries for 3 different users (i.e. the radius-server is
unresponsive for multiple users).
RADIUS Interim Accounting

• v7.x: Recommend disable (default setting). If required,
increase default from 600 sec to 900 sec (15 minutes) WLAN > Security > AAA Servers
• v8.x: Recommend enable with Interval set to 0.
RADIUS Accounting Update Behavior in WLC v8.x
Interim Update For Your
Reference
• WLC 7.6:
• Recommended setting: Disabled
• Behavior: Only send update on IP address
change
• Device Sensor updates not impacted
• WLC 8.0:
• Recommended setting: Enabled with
Interval set to 0
• Behavior: Only send update on IP address
change
• Device Sensor updates not impacted
• Upgrade maps settings correctly
For Your
Reference
WLC – Authentication Settings
Reduce the # Auths and ReAuths
• Increase Idle Timer to 1 hour (3600
sec) for secure (802.1X) SSIDs.
• Open SSIDs may require lower idle
timer to prevent overload from casual
associations.
• Increase reauth/session timers to

2+ hrs (7200+ sec)

WLC – Client Exclusion For Your
Reference
Blacklist Misconfigured or Malicious Clients
• Excessive 802.1X Authentication Failures—Clients are excluded on the fourth 802.1X

authentication attempt, after three consecutive failures.
• Excessive Web Authentication Failures—Clients are excluded on the fourth web authentication
attempt, after three consecutive failures.
• Client excluded for Time Value specified in WLAN settings. Recommend increase to
1-5 min (60-300 sec). 3 min is a good start.

For Your
Wireless Roaming Reference
Key Caching to Avoid Reauth when Roaming
• 802.11r (aka Fast Transition)

– Enable where supported and feasible;
For example, large Apple deployments.
– Apple support added in iOS6
• CCKM - Cisco Centralized Key Management
– Clients must support CCKM; CCXv4 feature
• SKC (Sticky PMKID Caching)
– Requires WLC 7.2
– Works only with WPA2 WLANs
– Recommended if clients do not support CCKM
or OKC (Opportunistic PMKID Caching)
> config wlan security wpa wpa2 cache sticky enable wlan_id
Which WLC Software Should I Deploy?
8.0.152.0 – Currently the most mature and reliable release.
8.2.167.6 – Mature - Recommended when need new feature/hardware support.
8.3.141.0 – Less Mature – Recommend if require new features in 8.3.x
8.5.124.55 – Cutting edge – Recommend if require new features in 8.5.x
8.6.101.0 – Bleeding edge – Only if absolutely require new features in 8.6.x
8.7.102.0 – Only if absolutely require new features in 8.7.x
Example critical defects resolved in maintenance and new releases:
CDETS Title
CSCul83594 Session-id is not synchronized across mobility, if the network is open (fixed in 8.6)
CSCuu82607 Evaluation of all for OpenSSL June 2015
CSCuu68490 duplicate radius-acct update message sent while roaming
CSCus61445 DNS ACL on wlc is not working - AP not Send DTLS to WLC
CSCuq48218 Cisco WLC cannot process multiple sub-attributes in single RADIUS VSA
CSCuo09947 RADIUS AVP #44 (Acct-Session-ID) to be sent in RADIUS authentication messages
TAC Recommended AireOS Builds For Your
Reference
https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/
200046-TAC-Recommended-AireOS.html
• Recommended Releases: This document describes the way in which the customers can find the most reliable
WLC software available. The Cisco Wireless TAC recommends AireOS builds from each train of released AireOS
software. These recommendations may be updated weekly.
• Escalation Builds: In some cases, the TAC recommended build may be an "escalation" build. Such builds are not
available on CCO (Cisco.com), but have important bugfixes (beyond what is available in CCO code), and will have
been operating in production at customer sites for several weeks. Such builds are fully Business Unit (BU) and
TAC supported.
• To request a TAC recommended escalation build, open a Cisco TAC case on your WLC contract.
• AireOS 7.6: Not recommended. The recommended migration path is to AireOS 8.0.
• AireOS 8.0: TAC recommends 8.0.152.0.
• AireOS 8.1: 8.1.131.0 is final maintenance release of AireOS 8.1. Recommend upgrade to 8.2.
• AireOS 8.2: For new features or hardware after 8.0, TAC recommends 8.2.167.6 (8.2MR7).
• AireOS 8.3: For new features or hardware introduced after 8.2, TAC recommends 8.3.141.0.
• AireOS 8.4: Short lived release with no maintenance planned, and is deferred; 8.5 is recommended.
• AireOS 8.5: For new features or hardware after 8.3, TAC recommends 8.5.124.55 (8.5MR3 interim)
• AireOS 8.6: BU and TAC support the 8.6.101.0 release; required for features avail post 8.5.
• AireOS 8.6: BU and TAC support the 8.7.102.0 release; required for features avail post 8.6.
Wireless Controllers Under Extreme Load (8.1+) For Your
Reference
• 5508 and WISM2

• 8 queues per server (max 17 servers configurable) Server 1 Server2
Queue 1 src port 1 src port 1
• 8510/7510 Queue 2 src port 2 src port 2
• 16 queues per server (max 17 servers configurable) Queue 3 src port 3 src port 3
• For all platforms, each queue = 0-255 unique IDs. Queue 5 src port 5 src port 5
So total 256*8 = 2048 requests/server. Queue 6 src port 6 src port 6
• Example using 5508/WISM2 : Queue 8 src port 8 src port 8
• We will have unique source port per queue.
Related defects:
• Total 8 unique source ports. CSCus51456,CSCur33085
• Queue is selected based on MAC address Hashing. CSCue37368, CSCuj88508
Before 8.1, separate queues added for Auth and Accounting, but all servers share same two queues. (CSCud12582,
CSCul96254)
In 8.1, queues are not divvied or shared between Auth and Accounting–both will have separate queues
For Your
Reference
Wireless Best Practices
Anchor Configurations
• RADIUS Accounting with Anchor Controllers

• Guest Anchors: Disable RADIUS Accounting on Guest Anchor WLAN (Enable on Foreign Only)
• Campus Anchors: In campus roaming scenario where all controllers need to be “primary” for
same SSID, cannot disable RADIUS Accounting.
• Open SSIDs will always issue new session ID with RADIUS accounting update with new ID, so
disconnects original connection and user is re-authenticated.
• CSCul83594 Sev6 - Session-id is not synchronized across mobility if the network is open
• CSCue50944 Sev6 - CWA Mobility Roam Fails to Foreign with MAC Filtering BYOD
Wireless Best Practices For Your
Reference
Roaming Considerations
• Session IDs can change when roam between controllers (L2 or L3 roaming); Going between APs to same
controller should fine.
• Secure SSIDs (802.1X): L2/L3 roaming between controllers should handle without reauth—all roams are
basically symmetric with tunnel back to foreign controller
• Open SSIDs (MAB, WebAuth):
• Avoid multiple controllers with open SSIDs – otherwise, will get new session ID (reauth) regardless if L2 or L3 roam.
[CSCul83594Session-id is not synchronized across mobility, if the network is open (fixed in 8.6)]
• Reauth any time change IP. For open SSID, it will always issue new SSID.
• Options:
• Stateful Controller Switchover
• Deploy higher-capacity controllers instead of many smaller ones.
• 802.11r will work with 7.6 or 8.0 and can be applied to entire WLAN—not tested under 7.6 so warning
provided.
Tune NAD Configuration
Rate Limiting at Wired Source
Reauth period
Wired (IOS / IOS-XE)
Held-period 5 min • RADIUS Interim Accounting: Use newinfo parameter with long interval
Quiet-period / Exclusion 5 min (for example, 24-48 hrs), if available. Otherwise, set 15 mins. If LB
Switch present, set shorter than RADIUS persist time.
Reauth phones • 802.1X Timeouts
• held-period: Increase to 300+ sec
Quiet period • quiet-period: Increase to 300+ sec
Unknown users
• ratelimit-period: Increase to 300+ sec
• Inactivity Timer: Disable or increase to 1+ hours (3600+ sec)
Roaming supplicant
• Session Timeout: Disable or increase to 2+ hours (7200+ sec)
• Reauth Timer: Disable or increase to 2+ hours (7200+ sec)
• Bugfixes: Upgrade software to address critical defects.
Wired – RADIUS Interim Accounting For Your
Reference
All IOS and IOS-XE Platforms
• Command:
switch(config)# aaa accounting update [newinfo] [ periodic number [ jitter maximum max-value ] ]
• Recommendation:
switch(config)# aaa accounting update [newinfo periodic 1440 | periodic 15]
Note: If RADIUS Load Balancing used, set lower than persistence interval to stick with same PSN.
• Reference:
• When the aaa accounting update command is activated, the Cisco IOS software issues interim accounting records for all
users on the system. If the keyword newinfo is used, interim accounting records will be sent to the accounting server every
time there is new accounting information to report.
• When used with the keyword periodic, interim accounting records are sent periodically as defined by the argument number
(in minutes). The interim accounting record contains all of the accounting information recorded for that user up to the time
the interim accounting record is sent.
• Jitter is used to provide an interval of time between records so that the AAA server does not get overwhelmed by a constant
stream of records. If certain applications require that periodic records be sent at exact intervals, you should disable jitter by
setting it to 0.
Caution: Using the aaa accounting update periodic command can cause heavy congestion when many users
are logged in to the network #CLMEL BRKSEC-3432
BRKSEC-3699 ©©
2019
2019
Cisco
Cisco
and/or
and/or
its its
affiliates.
affiliates.
AllAll
rights
rights
reserved.
reserved.Cisco
CiscoPublic
Public 316
316
Wired - 802.1X Timeout Settings For Your
Reference
• switch(config-if)# dot1x timeout held-period 300 | quiet-period 300 | ratelimit-period 300
held-period seconds Supplicant waits X seconds before resending credentials after a failed attempt.
Default 60.
quiet-period seconds Switch waits X seconds following failed authentication before trying to re-authenticate client.
Default: 120. • Cisco 7600 Default: 60.
ratelimit-period seconds Switch ignores EAPOL-Start packets from clients that authenticated successfully for X seconds.
Default: rate limiting is disabled.
Throttles misconfigured/misbehaving clients:
Quite-Period = 300 sec

= Wait 5 minutes after failed 802.1X auth.
Ratelimit-Period = 300 sec

= Ignore additional auth requests for 5 min. after
successful 802.1X auth.
Reference
Command Details
• Wired - All IOS and IOS XE platforms

held-period seconds Configures the time, in seconds for which a supplicant will stay in the HELD state (that is, the length of
time it will wait before trying to send the credentials again after a failed attempt).
• The range is from 1 to 65535. The default is 60.
quiet-period seconds Configures the time, in seconds, that the authenticator (server) remains quiet (in the HELD state)
following a failed authentication exchange before trying to reauthenticate the client.
• For all platforms except the Cisco 7600 series Switch, the range is from 1 to 65535.
The default is 120.
• For the Cisco 7600 series Switch, the range is from 0 to 65535. The default is 60.
ratelimit-period seconds Throttles the EAP-START packets that are sent from misbehaving client PCs (for example, PCs that send
EAP-START packets that result in the wasting of switch processing power).
• The authenticator ignores EAPOL-Start packets from clients that have successfully authenticated for the
rate-limit period duration.
• The range is from 1 to 65535. By default, rate limiting is disabled.
Wired – Authentication Settings For Your
Reference
Reduce the # Auths and ReAuths
• Disable or Increase Inactivity Timer to 1+ hours; Disable /increase Reauth to 2+ hours
switch(config-if)# authentication ?
• periodic Enable or Disable Reauthentication for this port
Enable inactivity timer with caution for
• timer Set authentication timer values
non-user / MAB endpoints.
switch(config-if)# authentication timer ?

• inactivity Interval in seconds after which if there
is no activity from the client then it will
be unauthorized (default OFF)
• reauthenticate Time in seconds after which an
automatic re-authentication should
be initiated (default 1 hour)
• On the Server Side (ISE), Idle and

Session / Reauth timers are configured
in the Authorization Profile
RADIUS Test Probes
Reduce Frequency of RADIUS Server Health Checks
Heartbeat • Wired NAD: RADIUS test probe interval set

frequency with idle-time parameter in radius-server
config; Default is 60 minutes
Switch • No action required
Reauth phones Load • Wireless NAD: If configured, WLC only sends

Balancer “active” probe when server marked as dead.
Quiet period • No action required
Unknown users WLC • Load Balancers: Set health probe intervals and
Quiet
Period LB Health
retry values short enough to ensure prompt
probes failover to another server in cluster occurs
Roaming supplicant
Client Exclusion
prior to NAD RADIUS timeout (typically 20-60
sec.) but long enough to avoid excessive test
probes.
NAD RADIUS Test Probes For Your
Reference
IOS Switch Test Probes
• By default, IOS Switches and WLC validate health through active authentications.
• Optional: IOS can send separate RADIUS test probes via idle-time setting.
• Recommendation: Keep default interval = 60 minutes
• Older command syntax :

radius-server host 10.1.98.8 auth-port 1812 acct-port 1813 test
username radtest ignore-acct-port idle-time 120 key cisco123
• Newer command syntax:

radius server psn-cluster1
address ipv4 10.1.98.8 auth-port 1812 acct-port 1813
automate-tester username radtest ignore-acct-port idle-time 120
key cisco123
Load Balancer RADIUS Test Probes
Citrix Example F5 Example
▪ Probe frequency and retry settings: ▪ Probe frequency and retry settings:
– Time interval between probes: – Time interval between probes:
interval seconds # Default: 5 Interval seconds # Default: 10
– Number of retries – Timeout before failure = 3*(interval)+1:
retries number # Default: 3 Timeout seconds # Default: 31
▪ Sample Citrix probe configuration: ▪ Sample F5 RADIUS probe configuration:

Name PSN-Probe
add lb monitor PSN-Probe RADIUS -respCode 2 Type RADIUS
-userName citrix_probe -password citrix123 Interval 10
-radKey cisco123 -LRTM ENABLED –interval 10 Timeout 31
–retries 3 -destPort 1812 Manual Resume No
Check Util Up Yes
▪ Recommended setting: Failover must occur before User Name f5-probe
RADIUS timeout (typically 15-35 sec) while avoiding Password f5-ltm123
excessive probing Secret cisco123
Alias Address * All Addresses
Alias Service Port 1812
#CLMEL Debug No
PSN Noise Suppression and Smarter Logging
Filter Noise and Provide Better Feedback on Authentication Issues
• PSN Collection Filters Detect and reject

misbehaving clients
• PSN Misconfigured Client Dynamic Detection and
Suppression
Log Filter
• PSN Accounting Flood Suppression
• Detect Slow Authentications PSN
PSN
• Enhanced Handling for EAP sessions dropped by
supplicant or Network Access Server (NAS)
• Failure Reason Message and Classification
Reject Filter health
• Identify RADIUS Request From Session Started bad probes from
on Another PSN supplicant logging
• Improved Treatment for Empty NAK List
PSN - Collection Filters
Static Client Suppression
Administration > System > Logging > Collection Filters
• PSN static filter based on
single attribute:
• User Name
• Policy Set Name
• NAS-IP-Address
• Device-IP-Address
• MAC (Calling-Station-ID)
• Filter Messages Based on Auth Result:

• All (Passed/Fail)
• All Failed
• All Passed
• Select Messages to Disable Suppression

for failed auth @PSN and successful auth @MnT
PSN Filtering and Noise Suppression (pre-ISE 2.2)
Misconfigured Client—Dynamic Detection and Suppression For Your
Reference
Administration > System > Settings > Protocols > RADIUS
▪ Flag misbehaving supplicants when

fail auth more than once per Detection Interval
– Alarm sent inc. failure stats each Report Interval
– Stop sending logs for repeat auth failures
for same endpoint during Rejection Interval.
– Successful auth clears flag
▪ Once flagged, if fail auth 5 more times of same
failure reason→ Access-Reject
– Match these • Calling-Station-ID (MAC Addr)
attributes: • NAS-IP-Address (NAD)
• Failure reason
– Excludes CoA messages / bad credentials
– Next request after interval is fully processed.
CSCuj03131 Lower "Request Rejection Interval" minimum to 5 minutes (from 30 minutes)
PSN Filtering and Noise Suppression
Dynamic Client Suppression
Flag misconfigured supplicants for

same auth failure within specified
interval and stop logging to MnT
Send alarm with failure statistics
Valid Time ranges displayed by default
Each endpoint tracked by:

• Calling-Station-ID (MAC Address)
• NAS-IP-Address (NAD address)
• Failure reason
PSN Filtering and Noise Suppression
Dynamic Client Suppression
Flag misconfigured supplicants for

same auth failure within specified
interval and stop logging to MnT
Send alarm with failure statistics
Send immediate Access-Reject Hard-coded @ 5

in ISE 2.0
(do not even process request) IF:
1) Flagged for suppression
2) Fail auth total X times for same
failure reason (inc 2 prev)
Fully process next request after

rejection period expires.
PSN Noise Suppression
Drop Excessive RADIUS Accounting Updates from “Misconfigured NADs”
Allow 2 RADIUS Accounting

Updates for same session in
specified interval, then drop.
Enhanced EAP Session Handling
Improved Treatment for Empty NAK List
• Best Effort for Supplicants that Improperly Reply with Empty
NAK List: PSN suggests the most secure or preferred EAP
protocol configured (per Allowed Protocols list).
• Some supplicants may reply with NAK and not suggest alternative
protocol (empty NAK list).
• ISE will now suggest other supported protocols rather than fail For Your
Reference
auth.
• Set Preferred EAP Protocol on ISE to most common method

used by network.
• This sets the list of proposed EAP methods sent to supplicant
during auth negotiation.
• Value is disabled by default.
Policy > Policy Elements > Results Authentication > Allowed Protocols
MnT Log Suppression and Smarter Logging
Drop and Count Duplicates / Provide Better Monitoring Tools
• Drop duplicates and increment counter in Live Log for “matching” passed
authentications Count and discard
• Display repeat counter to Live Sessions entries. repeated events
• Update session, but do not log RADIUS Accounting Interim Updates Count and discard
• Log RADIUS Drops and EAP timeouts to separate table for reporting purposes and untrusted events
display as counters on Live Log Dashboard along with Misconfigured Supplicants
and NADs MNT
• Alarm enhancements
• Revised guidance to limit syslog at the source.
• MnT storage allocation and data retention limits
• More aggressive purging Count and discard
repeats and unknown
• Allocate larger VM disks to increase logging capacity and retention. NAD events
MnT Noise Suppression (pre-ISE 2.2) For Your
Reference
Suppress Successful Auths and Accounting
▪ Suppress Repeated Successful Auths

= Do not save repeated successful auth
events to MnT DB
(Events will not display in Live Auth log).
▪ Accounting Suppression Interval
= Allow 2 log updates for same session,
then suppress any more updates in interval
(Range 1 sec – 1 day)
▪ Long Processing Step Threshold Interval
= Detect and log NAD retransmission timeouts for
auth steps that exceed threshold.
(Step latency is visible in Detailed Live Logs)
CSCur42723 Increase “Accounting Suppression Interval” maximum to 24 hrs (from 30 minutes)

MnT Noise Suppression
Suppress Storage of Repeated Successful Auth Events
Suppress Successful Reports

= Do not save repeated successful auth
events for the same session to MnT DB
These events will not display in Live

Authentications Log but do increment
Repeat Counter.
MnT Noise Suppression Step latency is visible in
Live Logs details
Suppress Storage of Repeated Successful Auth Events
12304 Extracted EAP-Response containing> PEAP
Administration Systemchallenge-response
> Settings > Protocols > RADIUS
11808 Extracted EAP-Response containing EAP-MSCHAP challenge-response for
inner method
15041 Evaluating Identity Policy (Step latency=1048 ms)
15006 Matched Default Rule
Suppress Successful Reports 15013 Selected Identity Source - Internal Users
24430 Authenticating user against Active Directory
= Do not save repeated successful auth 24454 User authentication against Active Directory failed because of a timeout error
events for the same session to MnT DB (Step latency=30031 ms)
24210 Looking up User in Internal Users IDStore - test1
24212 Found User in Internal Users IDStore
These events will not display in Live 22037 Authentication Passed
Authentications Log but do increment 11824 EAP-MSCHAP authentication attempt passed
Repeat Counter. 12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
5411 Supplicant stopped responding to ISE (Step latency=120001 ms)
Detect NAD retransmission timeouts and

Log auth steps > threshold.
MnT Duplicate Passed Auth Suppression For Your
Reference
Drop and Count Duplicates

• Unique session entries determined by hash
created based on these attributes:
➢ Called Station Id
➢ User Name
➢ Posture Status
➢ CTS Security Group
➢ Authentication Method
➢ Authentication Protocol
➢ NAS IP Address
➢ NAS Port Id
➢ Selected Authorization Profile
5eaf59f1e6cd6aa6113ca1463c779c3f (MD5 hash)

• “Discard duplicate” logic not applicable to failed auths as these are not cached in session
• Except for IP address changes, RADIUS Accounting (Interim) updates are dropped from storage,
but do update session #CLMEL BRKSEC-3432 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 334
Client Suppression and Reject Timers
Endpoint Access Device PSN MnT
t = T0 802.1X Request (12321 Cert Rejected) Failed Auth Log

Detection
t = T1 MAB Request (22056 Subject not found) Failed Auth Log Ts Ts = Failed
Failure
Suppression
t = T2 802.1X Request (12321 Cert Rejected) Failed Auth Log T2 < Ts Interval
2 failures!
t = T3 MAB Request Suppression Report 5434

t = T4 802.1X Request
Suppression
Tr Tr = Report
t = T5 MAB Request Interval
Report 5434
t = T6 802.1X Request
t = T7 MAB Request
Tr
t = T8 Total 5 failures Tx
802.1X Request
of same type! Reject Report 5449
Tx = Rejection
t = T9 Auth Request Interval
Rejection
Access-Reject Tr
Report 5449
t = T10 Auth Request
Access-Reject
Report 5449 Tr
Auth Request Successful Auth Log

Release #CLMEL BRKSEC-3432 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 335
Client Suppression and Reject Timers
Endpoint Access Device PSN MnT
Tr = Report
Tr Interval
Report 5449
Rejection
Tr Tx
Report 5449
Tx = Rejection
Interval
Tr
Report 5449
Tr
Report 5449
Rejection
Tr Tx
Report 5449
Tr
#CLMEL
BRKSEC-3432
Report 5449
ISE Log Suppression
“Good”-put Versus “Bad”-put
“Good” Auth Requests
Incomplete Auth
PSN MnT
Requests
“Bad” Auth Requests

RADIUS
Accounting
RADIUS Accounting updates (not
Rejected IP change) Successful Auth
Suppressed
Accounting
RADIUS Failed Auth
Updates
Drops Suppressed
Suppressed
ISE Log Suppression For Your
Reference
“Behaving” Clients Impacted by “Misbehaving” Clients
PSN MnT
Typical Load Example
$$
IN OUT
$
$$
$
Extreme Noise Load Example
$$$
IN OUT
$$$
$$$
$$$
WLC – Client Exclusion
Blacklist Misconfigured or Malicious Clients
• Excessive Authentication Failures—Clients are excluded on the fourth authentication attempt,

after three consecutive failures.
• Client excluded for Time Value specified in WLAN settings. Recommend increase to
1-5 min (60-300 sec). 3 min is a good start.

Reference

held-period seconds Supplicant waits X seconds before resending credentials after a failed attempt.
Default 60.
quiet-period seconds Switch waits X seconds following failed authentication before trying to re-authenticate client.
Default: 120. • Cisco 7600 Default: 60.
ratelimit-period seconds Switch ignores EAPOL-Start packets from clients that authenticated successfully for X sec.
Default: rate limiting is disabled.
Throttles misconfigured/misbehaving clients:
Quite-Period = 300 sec

= Wait 5 minutes after failed 802.1X auth.
Ratelimit-Period = 300 sec

= Ignore additional auth requests for 5 min. after
successful 802.1X auth.
Live Authentications and Sessions
Blue entry = Most current Live Sessions entry with repeated successful auth counter
Authentication Suppression
Enable/Disable
• Global Suppression Settings: Administration > System > Settings > Protocols > RADIUS
Failed Auth Suppression Successful Auth Suppression
Caution: Do not disable suppression in deployments with very high auth rates.
It is highly recommended to keep Auth Suppression enabled to reduce MnT logging
• Selective Suppression using Collection Filters: Administration > System > Logging > Collection Filters
Configure specific traffic to bypass
Successful Auth Suppression
Useful for troubleshooting authentication for a
specific endpoint or group of endpoints, especially
in high auth environments where global suppression
is always required.
Per-Endpoint Time-Constrained Suppression
Right Click
Visibility into Reject Endpoints!
346
Releasing Rejected Endpoints
Releasing Rejected Endpoints
Query/Release Rejected also

available via ERS API!
Sessions States For Your
Reference
Sessions can have one of 6 states as shown in the Live Sessions drop-down.
• NAD START --> Authenticating
• NAD SUCCESS --> Authorized
• NAD FAIL / ACCT STOP / AUTH FAIL --> Terminated
• POSTURED --> Postured
• AUTH PASS --> Authenticated
• ACCT START / UPDATE --> Started
The first two happen only for

wired switchports with epm
logging enabled and MnT nodes
are configured to receive these
logs via syslog from the NAD
Clearing Stale ISE Sessions For Your
Reference
RADIUS Accounting is Primary method to maintain sessions – Start/Update/Stop!

If RADIUS Accounting not sent (or not received due to network or PSN load drops), ISE will rely on Session Purge
operation to clear stale sessions
Automatic Purge: A purge job runs approximately every 5 minutes to clear sessions that meet any of the following
criterion:
1. Endpoint disconnected (Ex: failed authentication) in the last 15 minutes (grace time allotted in case of
authentication retries)
2. Endpoint authenticated in last hour but no accounting start or update received
3. Endpoint idle—no activity (auth / accounting / posturing / profiling updates) in the last 5 days
• Note: Session is cleared from MnT but does not generate CoA to prevent negative impact to connected endpoints. In other words,
MnT session is no longer visible but it is possible for endpoint to still have network access, but no longer consumes license.
Manual Purge via REST API: HTTP DELETE API can manually delete inactive sessions.
➢ An example web utility that supports HTTP DELETE operation is cURL. It is a free 3rd-party command line tool for transferring
data with HTTP/HTTPS: http://www.cisco.com/en/US/docs/security/ise/1.2/api_ref_guide/ise_api_ref_ch2.html#wp1072950
For Your
Reference
Live Authentications Log
Dashboard Counters Drill Down on
counters
• Misconfigured Supplicants: Supplicants failing to connect to seein the last 24 hours
repeatedly
details
• Misconfigured Network Devices: Network devices with aggressive accounting updates in the
last 24 hours
• RADIUS Drops: RADIUS requests dropped in the last 24 hours
• Client Stopped Responding: Supplicants stopped responding during conversations in the last
▪ Misconfigured Supplicants: Supplicants failing to connect repeatedly in the last 24 hours
24 hours
▪ Misconfigured Network Devices: Network devices with aggressive accounting updates in the last 24
• Repeat
hours Counter: Authentication requests repeated in the last 24 hours with no change in
identity content, network device, and authorization.
▪ RADIUS Drops: RADIUS requests dropped in the last 24 hours
▪ Client Stopped Responding: Supplicants stopped responding during conversations in the last 24
hours
▪ Repeat Counter: Successful authentication requests repeated in the last 24 hours with no change in
BRKSEC-3432 351
For Your
Live Authentications Log Reference
Dashboard Counters

hours
hours
Live Authentications Log For Your
Reference
Dashboard Counters

hours
hours
Counters – Misconfigured Supplicants For Your
Reference
Endpoints That Continuously Fail Authentication
Counters – Misconfigured NAS For Your
Reference
Access Devices That Send Excessive or Invalid RADIUS Accounting
Counters – RADIUS Drops For Your
Reference
Duplicate Session Attempts, Undefined NAD, Secret Mismatch, Non-
Conforming, Etc.
Counters – Clients Stopped Responding For Your
Reference
Supplicants That Fail to Complete EAP Authentication
Counters – Repeat Count For Your
Reference
Endpoint Tally of Successful Re-authentications
Repeat Counter For Your
Reference
Successful Authentication Suppression
• Global Repeat Counter displayed in Live Authentications Log dashboard:

• Session Repeat Counter displayed in Live Authentication and Sessions Log
• Can reset counters for all sessions or individual session
• Be sure to enable display under “Add or Remove Columns”
ISE 1.2 Alarms Do not forget aboutReference
For Your
the new Search

function in 1.2!
• Alarms displayed as dashlet on ISE Home Page
• Following alarms are added or

enhanced in ISE 1.2
➢ Misconfigured supplicant
➢ Misconfigured NAS
➢ Detect Slow Authentications
➢ RADIUS Request Dropped with more
accurate failure reasons
➢ Excessive Accounting Messages
➢ Mixing RADIUS Request between ISE PSN’s
due to NAD/LB behavior.
Minimize Syslog Load on MNT For Your
Reference
Disable NAD Logging and Filter Guest Activity Logging
Guest Activity: Log only if required.
Rate Limiting at Source Filter and send only relevant logs
Disable NAD Logging unless
required for troubleshooting
Filter Syslog at
Switch Source
Reauth phones Load

Balancer PSN
MNT
Unknown users WLC
Roaming supplicant
Syslog Forwarder
* Filter at Relay
Misbehaving supplicant Guest Activity: If cannot filter at

#CLMEL BRKSEC-3432 © 2019source,
Cisco and/or its use
affiliates. smart syslog
All rights reserved. relay
Cisco Public 361
NAD Logging For Your
Reference
Disable by Default
• Recommended enable for troubleshooting purposes only.

• If logging configured, the correct commands should include….
!
epm logging
logging origin-id # where origin-id = IP address A.B.C.D
logging source-interface <interface-id>
# where interface-id IP address = A.B.C.D
logging host <MNT1> transport udp port 20514
logging host <MNT2> transport udp port 20514
# Optional for redundancy, but not
! required for troubleshooting purposes
Guest Activity Logging For Your
Reference
Enable with purpose—only send logs of interest that apply to guest sessions.
ISE only parses log messages that include IP address of active guest account
ASA Example:
• Create Service Policy to inspect
HTTP traffic for guest subnet
• Filter messages ID # 304001:
accessed URLs
Log Filtering:
• If NAD supports, configure filters to limit logs only to those needed/usable by MnT.
• If unable to filter at NAD, use Syslog Relay to filter and forward desired messages.
MnT
Firewall Syslog Forwarder MnT

No Log Suppression With Log Suppression Distributed Logging
BRKSEC-3432
High Availability
Session Agenda
High Availability: You Are Here

TACACS+ Design and

Profiling, TACACS+


Sizing Deployments
High Availability
Agenda
• ISE Appliance Redundancy
Agenda
• ISE Node Redundancy
• Administration Nodes
• Monitoring Nodes
• pxGrid Nodes
• HA for Certificate Services

• Policy Service Node Redundancy
• Load Balancing
• Non-LB Options
• NAD Fallback and Recovery
Critical Services
External Services that can impact the Health of your ISE Deployment
• DNS and NTP
For Your
• Certificate Services: CA, OCSP/CRL Servers Reference
• ID Stores (AD, LDAP, ODBC, OTP, SAML/IdP, external RADIUS)

• Compliance Servers (MDM/EMM, Posture Remediation, Patch Managers, etc)
• TC-NAC: Threat and Vulnerability Assessment services
• Feed Services – (Posture, Profiling, Licensing)
• Rely on Proxy? Offline packages required?
HA for services external to ISE is
• SMTP for guest/admin notification outside the scope of this session, but
• Data Repositories (FTP, SCP, HTTP) be aware of potential impact from
single points of failure or
• Load Balancers front-ending ISE services performance bottlenecks in any
component of the system.
Session Agenda
High Availability: ISE Appliance Redundancy You Are Here

TACACS+ Design and

Profiling, TACACS+


Sizing Deployments
BRKSEC-3432
370
ISE Appliance Redundancy

Appliance Redundancy
In-Box High Availability SNS-3500 Series
SNS-3415 SNS-3495 SNS-3515 SNS-3595

Platform
(34x5 Small) (34x5 Large) (35x5 Small) (35x5 Large)
Drive No Yes No Yes
Redundancy (1) 600GB disk (2) 600-GB (1) 600GB disk (4) 600GB disk
No Yes
Controller Yes
Redundancy
No (1GB FBWC (RAID 10)
(RAID 1)
Controller Cache) (1GB FBWC Cache)
Ethernet
Yes* Yes* Yes* Yes*
4 GE NICs = 4 GE NICs = 6 GE NICs = 6 GE NICs =
Redundancy
Up to 2 bonded NICs Up to 2 bonded NICs Up to 3 bonded NICs Up to 3 bonded NICs
Redundant
No No
Power
(2ndPSU optional) Yes (2nd
PSU optional) Yes
UCSC-PSU-650W UCSC-PSU1-770W
* ISE 2.1 introduced NIC Teaming support for High Availability only (not active/active)
Appliance Redundancy
In-Box High Availability
SNS-3615 SNS-3655 SNS-3695
Platform
(36x5 Small) (36x5 Medium) (36x5 Large)
Drive No Yes Yes
Redundancy (1) 600GB disk (4) 600-GB (8) 600-GB
Yes Yes
Controller Level 10 Level 10
Redundancy
No
Cisco 12G SAS Cisco 12G SAS
Modular RAID Modular RAID
Yes* Yes* Yes*
Ethernet 2 X 10Gbase-T 2 X 10Gbase-T 2 X 10Gbase-T
Redundancy 4 x 1GBase-T 4 x 1GBase-T 4 x 1GBase-T
Up to 3 bonded NICs Up to 3 bonded NICs Up to 3 bonded NICs
Redundant
No
Power
(2nd
PSU optional) Yes Yes
UCSC-PSU1-770W
NIC Redundancy Update For Your
Reference
NIC Teaming / Interface Bonding
• For Redundancy only – NOT a Performance and Scale feature in 2.1.
• Allows one interface to serve as a hot backup for another primary interface.
• Up to (3) bonds in ISE 2.1. [Up to (6) Network Interfaces supported in ISE 2.0]
• NIC Teaming pairs specific interfaces into Bonded interfaces
Individual Interfaces Bonded Interfaces Comments
Gigabit Ethernet 0
Bond 0 GE 0 is primary, GE 1 is backup
Gigabit Ethernet 1
Gigabit Ethernet 2
Gigabit Ethernet 3
Gigabit Ethernet 4
Gigabit Ethernet 5
NIC Teaming
Network Card Redundancy
• For Redundancy only–NOT for
increasing bandwidth.
GE0 Primary
• Up to (3) bonds in ISE 2.1
Bond 0 • Bonded Interfaces Preset–
GE1 Backup Non-Configurable
GE2 Primary GE4

Bond 1 Bond 2
GE3 Backup GE5
NIC Teaming Interfaces for Redundancy For Your
Reference
When GE0 is Down, GE1 Takes Over
• Both interfaces assume the same

L2 address.
• When GE0 fails, GE1 assumes the
IP address and keeps the
communications alive.
GE0 GE1
• Based on Link State of the Primary
Interface
• Every 100 milliseconds the link
Same MAC Address state of the Primary is inspected.
NIC Teaming Interfaces for Redundancy
When GE0 is Down, GE1 Takes Over
• Both interfaces assume the same

L2 address.
• When GE0 fails, GE1 assumes the
IP address and keeps the
communications alive.
GE0 GE1
• Based on Link State of the Primary
Interface
• Every 100 milliseconds the link
Same MAC Address state of the Primary is inspected.
For Your
Reference
NIC Teaming
• Bond 0 = eth0 + eth1
eth2 CIMC
eth3 IO
eth4 eth0
eth5 eth1
Configured at the CLI For Your
Reference
Add the Backup Interface to the Primary Interface Configuration
ise-psn1/admin(config-GigabitEthernet)# do sho int
bond0: flags=5187<UP,BROADCAST,RUNNING,MASTER,MULTICAST> mtu 1500
inet 10.1.100.245 netmask 255.255.255.0 broadcast 10.1.100.255
inet6 fe80::250:56ff:feb8:783b prefixlen 64 scopeid 0x20<link>
inet6 2001:db8::250:56ff:feb8:783b prefixlen 64 scopeid 0x0<global>
inet6 2001:db8::856d:cd6d:e5a3:155f prefixlen 64 scopeid 0x0<global> • IP on Bond Only
ether 00:50:56:b8:78:3b txqueuelen 0 (Ethernet)
RX packets 9102447 bytes 4493061475 (4.1 GiB) • Shared MAC Address
RX errors 0 dropped 48852 overruns 0 frame 0
TX packets 7634687 bytes 1939631607 (1.8 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
GigabitEthernet 0
flags=6211<UP,BROADCAST,RUNNING,SLAVE,MULTICAST> mtu 1500
ether 00:50:56:b8:78:3b txqueuelen 1000 (Ethernet)
RX packets 9030026 bytes 4449311176 (4.1 GiB)
TX packets 7634687 bytes 1939631607 (1.8 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 • No IP address on
GigabitEthernet 1 Physical Interface
flags=6211<UP,BROADCAST,RUNNING,SLAVE,MULTICAST> mtu 1500
ether 00:50:56:b8:78:3b txqueuelen 1000 (Ethernet) • Same MAC Address
RX packets 72421 bytes 43750299 (41.7 MiB)
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
378
NIC Teaming
NIC Teaming / Interface Bonding
• Configured using CLI only!
• GE0 + GE1 Bonding Example:
admin(config-GigabitEthernet0)# backup interface GigabitEthernet 1
• Requires service restart. After restart, ISE recognizes bonded interfaces for Deployment
and Profiling ; Guest requires manual config of eligible interfaces.
Debugging NIC Bonding For Your
Reference
To help debug the assignment of interfaces to a portal on individual PSNs, detailed log messages
are written to /opt/CSCOcpm/logs/guest.log on each node.
• Example
DEBUG [localhost-startStop-1][] cisco.cpm.guestaccess.portmanager.BondedInterfaceUtils -::- Interfaces specified in the portal settings: [eth0]
DEBUG [localhost-startStop-1][] cisco.cpm.guestaccess.portmanager.BondedInterfaceUtils -::- Interfaces on this node: [bond0, eth2, eth3]
DEBUG [localhost-startStop-1][] cisco.cpm.guestaccess.portmanager.BondedInterfaceUtils -::- Interfaces from portal settings that are available on this node:
[]
INFO [localhost-startStop-1][] cisco.cpm.guestaccess.portmanager.BondedInterfaceUtils -::- Interface eth0 is selected for portal 'Hotspot Guest Portal
(default)‘, but eth0 and eth1 are bonded together as interface bond0, so the portal cannot listen on eth0 alone. However, since bond0 is not selected for
this portal, the bonded interface will not be used.
• Another example:
DEBUG [localhost-startStop-1][] cisco.cpm.guestaccess.portmanager.BondedInterfaceUtils -::- Interfaces specified in the portal settings: [eth0, bond0]
DEBUG [localhost-startStop-1][] cisco.cpm.guestaccess.portmanager.BondedInterfaceUtils -::- Interfaces on this node: [bond0, eth2, eth3]
DEBUG [localhost-startStop-1][] cisco.cpm.guestaccess.portmanager.BondedInterfaceUtils -::- Interfaces from portal settings that are available on this
node: [bond0]
INFO [localhost-startStop-1][] cisco.cpm.guestaccess.portmanager.BondedInterfaceUtils -::- Interface eth0 is selected for portal 'Hotspot Guest Portal
(default)‘, but eth0 and eth1 are bonded together as interface bond0, so the portal cannot listen on eth0 alone. Since bond0 is also selected for this portal,
the bonded interface will be used instead.
Virtual Appliance High Availability
• EtherChannel and other VM Host redundancy features should be transparent to ISE

running as VM Guest
• VMotion officially supported since ISE 1.2, but issues seen with live Snapshots and
VMotion therefore not recommend
• Live snapshots not recommended as an
ISE backup strategy. There is no quiescing of database. If snapshots used:
• Shut down ISE server prior to taking snapshot.
• Can be used in advance of upgrades; once upgrade successful, delete snapshot
• Leverage ISE Backup services and store to remote device to create data archives
• Optionally log data to external loggers/SIEMs for log redundancy or longer term retention.
BRKSEC-3432
382
ISE Node/Persona
Redundancy
Session Agenda
Node Redundancy: Admin, MnT and pxGrid You Are Here

TACACS+ Design and

Profiling, TACACS+


Sizing Deployments
• Maximum two PAN nodes
per deployment
Admin Node HA and Synchronization • Active / Standby
PAN Steady State Operation
• Changes made to Primary Administration DB are automatically synced to all nodes.
Admin Node
(Secondary)
Policy Service Node
Policy Sync
Admin Node
Policy Sync
(Primary)
Policy Service Node
Admin
User Policy Policy Service Node
Logging
Sync
pxGrid Node
Monitoring Node Monitoring Node
(Primary) (Secondary)
Admin Node HA and Synchronization
PAN Steady State Operation
• Changes made to Primary Administration DB are automatically synced to all nodes.
Admin
User
Admin Node Admin Node
• Maximum two
Policy
PAN nodes per PSN
Policy Sync Sync
deployment
Policy
PSN
• Active / Sync
Standby
PSN
PXG
Admin Node HA and Synchronization
Primary PAN Outage and Recovery
• Prior to ISE 1.4 or without auto failover, upon Primary PAN failure, admin user must connect to Secondary
PAN and manually promote Secondary to Primary; new Primary syncs all new changes.
• PSNs buffer endpoint Admin
updates if Primary PAN User
unavailable; buffered Admin Node Admin Node
updates sent once PAN (Primary) Policy (Secondary)
available. Sync
PSN
Policy Sync
Promoting
Policy
Secondary Admin PSN Sync
may take 10-15
minutes before
process is complete. PSN
New Guest Users or Registered Endpoints PXG
cannot be added/connect to network when
Primary Administration node is unavailable! #CLMEL BRKSEC-3432 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 386
Policy Service Survivability When Admin Down/Unreachable
Which User Services Are Available if Primary Admin Node Is Unavailable?
Service Use case Works (Y / N)
RADIUS Auth Generally all RADIUS auth should continue provided access to ID stores Y
All existing guests can be authenticated, but new guests, self-registered guests, or
Guest N
guest flows relying on device registration will fail.
Previously profiled endpoints can be authenticated with existing profile. New
Profiler endpoints or updates to existing profile attributes received by owner should apply, Y
but not profile data received by PSN in foreign node group.
Posture Provisioning/Assessment work, but Posture Lease unable to fetch timer. Y
Device Reg Device Registration fails if unable to update endpoint record in central db. N
BYOD/NSP relies on device registration. Additionally, any provisioned certificate
BYOD/NSP cannot be saved to database. N
MDM MDM fails on update of endpoint record N
See BYOD/NSP use case; certificates can be issued but will not be saved and thus fail.
CA/Cert Services N
OCSP functions using last replicated version of database
Clients that are already authorized for a topic and connected to controller will
pxGrid N
continue to operate, but new registrations and connections will fail.
TACACS+ TACACS+ requests can be locally processed per ID store availability. Y
Automatic PAN Switchover Don’t forget, after switchover
admin must connect to PAN-2
Introduced ISE 1.4 for ISE management!
• Primary PAN (PAN-1) down or DC-1 DC-2

network link down. PAN-2 MNT-2
MNT-1 PAN-1
• If Health Check Node unable Secondary Secondary
Primary Primary
to reach PAN-1 but can reach
PAN-2 1
2
→ trigger failover
• Secondary PAN (PAN-2) is
WAN
promoted by Health Check
Node
• PAN-2 becomes Primary and Primary PAN Secondary
takes over PSN replication. Health PAN Health
Check Node Check Node
Note: Switchover is NOT immediate. Total time based on polling intervals and promotion time.
Expect ~15 - 30 minutes.
ISE Admin Failover For Your
Reference
“Automated Promotion/Switchover”
• Primary PAN and secondary PAN can be in different subnets/locations

• Secondary nodes close to the respective PANs act as their health monitors
• Health Monitors:
• Maximum 2; Could be same node (recommend 2 if available)
• Requires distributed deployment.
• Can be any node—other than Admin node (or same node where Admin persona present)
• Recommend node(s) close to PAN to be monitored to differentiate between local versus broader network
outage, but should not be on SAME server if virtual appliance.
• Monitor Process:
• Secondary node monitoring the health of the Primary PAN node is the Active monitor
• On Failure detection, Health Monitor for Primary PAN node initiates switchover by sending request to the
Secondary PAN to become new primary PAN
PAN Failover Scenario For Your
Reference
Scenario 1
DC-1 DC-2
PAN-2 MNT-2
MNT-1 PAN-1 Secondary
Secondary
Primary Primary
• Primary PAN (PAN-1) down
• Secondary PAN (PAN-2) takes

X 1
Direct failover
detection
2
over WAN
P-PAN Health
S-PAN Health
Check Node
Check Node
Reference
Scenario 2
• Connection between Primary DC-1 DC-2

PAN and Secondary PAN is PAN-2 MNT-2
MNT-1 PAN-1
down. Primary Primary Secondary Secondary
• Connection between PAN and

Health Check Node is up Direct failover
detection
• Direct Failover detection
between PANs will cause false
X WAN
switchover and data out of

sync P-PAN Health
S-PAN Health
Check Node
• Using an external monitor can Check Node
avoid false switchover
Reference
Scenario 3
• Connectivity between DC-1 DC-2
the data centers is MNT-1 PAN-1 PAN-2

Secondary
MNT-2
Primary Primary Secondary
down
• Complete network split Direct failover
detection
Cannot be handled by
•
PAN Failover X
WAN
• Local WAN survivability P-PAN Health S-PAN

Check Node
required Health Check
Node
PAN Failover
Health Check Node Configuration
• Configuration using GUI only under Administration > System > Deployment > PAN Failover
Health Check Node

CANNOT be a PAN !!
Requires Minimum of 3
nodes – 3rd node is
independent observer
HA Config Changes Sent via Instant Relay For Your
Reference
ISE 2.1+
• High priority HA Configuration messages sent via REST in addition to standard

replication channel
• Any duplicates REST calls to propagate configuration Changes PSN
(Health
safely ignored Check
at receiving side. Node)
Replication Channel
Primary
PAN
Pending Messages
Secondary
REST calls to propagate configuration Changes PAN
HA Config Change Message
Alarms in PAN Auto-Failover For Your
Reference
Critical Alarms Warning Alarms

▪ Health check node finds primary PAN down Invalid auto-failover monitoring
▪ Health check node makes a promotion call to ▪ Mostly because health check node is out of sync
secondary PAN ▪ PAN Auto-failover is disabled but primary PAN is
▪ Health check node is not able to make promotion receiving health check probes
request to secondary PAN ▪ Primary PAN receives health probes from invalid health
▪ Secondary PAN rejects the promotion request made by check node
the health check node ▪ Secondary PAN info with the health check node is not
correct
▪ Node receiving the health probe says it is not the
correct primary PAN node
No health-check probes received
▪ Primary PAN does not receive the health check probes
though it is configured
Promotion of secondary PAN is called by the health check
node
PAN Auto-Failover Alarm Details For Your
Reference
Drill down on specific alarm to get Detailed Alarm information in a new page
MnT Distributed Log Collection For Your
Reference
• ISE supports distributed log collection across all nodes to optimize local data collection, aggregation, and
centralized correlation and storage.
• Each ISE node collects logs locally from itself; Policy Service nodes running Profiler Services may also collect
log (profile) data from NADs.
• Each node transports its Audit Logging data to each Monitoring node as Syslog—these logs are not buffered
unless use TCP/Secure Syslog
• NADs may also send Syslog directly to Monitoring node on UDP/20514 for activity logging, diagnostics, and
troubleshooting.
Policy Service Monitoring External Log
Profiler Syslog
NADs Nodes (UDP/30514)
Nodes Servers
HTTP SPAN,
DHCP
SPAN/Helper/Proxy Syslog Alarm-triggered
(UDP/20514) Syslog
NetFlow,
SNMP Traps,
RADIUS
(Not Buffered)
External Log Targets: Syslog (UDP/20514)
Syslog (UDP/20514)
HA for Monitoring and Troubleshooting
Steady State Operation
• MnT nodes concurrently receive logging from PAN, PSN, NAD, and ASA
• PAN retrieves log/report data from Primary MnT node when available
Monitoring
NADs Node (Primary) MnT data
Admin
User
PAN
Syslog from access devices Syslog 20514 Syslog from ISE nodes
PSN are sent for session
are correlated with
user/device session tracking and reporting
Monitoring
FW
Node (Secondary)
PXG
Syslog from firewall • Maximum two MnT

(or other user logging device) is nodes per deployment
correlated with guest session for
activity logging • Active / Active
HA for Monitoring and Troubleshooting
Primary MnT Outage and Recovery
• Upon MnT node failure, PAN, PSN, NAD, and ASA continue to send logs to remaining MnT node
• PAN auto-detects Active MnT failure and retrieves log/report data from Secondary MnT node.
• Full failover to Secondary MnT may take from 5-15 min depending on type of failure.
NADs Monitoring Node (Primary)

MnT data Admin
User
PAN
Syslog from access devices Syslog from ISE nodes

Syslog 20514 PSN
are correlated with are sent for session
user/device session tracking and reporting
Monitoring Node
FW (Secondary)
PXG
• PSN logs are not locally buffered when MnT down unless use TCP/Secure syslog.
Syslog from firewall
(or other user logging device) is • Log DB is not synced between MnT nodes.
correlated with guest session for • Upon return to service, recovered MnT node will not include data logged during outage
activity logging • Backup/Restore required to re-sync MnTBRKSEC-3432
#CLMEL
database © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 399
Log Buffering
TCP and Secure Syslog Targets <2.6
• Default UDP-based audit logging

does not buffer data when MnT is
unavailable.
• TCP and Secure Syslog options can
be used to buffer logs locally
• Note: Overall log performance will
decrease if use these acknowledged
options.
ISE 2.6: Rabbit MQ
A new type of architecture for ISE messaging services
• Move forward in terms of robustness, reliability , Scalability and code quality
• Introduced in 2.6 for Secure Syslog (WAN survivability)
ISE 2.6: Syslogs over ISE Messaging
WAN survivability and securing Syslog using Rabbit MQ
• Syslogs can use secure ISE Messaging
instead of UDP
• Messages buffered on PSN while MNT is
down
• Buffer is 4GB otherwise overflow, 200
per/sec 1kb message, 1.5 hrs filled
• DISABLED for Larger systems
performance issues needs more
hardening before allowed
• Smaller deployments ok ~500tps
ISE 2.6: Syslogs over ISE Messaging
RabbitMQ Topology for Syslogs
• Composed of federate links using AMQPS
• Links are unidirectional
• Links from all nodes to pri-MNT
• Links from all nodes to sec-MNT
• Links between the two MNTs
Custom Logging Targets For Your
Reference
By Default, all PSNs Log to Same Logging Targets
PSN PSN
PSN PSN PSN PSN
PSN PSN PSN PSN
PSN PSN PSN PSN
PSN PSN
PSN PSN
PSN PSN
Custom Logging Targets For Your
Reference
Syslog Forwarder
Syslog Forwarder
PSN PSN
PSN PSN PSN PSN
PSN PSN PSN PSN
PSN PSN PSN PSN
PSN PSN
Syslog Forwarder
PSN PSN
can perform
PSN PSN
custom filtering and
forwarding
Local Logging For Your
Per-PSN Log Targets Log Target = ise-logger.local Reference
(config)# ip host <interface_ip_address> <hostname|FQDN>
10.2.1.10 10.4.1.10
PAN MnT PAN MnT

10.6.1.10
PSN PSN
PSN PSN
PSN PSN PSN PSN
PSN PSN PSN PSN
PSN PSN PSN PSN
(config)# ip host 10.6.1.10 ise-logger.local
10.1.1.10 PSN PSN
(config)# ip host 10.7.1.10 ise-logger.local

PSN PSN
PSN PSN
10.3.1.10 10.5.1.10 10.7.1.10

#CLMEL BRKSEC-3432
pxGrid • Max two pxGrid v1 nodes
HA for pxGrid v1 Clients per deployment
(Publishers) (Active/Standby)
Steady State
Primary Primary Secondary Secondary
PAN MnT PAN MnT
PAN Publisher Topics:

• Controller Admin
• TrustSec/SGA
• Endpoint Profile
TCP/12001
TCP/5222
TCP/5222
MnT Publisher Topics:
• Session Directory
• Identity Group Active Standby
• ANC (EPS) pxGrid pxGrid
• pxGrid clients can be

configured with up to 2
servers for redundancy. TCP/5222
• Clients connect to single pxGrid
active controller for given Client
domain (Subscriber)
pxGrid • Max two pxGrid v1 nodes
HA for pxGrid v1 Clients per deployment
(Publishers) (Active/Standby)
Failover and Recovery
PAN MnT PAN MnT

• TrustSec/SGA
TCP/12001
TCP/5222
TCP/5222
• Identity Group Active Standby
• ANC (EPS) pxGrid pxGrid
If active pxGrid
Controller fails, clients
automatically attempt
connection to standby TCP/5222
pxGrid
controller. Client
(Subscriber)
pxGrid • 2.3: Max two pxGrid v2 nodes/
HA for pxGrid v2 (ISE 2.3+) Clients deployment (Active/Active)
(Publishers) • 2.4: Max 4 nodes (All Active)
Steady State
PAN MnT PAN MnT

• TrustSec/SGA
TCP/12001
TCP/5222
TCP/5222
• Identity Group
Active pxGrid Active pxGrid
• ANC (EPS) Controller #1 Controller #2
• pxGrid clients can be

configured with multiple
servers for redundancy.
• Clients connect to single TCP/5222 pxGrid pxGrid TCP/5222
active controller for given Client #1 Client #2
domain (Subscriber) (Subscriber)
pxGrid HA For Your
Reference
Design Considerations
• Download pxGrid Identity certs from the Primary and Secondary MnT nodes to pxGrid
clients and import both into the Trusted store.
• Specify the hostname of both pxGrid nodes in the pxGrid API.
Example:
./register.sh –keystoreFilename isekeyfile.jks –keystorePassword cisco123
–truststoreFilename rootfile.jks –truststorePassword cisco123
–hostname 10.0.1.33 10.0.2.79
• The pxGrid clients will register to both pxGrid nodes.
• If the pxGrid node registered to the primary goes down, the pxGrid client will continue
communication with the pxGrid registered to the secondary node.
BRKSEC-3697 Advanced ISE Services, Tips and Tricks
(CiscoLive.com/online/connect/search.ww)
2016 Las Vegas - by Aaron Woland
High Availability for

Certificate Services
CA Hierarchy For Your
Reference
ISE 2.0 Introduced Certificate Type Called NODE_CA
• ROOT_CA – The Root CA for the entire ISE PKI

Hierarchy
• NODE_CA – Responsible for issuing the
subordinate EP_CA cert and OCSP cert
• EP_CA – Responsible for issuing
Endpoint identity and device certificates
• OCSP – Responsible for signing the OCSP
responses
• EP_RA – Registration Authority for SCEP to
external CAs
Reference
Multi Node Deployment with 2 PANs and Multiple PSNs
P-PAN
S-PAN
PSN1 PSN2
• NODE_CA on Primary and Secondary PAN are signed by ROOT_CA on the Primary PAN
• NODE_CA on Primary PAN is responsible for signing EP_CA and OCSP cert for all PSNs
Reference
Multi Node Deployment with 2 PANs and Multiple PSNs
P-PAN
Promoted
S-PAN
PSN1 PSN2 PSN3
• NODE_CA on Primary and Secondary PAN are signed by ROOT_CA on the Primary PAN
• NODE_CA on Primary PAN is responsible for signing EP_CA and OCSP cert for all PSNs
• If P-PAN fails and S-PAN promoted, new PSN certs will be signed by S-PAN NODE_CA, but same chain
of trust maintained to ROOT_CA
When Does CA Hierarchy Switch For Your
Reference
from 2 Roots to 1 Root?
• On Fresh Install: YES
• Single Root Hierarchy for all New Installs.
• On Upgrade: NO
• No changes on Upgrade – requires manual switch
• To manually switch to a Single Root Hierarchy:
• Administration > System > Certificate > Certificate Signing Requests > Replace ISE Root CA
• Note: If after an upgrade the administrator does not trigger the “Replace ISE Root CA”
operation, then any new PSN registering into the deployment will get its EP_CA and OCSP
certificates signed by the ROOT CA on the Primary PAN.
• This is same behavior as ISE 1.3/1.4.
For Your
Reference
Export CA Certs from Primary PAN For Your
Reference
# application configure ise
cisco-lab-ise/admin# application configure ise
• Export the CA Selection ISE configuration option

<SNIP>
Root CA
Certs to a [7]Export Internal CA Store
[8]Import Internal CA Store
</SNIP>
Repository [12]Exit
7
Export Repository Name: NAS
Enter encryption-key for export: ########## Sub CA
Export on progress...............
The following 4 CA key pairs were exported to repository 'NAS' at

• Will be an 'ise_ca_key_pairs_of_cisco-lab-ise':
Subject:CN=Certificate Services Root CA - cisco-lab-ise
Encrypted GPG Issuer:CN=Certificate Services Root CA - cisco-lab-ise RA
Serial#:0x6012831a-16794f11-b1248b9b-c7e199ef
Bundle Subject:CN=Certificate Services Endpoint Sub CA - cisco-lab-ise

Issuer:CN=Certificate Services Root CA - cisco-lab-ise
Serial#:0x3e4d9644-934843af-b5167e76-cc0256e0
OCSP
Subject:CN=Certificate Services Endpoint RA - cisco-lab-ise
Issuer:CN=Certificate Services Endpoint Sub CA - cisco-lab-ise
• Four Key Pairs Serial#:0x13511480-9650401a-8461d9d7-5b8dbe17
Subject:CN=Certificate Services OCSP Responder - cisco-lab-ise

Serial#:0x10d18efb-92614084-895097f2-9885313b
ISE CA keys export completed successfully
Import CA Certs from Primary to Secondary PAN
cisco-lab-ise/admin# application configure ise
Selection ISE configuration option

<SNIP>
• After an upgrade, immediately [7]Export Internal CA Store
[8]Import Internal CA Store For Your
</SNIP>
Export/Import CA certs. [12]Exit
Reference
8
Import Repository Name: NAS
• If want original PPAN to stay Primary Enter CA keys file name to import: ise_ca_key_pairs_of_cisco-lab-ise
Enter encryption-key: ########
after upgrade, promote Secondary Import on progress...............
The following 4 CA key pairs were imported:

after CA certs imported. Subject:CN=Certificate Services Root CA - cisco-lab-ise
Serial#:0x6012831a-16794f11-b1248b9b-c7e199ef
• Or… Promote Secondary before Subject:CN=Certificate Services Endpoint Sub CA - cisco-lab-ise
upgrade, upgrade ISE, and then Issuer:CN=Certificate Services Root CA - cisco-lab-ise
Serial#:0x3e4d9644-934843af-b5167e76-cc0256e0
export/import CA certs Subject:CN=Certificate Services Endpoint RA - cisco-lab-ise

Issuer:CN=Certificate Services Endpoint Sub CA - cisco-lab-ise
Serial#:0x13511480-9650401a-8461d9d7-5b8dbe17
• Provides CA redundancy if PPAN fails Subject:CN=Certificate Services OCSP Responder - cisco-lab-ise
and Secondary promoted. Issuer:CN=Certificate Services Root CA - cisco-lab-ise
Serial#:0x10d18efb-92614084-895097f2-9885313b
Stopping ISE Certificate Authority Service...

Starting ISE Certificate Authority Service...
ISE CA keys import completed successfully
Example of Exported Keys For Your
Reference
ISE 2.0 Example with New Root Hierarchy
The following 5 CA key pairs were exported to repository 'disk' at 'ise_ca_key_pairs_of_ise20-pan1':
Subject:CN=Certificate Services Root CA - ise20-pan1
Issuer:CN=Certificate Services Root CA - ise20-pan1 Root CA
Serial#:0x06c4fb0a-812b4f07-8fc3361a-2c57ae24
Subject:CN=Certificate Services Node CA - ise20-pan1

Issuer:CN=Certificate Services Root CA - ise20-pan1 Node CA
Serial#:0x7386ba45-9d754b69-9c82f764-d3263ca7
Subject:CN=Certificate Services Endpoint Sub CA - ise20-pan1

Issuer:CN=Certificate Services Node CA - ise20-pan1
Serial#:0x793e7b17-a0ec40e7-9bfc47f0-974fc909
Sub CA
Subject:CN=Certificate Services Endpoint RA - ise20-pan1
Issuer:CN=Certificate Services Endpoint Sub CA - ise20-pan1
Serial#:0x7e3c09ba-9168441f-a16f219f-6e62cbca RA
Subject:CN=Certificate Services OCSP Responder - ise20-pan1
Issuer:CN=Certificate Services Node CA - ise20-pan1
Serial#:0x08fcc154-b8414b25-a50ca00d-13994488 OCSP
ISE CA keys export completed successfully
Certificate Recovery for ISE Nodes For Your
Reference
Backup all System (Server) Certificates and Key Pairs
• System Certificates for all nodes can be centrally exported with private key pairs from
Primary PAN in case needed fro Disaster Recovery.
OCSP Responder HA For Your
Reference
• Each PSN runs OCSP responder.
• OCSP DB replicated so can point to any PSN, or LB PSN cluster for OCSP HA.
ASA Remote Access VPN Example:

match certificate OCSP_MAP override ocsp trustpoint ISE_Root 1 url http://ise-
ocsp.company.com:2560/ocsp/ #CLMEL BRKSEC-3432 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 421
Each PSN is an OCSP Responder
Load Balancing OCSP Database replication ensures each PSN contains
Sample Flow same info for ISE-issued certificates.
DNS Lookup = ocsp.company.com

DNS PSN
1 DNS Response = 10.1.98.8 Server 10.1.99.5
http://ocsp.company.com ISE-PSN-1
2 http://ocsp. company.com:2560/ocsp @ 10.1.98.8 Load Balancer

PSN
10.1.99.6
https response from ise-psn-3 @ 10.1.99.7
Access VIP: 10.1.98.8 ISE-PSN-2
ASA 4 Device
PSN
1. Authenticator resolves ocsp.company.com to VIP @ 10.1.98.8 10.1.99.7
3
2. OCSP request sent to http://ocsp.company.com:2560/ocsp @ 10.1.98.8
ISE-PSN-3
3. Load balancer forwards request to PSN-3 (OCSP Responder) @ 10.1.99.7
4. Authentication receives OCSP response from PSN-3
For Your
Reference
Each PSN is an OCSP Responder
Load Balancing OCSP Updated Slide with New
Database replication ensures each PSN contains
Icons
same info for ISE-issued certificates.
Sample Flow
DNS Lookup = ocsp.company.com
DNS
1 DNS Response = 10.1.98.8 Server 10.1.99.5
http://ocsp.company.com ISE-PSN-1
Load Balancer
2 http://ocsp. company.com:2560/ocsp @ 10.1.98.8
10.1.99.6
https response from ise-psn-3 @ 10.1.99.7
Access VIP: 10.1.98.8
ASA 4 Device ISE-PSN-2
1. Authenticator resolves ocsp.company.com to VIP @ 10.1.98.8 3 10.1.99.7

2. OCSP request sent to http://ocsp.company.com:2560/ocsp @ 10.1.98.8
3. Load balancer forwards request to PSN-3 (OCSP Responder) @ 10.1.99.7 ISE-PSN-3
4. Authentication receives OCSP response from PSN-3
For Your
Reference
SCEP Load Balancing for BYOD/NSP (ISE 1.2)
If Multiple SCEP CA Servers Defined… For Your
Reference
• Multiple SCEP Profiles supported—Requests load balanced based on load factor.
• Load Factor = Average Response Time x Total Requests x Outstanding Requests
• Average Response Time = Average of last two 20 requests
• SCEP CA declared down if no response after three consecutive requests.
• CA with the next lowest load used; Periodic polling to failed server until online.
SCEP Load Balancing (ISE 1.3+) For Your
Reference
If Multiple SCEP CA Servers Defined…
• SCEP Profile defined in Certificate Template

—only one can be selected.
• Multiple CA URLs supported in each profile
(since ISE 1.3)
• Requests load balanced across CAs
For Your
Reference
High Availability and

Scaling for
ISE SXP Services
ISE SXP HA For Your
Reference
ISE 2.0 supports up to one pair of SXP PSNs (SXPSNs) where both configured for same mappings
and peers.
Each SXPSN in a pair process and “speak” same bindings to same peers.
SXP Listeners receive duplicate bindings (not an issue).
Starting with v2.1, ISE supports two pairs of SXPSNs with bindings to different peers (which can be
controlled via SXP Domains).
SXP Domains provides horizontal scaling as well as control which nodes get bindings. If not match
specific domain, it hits default. If nodes not mapped to domain, they will be dropped.
Configure SXP under PSN services. Total 4 PSNs can be configured with SXP (two pairs).
No validation or limit on # PSNs configured for ISE SXP.
ISE SXP Horizontal Scaling For Your
Reference
ISE 2.1 and Above
PSN1 PSN2
HTTPS
SXPN1 SXPN2
Filtering Filtering
Red Bindings Master Master

Blue Bindings
Table Table
Red/Blue Red/Blue Bindings

Bindings DB DB
Red Devices Blue Devices

For Your
Reference
Scaling ISE SXP
ISE 2.0 ISE 2.1-2.3 ISE 2.4+
Max ISE SXP nodes / redundant pairs 2/1 4/2 8/4
Max ISE SXP Peers per SXPSN 20 100 200
Max ISE SXP Peers per deployment 20 200 800
Max ISE SXP Bindings per SXP PSN 100k 250k 350k
Max ISE SXP Bindings per deployment 100k 500k * 1.4M
In ISE 2.1+, SXP Domains allow the splitting of bindings across multiple SXPSNs.
* Max dynamic bindings limited by max RADIUS session scale.
ISE 2.3 SXP Multi-Service Scaling For Your
Reference
Max SXP Bindings and Peers by Deployment Model and Platform
Max RADIUS
Max # Max ISE SXP
Deployment Model Platform Sessions per Max ISE SXP Bindings
Dedicated PSNs Peers
Deployment
3415 0 5,000 2,500 10
Standalone: 100 per
3495 0 10,000 5,000 20
All personas on same node
3515 0 7,500 3,750 SXPSN 15
(2 nodes redundant)
3595 0 20,000 10,000 pair 25
3415 as PAN+MNT 5/3+2 5,000 2,500 / 5,000 100
Hybrid: PAN + MnT on same
3495 as PAN+MNT 5/3+2 10,000 5,000 / 10,000 100
node; Dedicated PSN
(Minimum 4 nodes redundant) 3515 as PAN+MNT 5/3+2 7,500 3,750 / 7,500 100
3595 as PAN+MNT 5/3+2 20,000 10,000 / 20,000 100
Dedicated PAN and MnT 3495 as PAN and MNT 38 + 2 / 36 + 4 250,000 150,000 / 250,000 100 / 200
(Minimum 6 nodes redundant) 3595 as PAN and MNT 48 + 2 / 46 + 4 500,000 250,000 / 500,000 100 / 200
Max RADIUS Sessions Max ISE SXP
Scaling per SXPSN Platform
per PSN Max ISE SXP Bindings Peers
SNS-3415 1 or 2 5,000 100,000 100
Dedicated SXPSN nodes
SNS-3495 SXPSN 20,000 150,000 100
(Gated by Total Deployment
Scale) SNS-3515 pairs 7,500 150,000 100
SNS-3595 40,000 250,000 100
Share PSNs (up to 5) for RADIUS+SXP OR Dedicate#CLMEL
PSNs to RADIUS (up to 3)©and
BRKSEC-3432
SXP (2 for HA) Services
2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
430
430
Reference
• By Deployment
Max RADIUS
Max # Max ISE SXP Max ISE SXP
Deployment Model Platform Sessions per
Dedicated PSNs Bindings Peers
Deployment
All personas on same 3515 0 7,500 3,500 20
Standalone
node 3595 0 20,000 10,000 30
PAN+MnT+PXG on 3515 as PAN+MNT 5/3+2 7,500 7,500 200
Hybrid same node;
Dedicated PSN 3595 as PAN+MNT 5/3+2 20,000 20,000 220
48 + 2 / 46 + 4 350k / 500k 150 / 300
Each Persona on 3595 as PAN and MNT 44 +6 / 42 + 8 500,000 500k / 500k 450 / 600
Dedicated
Dedicated Node 3595 as PAN and Large 48 + 2 / 46 + 4 350k / 700k 200 / 400
MNT 44 +6 / 42 + 8 500,000 1050k / 1.4M 600 / 800
Share PSNs (up to 5) for RADIUS+SXP OR Dedicate PSNs to RADIUS (up to 3) and SXP (2 for HA) Services
• By Node 1, 2, 3, or 4
SXPSN pairs Max RADIUS Max ISE SXP Max ISE SXP
Sessions per PSN Bindings Peers
Dedicated SXPSN nodes SNS-3515 7,500 200,000 200
(Gated by Total Deployment Size) SNS-3595 40,000 350,000 220
Reference
• By Deployment
Max RADIUS
Max # Max ISE SXP Max ISE SXP
Deployment Model Platform Sessions per
Dedicated PSNs Bindings Peers
Deployment
All personas on same 3515 0 7,500 3,500 20
Standalone
node 3595 0 20,000 10,000 30
PAN+MnT+PXG on 3615 as PAN+MNT 5/3+2 10,000 10,000 200
Hybrid same node; 3655/3695 as
Dedicated PSN PAN+MNT 5/3+2 25,000/50,000 20,000 220
48 + 2 / 46 + 4 350k / 500k 150 / 300
Each Persona on 3655 as PAN and MNT 44 +6 / 42 + 8 500,000 500k / 500k 450 / 600
Dedicated
Dedicated Node 48 + 2 / 46 + 4 350k / 700k 200 / 400
3695 as PAN and MNT 44 +6 / 42 + 8 500,000 (2M) 1050k / 1.4M 600 / 800
Share PSNs (up to 5) for RADIUS+SXP OR Dedicate PSNs to RADIUS (up to 3) and SXP (2 for HA) Services
• By Node 1, 2, 3, or 4
SXPSN pairs Max RADIUS Max ISE SXP Max ISE SXP
Sessions per PSN Bindings Peers
Dedicated SXPSN nodes SNS-3615 10,000 200,000 200
(Gated by Total Deployment Size) SNS-3655/3695 50,000/100,000 350,000 220
For Your
Reference
High Availability and

Scaling for TC-NAC Services
For Your
Reference
TC-NAC HA
• Currently a limit one PSN to service with no HA.
• If try to enable on another PSN, will get notice that another PSN configured.
• TC-NAC is not installed until enable service under PSN for first time.
• Takes ~10 minutes when first enabled.
• Successive changes will simply enable or disable service.
• TC-NAC node always gets info from Active MnT. If Heartbeat fails, then start sync
with new Active (Secondary) MnT node. Will try to failback to Primary.
Vulnerability Assessment Recovery Sequence
Flow Diagram For Your
Reference
ISE 2.3 TC-NAC Multi-Service Scaling For Your
Reference
Max Concurrent TC-NAC Transactions by Deployment Model and Platform
Max PSNs Max Sessions per Max TC-NAC Max VAF Max IRF
(dedicated) Deployment Adapters TPM TPS
3415 0 5,000 1 5 5
Standalone: (all personas on same
3495 0 10,000 1 5 5
node)
(2 nodes redundant) 3515 0 7,500 1 5 5
3595 0 20,000 1 5 5
3415 as PAN+MNT 5/4+1 5,000 1/3 5 / 40 10 / 80
Hybrid: PAN + MnT on same node;
3495 as PAN+MNT 5/4+1 10,000 2/5 10 / 40 20 / 80
Dedicated PSN
(Minimum 4 nodes redundant) 3515 as PAN+MNT 5/4+1 7,500 1/3 5 / 40 10 / 80
3595 as PAN+MNT 5/4+1 20,000 2/5 10 / 40 20 / 80
Dedicated PAN and MnT nodes 3495 as PAN and MNT 39 + 1 250,000 5 40 80
(Minimum 6 nodes redundant) 3595 as PAN and MNT 49 + 1 500,000 5 40 80
Max Sessions per Max VAF Max IRF

Scaling per PSN Platform Max Adapters
PSN TPM TPS
SNS-3415 5,000 3 40 80
SNS-3495 20,000 5 40 80
Dedicated TC-NAC node
SNS-3515 7,500 3 40 80
SNS-3595 40,000 5 40 80
In medium deployment, option to share PSN or dedicate PSN; large deployment assume one PSN dedicated to TC=NAC 436
Reference
• By Deployment
Stand- All personas on 3515 0 7,500 1 5 5
alone same node 3595 0 20,000 1 5 5
PAN+MnT+PXG on 3515 as PAN+MNT+PXG 5/4+1 7,500 1/3 5 / 40 10 / 80
Hybrid same node;
Dedicated PSN 3595 as PAN+MNT+PXG 5/4+1 20,000 2/5 10 / 40 20 / 80
Each Persona on 3595 as PAN and MNT 49 + 1 500,000 5 40 80
Dedicated
Dedicated Node 3595 as PAN and Large MnT 49 + 1 500,000 5 40 80
In medium deployment, option to share PSN or dedicate PSN; large deployment assume one PSN dedicated to TC=NAC
• By PSN
PSN TPM TPS
SNS-3515 7,500 3 40 80
Dedicated TC-NAC node
SNS-3595 40,000 5 40 80
Reference
3615 0 10,000 1 5 5
3655 0 25,000 1 5 5
alone same node
3655 0 50,000 1 5 5
PAN+MnT+PXG on 3615 as PAN+MNT+PXG 5/4+1 10,000 1/3 5 / 40 10 / 80
Hybrid same node; 3655 as PAN+MNT+PXG 5/4+1 25,000 2/5 10 / 40 20 / 80
Dedicated PSN 3655 as PAN+MNT+PXG 5/4+1 50,000 2/5 10 / 40 20 / 80
Each Persona on 3655 as PAN and MNT 49 + 1 500,000 5 40 80
Dedicated
Dedicated Node 3695 as PAN and MnT 49 + 1 500,000 (2M) 5 40 80
• By InPSN
medium deployment, option to share PSN or dedicate PSN; large deployment assume one PSN dedicated to TC=NAC

PSN TPM TPS
SNS-3615 10,000 3 40 80
Dedicated TC-NAC node SNS-3655 50,000 5 40 80
SNS-3695 100,000 5 40 80
PSN Load Balancing
Session Agenda
PSN Load Balancing You Are Here

TACACS+ Design and

Profiling, TACACS+


Sizing Deployments
Load Balancing RADIUS, Web, and Profiling Services
• Policy Service nodes can be configured in a cluster behind a load balancer (LB).
• Access Devices send RADIUS and TACACS+ AAA requests to LB virtual IP.
PSNs
(User
Services)
• N+1 node redundancy assumed

to support total endpoints
during:
–Unexpected server outage
Load
–Scheduled maintenance Balancers
–Scaling buffer
Virtual IP
• HA for LB itself assumed
Network Access Devices VPN
Configure Node Groups for LB Cluster
Place all PSNs in LB Cluster in Same Node Group
• Administration > System > Deployment
2) Assign name (and multicast address if ISE 1.2)
1) Create node group
3) Add individual PSNs to node group
• Node group members can be L2 or L3

• Multicast not required
High-Level Load Balancing Diagram For Your
Reference
DNS AD
External NTP LDAP
ISE-PAN-1 ISE-MNT-1 Logger SMTP MDM
10.1.99.5
VLAN 98 VLAN 99
(10.1.98.0/24) (10.1.99.0/24)
ISE-PSN-1
NAS IP: 10.1.50.2
VIP: 10.1.98.8 LB: 10.1.99.1
10.1.99.6
End User/Device Access Device Load Balancer ISE-PSN-2
10.1.99.7
ISE-PSN-3
ISE-PAN-2 ISE-MNT-2
Traffic Flow—Fully Inline: Physical Separation
Physical Network Separation Using Separate LB Interfaces Fully Inline Traffic Flow
recommended—physical
• Load Balancer is directly inline between PSNs and rest of network. or logical
• All traffic flows through Load Balancer including RADIUS, PAN/MnT,
Profiling, Web Services, Management, 10.1.99.5
Feed Services, MDM, AD, LDAP… VLAN 98 VLAN99
VLAN 99
(10.1.98.0/24)
(External) (10.1.99.0/24)
(Internal)
ISE-PSN-1
NAS IP: 10.1.50.2
VIP: 10.1.98.8 LB: 10.1.99.1
10.1.99.6
End User/Device Access Device Load ISE-PSN-2

Balancer
DNS AD
NTP
10.1.99.7
External LDAP
ISE-PAN ISE-MNT Logger SMTP MDM
ISE-PSN-3
Traffic Flow—Fully Inline: VLAN Separation
Logical Network Separation Using Single LB Interface and VLAN Trunking
Load Balancer
• LB is directly inline between ISE PSNs
and rest of network. VIP: 10.1.98.8
• All traffic flows through LB including RADIUS, 10.1.98.2 10.1.99.1
PAN/MnT, Profiling, Web Services, Management, Feed VLAN 98 VLAN 99 10.1.99.5
Services, MDM, AD, LDAP… (External) (Internal)
10.1.98.1 ISE-PSN-1
NAS IP: 10.1.50.2
10.1.99.6
End User/Device Access Device Network ISE-PSN-2

Switch
DNS AD
NTP
10.1.99.7
External LDAP
ISE-PAN ISE-MNT Logger SMTP MDM
ISE-PSN-3
Partially Inline: Layer 2/Same VLAN (One PSN Interface)
Direct PSN Connections to LB and Rest of Network
Load Balancer
• All inbound LB traffic such RADIUS, Profiling, 10.1.98.2
and directed Web Services sent to LB VIP.
10.1.98.5
• Other inbound non-LB traffic bypasses LB VIP: 10.1.98.8
including redirected Web Services, PAN/MnT, ISE-PSN-1
Management, Feed Services, MDM, AD, LDAP… VLAN 98
10.1.98.6
• All outbound traffic from PSNs NAS IP: 10.1.50.2
sent to LB as DFGW. 10.1.98.1 ISE-PSN-2
10.1.98.7
• LB must be configured
to allow Asymmetric traffic L3 Switch
End User/Device Access Device
ISE-PSN-3
Generally NOT RECOMMENDED due to
DNS AD
traffic flow complexity—must fully External NTP LDAP
understand path of each flow to ensure ISE-PAN ISE-MNT Logger SMTP MDM
proper handling by routing, LB, and
end stations.
Partially Inline: Layer 3/Different VLANs (One PSN Interface)
Direct PSN Connections to LB and Rest of Network For Your
Load Balancer Reference
• All inbound LB traffic such RADIUS, Profiling, 10.1.99.2
and directed Web Services sent to LB VIP VIP: 10.1.98.8
10.1.99.5
• Other inbound non-LB traffic bypasses LB 10.1.98.2
including redirected Web Services, PAN/MnT, VLAN 98 VLAN 99 ISE-PSN-1
Management, Feed Services, MDM, AD, LDAP… (External) (Internal)
10.1.99.6
• All outbound traffic from PSNs NAS IP:
10.1.50.2 10.1.98.1
sent to LB as DFGW. ISE-PSN-2
10.1.99.1
10.1.99.7
• LB must be configured
to allow Asymmetric traffic L3 Switch
ISE-PSN-3
Generally NOT RECOMMENDED due to
DNS AD
traffic flow complexity—must fully External NTP LDAP
understand path of each flow to ensure ISE-PAN ISE-MNT Logger SMTP MDM
proper handling by routing, LB, and
end stations.
Partially Inline: Multiple PSN Interfaces
10.1.99.5 10.1.91.5
Separate PSN Connections to LB and Rest of Network
Load Balancer
ISE-PSN-1
• All LB traffic sent to LB VIP including VIP:
RADIUS, Profiling (except SPAN data), 10.1.98.8
10.1.99.6 10.1.91.6
10.1.99.2
and directed Web Services 10.1.98.2
VLAN 98 VLAN 99 ISE-PSN-2

• All traffic initiated by PSNs sent to (Internal)
(External)
LB as global default gateway 10.1.99.7 10.1.91.7
NAS IP:
10.1.98.1
• Redirected Web 10.1.50.2
Services traffic 10.1.91.1 ISE-PSN-3
bypasses LB
L3 Switch VLAN 91
• For ISE 1.2, End User/Device Access Device (Web Portals)
recommend SNAT redirected
HTTPS traffic at L3 switch DNS AD
External NTP LDAP
• ISE 1.3+ supports symmetric ISE-PAN ISE-MNT Logger SMTP MDM For Your
traffic responses (set default Reference
gateway per interface)
Fully Inline – Multiple PSN Interfaces VLAN 91
(Web Portals)
Network Separation Using Separate LB Interfaces
10.1.91.1
• All traffic sent to LB including Load
RADIUS, Profiling (except SPAN data), Balancer
10.1.99.1 10.1.99.5 10.1.91.5
and directed Web Services 10.1.98.2
VIP: 10.1.98.8
• All traffic initiated by PSNs sent to ISE-PSN-1
LB as global default gateway VLAN 98 VLAN 99
(External) (Internal) 10.1.99.6 10.1.91.6
• LB sends Web NAS IP:
10.1.50.2 10.1.98.1
Services traffic ISE-PSN-2
on separate PSN L3 Switch
interface. 10.1.99.7 10.1.91.7

• For ISE 1.2,
ISE-PSN-3
SNAT Web Services at LB
DNS AD
• ISE 1.3+ supports symmetric External NTP LDAP
ISE-PAN ISE-MNT Logger SMTP MDM For Your
traffic responses (set default Reference
gateway per interface)
PSN Load Balancing For Your
Reference
Sample Topology and Flow
VLAN 98 (10.1.98.0/24) VLAN 99 (10.1.99.0/24)
Request
DNS for
request
service
sent at single
to resolve DNS Lookup = psn-vip.company.com
host ‘psn-
psn-cluster DNS 10.1.99.5
cluster’
FQDN DNS response = 10.1.98.8 Server
ISE-PSN-1
Load Balancer
Request to psn-vip.company.com
10.1.99.6
Response from psn-vip.company.com
VIP: 10.1.98.8 ISE-PSN-2
User Access Device
PSN-VIP
Request sent to Virtual IP Address (VIP) 10.1.99.7

10.1.98.8
Response returned from real server ise- ISE-PSN-3
psn-3 @ 10.1.99.7, then Source NAT’ed
back to VIP @ 10.1.98.8
Load Balancing Policy Services
• RADIUS AAA Services
Packets sent to LB virtual IP are load-balanced to real PSN based on configured algorithm. Sticky algorithm determines method to ensure
same Policy Service node services same endpoint.
• Web Services:
• URL-Redirected: Posture (CPP) / Central WebAuth (CWA) / Native Supplicant Provisioning (NSP) / Hotspot / Device
Registration WebAuth (DRW), Partner MDM.
No LB Required! PSN that terminates RADIUS returns URL Redirect with its own certificate CN name substituted for ‘ip’ variable in
URL.
Direct HTTP/S: Local WebAuth (LWA) / Sponsor / MyDevices Portal, OCSP
Single web portal domain name should resolve to LB virtual IP for http/s load balancing.
• Profiling Services: DHCP Helper / SNMP Traps / Netflow / RADIUS

LB VIP is the target for one-way Profile Data (no response required). VIP can be same or different than one used by RADIUS LB; Real
server interface can be same or different than one used by RADIUS
• TACACS+ AAA Services: (Session and Command Auth and Accounting)

LB VIP is target for TACACS+ requests. T+ not session based like RADIUS, so not required that requests go to same PSN
Load Balancing
RADIUS
Load Balancing RADIUS
Sample Flow
VLAN 98 (10.1.98.0/24) VLAN 99 (10.1.99.0/24)
10.1.99.5
1 radius-server host 10.1.98.8
ISE-PSN-1
Load Balancer
2 AUTH request
RADIUS ACCTG requesttoto10.1.98.8
10.1.98.8
10.1.99.6
AUTH response
RADIUS ACCTG responsefrom
from10.1.98.8
10.1.98.8
VIP: 10.1.98.8 ISE-PSN-2
User 4 5
Access Device
PSN-CLUSTER
1. NAD has single RADIUS Server defined (10.1.98.8) 10.1.99.7

2. RADIUS Auth requests sent to VIP @ 10.1.98.8
3. Requests for same endpoint load balanced to same PSN via sticky based on RADIUS
3
ISE-PSN-3
Calling-Station-ID and Framed-IP-Address
4. RADIUS response received from VIP @ 10.1.98.8
(originated by real server ise-psn-3 @ 10.1.99.7 and source translated by LB)
5. RADIUS Accounting sent to/from same PSN based on sticky
Load Balancer General RADIUS Guidelines For Your
Reference
RADIUS Servers and Clients – Where Defined PSNs are RADIUS Servers for
Health Probes
ISE Admin Node > Network Devices Name PSN-Probe
(RADIUS Clients) Type RADIUS
ISE-PAN-1 ISE-MNT-1
Interval 15
Timeout 46
User Name radprobe
Password cisco123
Alias Service Port 1812
ISE-PSN-1
NAS IP: 10.1.50.2
VIP: 10.1.98.8
10.1.99.1
User Access Device F5 LTM ISE-PSN-2

Load Balancer
Load Balancer VIP is RADIUS Server
radius-server host 10.1.98.8 auth-port 1812 acct-port
1813 test username radtest ignore-acct-port key cisco123 ISE-PSN-3
Add LB as NAD for RADIUS Health Monitoring
Administration > Network Resources > Network Devices
For Your
• Configure Self IP address of LB Internal Reference
interface connected to PSN RADIUS interfaces.
• Enable Authentication and set RADIUS shared 10.1.99.1
secret.
ISE-PSN-1
10.1.99.1
F5 LTM ISE-PSN-2
Load Balancer
ISE-PSN-3
Load Balancer Persistence (Stickiness) Guidelines
Persistence Attributes
• Common RADIUS Sticky Attributes
o Client Address
➢ Calling-Station-ID MAC Address=00:C0:FF:1A:2B:3C
➢ Framed-IP-Address IP Address=10.1.10.101
Device
o NAD Address 10.1.50.2 VIP: ISE-PSN-1
➢ NAS-IP-Address Session: 00aa…99ff 10.1.98.8
➢ Source IP Address
o Session ID
➢ RADIUS Session ID
Access Device Load Balancer ISE-PSN-2
➢ Cisco Audit Session ID
o Username User Username=jdoe@company.com
• Best Practice Recommendations (depends on LB support and design)

1. Calling-Station-ID for persistence across NADs and sessions ISE-PSN-3
2. Source IP or NAS-IP-Address for persistence for all endpoints connected to same NAD
3. Audit Session ID for persistence across re-authentications
Load Balancer Stickiness Guidelines
Config Examples Based on Calling-Station-ID (MAC Address)
• Cisco ACE Example:

sticky radius framed-ip calling-station-id RADIUS-STICKY
serverfarm ise-psn
• F5 LTM iRule Example:

ltm rule RADIUS_iRule { Be sure to monitor load balancer
when CLIENT_ACCEPTED {
persist uie [RADIUS::avp 31]
resources when performing
}} advanced parsing.
• Citrix NetScaler Example:

add lb vserver radius-auth RADIUS 172.16.0.16 1812 -rule "CLIENT.UDP.RADIUS.ATTR_TYPE(31)" -cltTimeout 120
add lb vserver radius-acct RADIUS 172.16.0.16 1813 -rule "CLIENT.UDP.RADIUS.ATTR_TYPE(31)" -cltTimeout 120
set lb group RADIUS-Calling-Station-ID -persistenceType RULE -rule "CLIENT.UDP.RADIUS.ATTR_TYPE(31)
Ensure NAD Populates RADIUS Attributes For Your
Reference
Cisco WLC Example
• WLC sets Calling-
Station-ID to MAC
Address for RADIUS
NAC-enabled WLANs
• General
recommendation is to
set Acct Call Station ID
to System MAC
Address
• Auth Call Station ID
Type may not be
present in earlier
software versions
LB Fragmentation and Reassembly
Be aware of load balancers that do not reassemble RADIUS fragments!
Also watch for fragmented packets that are too small. LBs have min allowed frag size and will drop !!!
• Example: EAP-TLS with large certificates LB on Call-ID

IP RADIUS Frag1
• Need to address path fragmentation or persist on source IP
IP RADIUS w/BigCert IP Fragment #1 IP Fragment #2
Calling-Station-ID + Certificate Part 1 Certificate Part 2

IP RADIUS Frag2
• ACE reassembles RADIUS packet.
LB on Source IP
• F5 LTM reassembles packets by default except for FastL4 Protocol (No Calling ID in RADIUS
• Must be manually enabled under the FastL4 Protocol Profile packet)
• Citrix NetScaler fragmentation defect—Resolved in NetScaler 10.5 Build 50.10

• Issue ID 429415 addresses fragmentation and the reassembly of large/jumbo frames
LB Fragmentation and Reassembly
Watch for packet fragments smaller than LB will accept!
• Example: Intermediate switch/gateway fragments packets below LB minimum

• Need to address path fragmentation or change LB min fragment size
IP RADIUS w/BigCert IP Frag1 IP Frag2 IP Frag3 IP Frag4
LB min frag
Switch with Fragments <= 512 bytes size = 576
low MTU
bytes
• ACE: fragment min-mtu <bytes> (default 576 bytes)
• F5 LTM: # tmsh modify sys db tm.minipfragsize value 1
• Pre-11.6: Default = 576 bytes
• 11.6.0+: Default = 566 bytes
NAT Restrictions for RADIUS Load Balancing
Why Source NAT (SNAT) Fails for NADs SNAT results in less visibility as all requests appear sourced from
LB – makes troubleshooting more difficult.
• With SNAT, LB appears as the Network Access

Device (NAD) to PSN.
• CoA sent to wrong IP address
NAS IP Address is correct, User Story 8601 : CoA

but not currently used support for NAT'ed load
for CoA balanced environments
SNAT of NAD Traffic: Live Log Example
Auth Succeeds/CoA Fails: CoA Sent to Load Balancer and Dropped
Allow Source NAT for PSN CoA Requests
Simplifying Switch CoA Configuration
• Match traffic from PSNs to UDP/1700 or UDP/3799
(RADIUS CoA) and translate to PSN cluster VIP.
CoA SRC=10.1.99.5
• Access switch config: 10.1.99.5
• Before:
CoA SRC=10.1.98.8 ISE-PSN-1
aaa server radius dynamic-author
client 10.1.99.5 server-key cisco123 10.1.99.6
client 10.1.99.7 server-key cisco123 Access Load ISE-PSN-2
client 10.1.99.8 server-key cisco123 Switch Balancer
client 10.1.99.10 server-key cisco123
<…one entry per PSN…> 5
ISE-PSN-3
• After:
aaa server radius dynamic-author 10.1.99.x
client 10.1.98.8 server-key cisco123
ISE-PSN-X
Allow Source NAT for PSN CoA Requests For Your
Reference
Cisco ACE Load Balancer Example
access-list NAT-COA line 5 extended permit udp 10.1.99.0 255.255.255.248 any eq 1700
class-map match-any NAT-CLASS
2 match access-list NAT-COA
policy-map multi-match NAT-POLICY
class NAT-CLASS
nat dynamic 1 vlan 98
interface vlan 98
description NAD-SIDE
nat-pool 1 10.1.98.8 10.1.98.8 netmask 255.255.255.255 pat
interface vlan 99
description PSN-CLUSTER
service-policy input NAT-POLICY
Reference
F5 LTM Load Balancer Example
ltm virtual /NAD_ICommon/RADIUS-COA-SNAT {
destination /Common/10.0.0.0:1700
ip-protocol udp ltm snatpool /Common/radius_coa_snatpool {
mask 255.0.0.0 members {
profiles { /Common/10.1.98.8
/Common/udp { } }
} }
source 10.1.99.0/27
source-address-translation {
pool /Common/radius_coa_snatpool
type snat
}
translate-address disabled
translate-port enabled
Reference
Citrix NetScaler Load Balancer Example
add ns acl COA-NAT ALLOW -srcIP = 10.1.99.5-10.1.99.18 -destPort = 1700 -protocol

UDP -priority 10
apply ns acls
set rnat COA-NAT -natIP 10.1.98.8
Allow Source NAT for PSN CoA Requests
Simplifying WLC CoA Configuration Simplifies config and
reduces # ACL entries
• Before: • After required to permit access
to each PSN
One RADIUS Server entry required per One RADIUS Server entry required
PSN that may send CoA from behind per load balancer VIP.
load balancer
NAT Guidelines for ISE RADIUS Load Balancing
To NAT or Not To NAT?
That is the Question! ISE-PAN-1 ISE-MNT-1 No NAT
10.1.99.5
VLAN 98 VLAN 99
(10.1.98.0/24) (10.1.99.0/24)
ISE-PSN-1
NAS IP: 10.1.50.2 Load Balancer
VIP: 10.1.98.8 LB: 10.1.99.1
10.1.99.6
Access Device ISE-PSN-2

User RADIUS AUTH RADIUS AUTH COA
NAS-IP =10.1.50.2 Remove
NAD is
SNAT for NAD NAS-IP =10.1.50.2
SRC-IP =10.1.50.2 Source→→
Source
SRC-IP =10.1.99.1
=10.1.50.2
is BAD!
DST-IP =10.1.98.8 NAT
NATted DST-IP =10.1.99.7 5 10.1.99.7
ISE-PSN-3
RADIUS COA RADIUS COA
SNAT for CoA
SRC-IP =10.1.98.8 SRC-IP =10.1.99.7
is Okay! DST-IP =10.1.50.2
DST-IP =10.1.50.2
Load Balancing
ISE Web Services
Load Balancing with URL-Redirection
URL Redirect Web Services: Hotspot/DRW, CWA, BYOD, Posture, MDM
DNS Lookup = ise-psn-3.company.com

DNS
4 DNS Response = 10.1.99.7 Server
10.1.99.5
ISE-PSN-1
Load Balancer
1 RADIUS request to psn-vip.company.com
10.1.99.6
RADIUS response from psn-vip.company.com
User
3
Access Device VIP: 10.1.98.8 ISE-PSN-2
https://ise-psn-3.company.com:8443/... PSN-CLUSTER
2
5 HTTPS response from ise-psn-3.company.com
10.1.99.7
1. RADIUS Authentication requests sent to VIP @ 10.1.98.8 ISE-PSN-3

2. Requests for same endpoint load balanced to same PSN via RADIUS sticky.
3. RADIUS Authorization received from VIP @ 10.1.98.8 (originated by ise-psn-3 @ ISE Certificate
10.1.99.7 with URL Redirect to https://ise-psn-3.company.com:8443/... Subject CN =
4. Client browser redirected and resolves FQDN in URL to real server address. ise-psn-3.company.com
5. User sends web request directly to same PSN that serviced RADIUS request.
Load Balancing URL-Redirected Services
When and How to Override Default URL Redirection from Client to PSN
• Use Cases for LB to Terminate redirected HTTPS Requests
• Obfuscate PSN node names/IP addresses. (Do not want PSN name exposed to browser)
• Ability to use a different certificate for user facing connection
• Apply security inspections on web-based requires
• As a way to secure PSN interfaces in DMZ.
• Requires Authorization Profile be configured with Static Hostname option.

• Load Balancer must be able to persist web request to same PSN that serviced RADIUS
session Common methods (else rely on ISE policy logic):
• LB includes Framed-IP-Address with RADIUS sticky; correlates Framed-IP to HTTPS source IP
• LB includes Session Id with RADIUS sticky; correlates Session Id in web request
url-redirect=https://<PSN_CN>:8443/guestportal/gateway?sessionId=SessionIdValue&action=cwa
Note: Since ISE assumes HTTPS for web access, offload cannot be used to increase SSL
performance. Load Balancer must reestablish SSL connection to real PSN servers.
URL Redirection Using Static IP/Hostname
Overriding Automatic Redirection to PSN IP Address/FQDN
• Allows static IP or FQDN value to be returned for CWA or other URL-Redirected Flows
• Common use case: Public DNS or IP address (no DNS available) must be used while preserving
variable substitution for port and sessionId variables.
Policy > Policy Elements > Results > Authorization > Authorization Profiles
DMZ PSN Certificate must match IP/Static FQDN
Specified IP Address/Hostname MUST point to the same
PSN that terminates the RADIUS session.
If multiple PSNs, requires LB persistence or AuthZ Policy
logic to ensure redirect occurs to correct PSN.
Load Balancing Non-Redirected Web Services For Your
Reference
Direct Web Services: Sponsor, My Devices, LWA, OCSP
DNS Lookup = sponsor.company.com

DNS 10.1.99.5
1 DNS Response = 10.1.98.8 Server
https://sponsor.company.com ISE-PSN-1
Load Balancer
2 https://sponsor. company.com @ 10.1.98.8
10.1.99.6
https response from VIP @ 10.1.98.8
Access VIP: 10.1.98.8
SPONSOR ISE-PSN-2
4 Device PSN-CLUSTER
10.1.99.7
1. Browser resolves sponsor.company.com to VIP @ 10.1.98.8 3

ISE-PSN-3
2. Web request sent to https://sponsor.company.com @ 10.1.98.8
3. ACE load balances request to PSN based on IP or HTTP sticky
4. HTTPS response received from ise-psn-3 @ 10.1.99.7 → translated to
VIP @ 10.1.98.8 when passes through LB.
ISE Certificate without SAN For Your
Reference
Certificate Warning - Name Mismatch
http://sponsor.company.com DNS Lookup = sponsor.company.com

DNS 10.1.99.5
DNS Response = 10.1.98.8 Server
ISE-PSN-1
SPONSOR 10.1.98.8
http://sponsor.company.com
10.1.99.6
https://sponsor.company.com:8443/sponsorportal
ISE Certificate ISE-PSN-2
Load Balancer
Subject =
ise-psn-3.company.com
Name Mismatch! 10.1.99.7
Requested URL = sponsor.company.com
Certificate Subject = ise-psn-3.company.com
ISE-PSN-3
ISE Certificate with SAN For Your
Reference
No Certificate Warning
http://sponsor.company.com DNS Lookup = sponsor.company.com

DNS 10.1.99.5
DNS Response = 10.1.98.8 Server
ISE-PSN-1
SPONSOR 10.1.98.8
http://sponsor.company.com
10.1.99.6
https://sponsor.company.com:8443/sponsorportal
ISE Certificate Load Balancer ISE-PSN-2

Subject =
ise-psn.company.com
SAN= Certificate OK! 10.1.99.7
ise-psn-1.company.com Requested URL = sponsor.company.com
ise-psn-2.company.com Certificate SAN = sponsor.company.com
ise-psn-3.company.com ISE-PSN-3
sponsor.company.com
Load Balancing Preparation For Your
Reference
Configure DNS and Certificates
• Configure DNS entry for PSN cluster(s) and assign VIP IP address.
Example: psn-vip.company.com
DNS SERVER: DOMAIN = COMPANY.COM
PSN-VIP IN A 10.1.98.8
SPONSOR IN A 10.1.98.8
MYDEVICES IN A 10.1.98.8
ISE-PSN-1 IN A 10.1.99.5
ISE-PSN-2 IN A 10.1.99.6
ISE-PSN-3 IN A 10.1.99.7
• Configure ISE PSN server certs with Subject Alternative

Name configured for other FQDNs to be used by LB VIP
or optionally use wildcards.
Example
Example certificate SAN: ise-psn-1.company.com certificate with
psn-vip.company.com multiple FQDN
sponsor.company.com values in SAN.
guest.company.com
“Universal Certs” psn.ise.company.com
*.ise.company.com
UCC or Wildcard SAN Certificates

Check box to use wildcards
CN must also exist in SAN

ise-psn ise-psn/Admin
Universal Cert options:

• UCC / Multi-SAN
• Wildcard SAN
ise-psn.company.com
mydevices.company.com Other FQDNs or wildcard as

sponsor.company.com
“DNS Names”
#CLMEL BRKSEC-3432 IP Address is also option
ISE Certificates For Your
Reference
General Best Practices
• Make sure all certificate CN names can be resolved by DNS

• Use lower case for appliance hostname, DNS name, certificate CN
• ISE cert CSR: Use format “CN=<FQDN>” for subject name
• Ensure time is synced – Use NTP with TZ-UTC for all nodes
• Signed by Trusted CA – required for each node
• For external users/guests, certs should be signed by 3rd-party CA
• Install entire certificate chains as individual certs into ISE trust store
• For Web admin, node communications, web portals, PEAP negotiation, select HTTPS option for
server certificate—currently limited to one cert
• For EAP-TLS, enable “Trust for client authentication” for trusted certs
• Use PEM, not DER encoding for import/export operations.
Load Balancer NAT Guidelines for Web Traffic For Your
Reference
URL-Redirected Traffic with Single PSN Interface
• No NAT Required • RADIUS

• Allow web portal traffic direct to PSN without NAT • Guest Portals
10.1.99.0/24
10.1.98.0/24 .5 .6 .7 .x
.1 .8 .1
10.1.10.0/24
Load Balancer ISE-PSN-1 ISE-PSN-2 ISE-PSN-3 ISE-PSN-X
User
RADIUS session load-balanced to PSN @ 10.1.99.6
URL Redirect automatically includes FQDN/Interface IP of same PSN @ 10.1.99.6

https://ise-psn-2.company.com:8443/guestportal/Login...
Browser traffic redirected to IP for ise-psn-2.company.com:

https://10.1.99.6:8443/guestportal/Login...
Dedicated Web Interfaces under ISE 1.3+ For Your
Reference
Direct Access and URL-Redirected Traffic with Dedicated PSN Web Interfaces
RADIUS session load-balanced to PSN @ 10.1.99.6

10.1.99.0/24
User A 10.1.10.0/24 10.1.98.0/24 .5 .6 .7 .x

.1 .8 .1
10.1.11.0/24 Load
L3 Switch
.1 Balancer ISE-PSN-1 ISE-PSN-2 ISE-PSN-3 ISE-PSN-X
.1
User B .5 .6 .7 .x
10.1.12.0/24
10.1.91.0/24
Response to traffic received on an interface sent out same interface if default

User C
route exists for interface: No SNAT required!
Default route 0.0.0.0/0 10.1.99.1 eth0

Default route 0.0.0.0/0 10.1.91.1 eth1
Dedicated Web Interfaces under ISE 1.3+ For Your
Reference
Symmetric Traffic Flows
• Configure default routes for each interface to support symmetric return traffic
ise24-psn-x/admin# config t
Enter configuration commands, one per line. End with CNTL/Z.
ise13-psn-x/admin(config)# ip route 0.0.0.0 0.0.0.0 gateway 10.1.91.1
• Validate new default route

ise24-psn-x/admin# sh ip route What is default route for
outbound connections when
Destination Gateway Iface
multiple default routes
----------- ------- -----
10.1.91.0/24 0.0.0.0 eth1 configured?
10.1.99.0/24 0.0.0.0 eth0
default 10.1.91.1 eth1 ISE 1.3/1.4: Round-robin
default 10.1.99.1 eth0 ISE 2.0: ip default-gateway
For Your
Reference
SSL Certificates for Internal Server Names
After November 1, 2015 Certificates for Internal Names Will No Longer Be Trusted
In November 2011, the CA/Browser Forum (CA/B) adopted Baseline Requirements for the Issuance
and Management of Publicly-Trusted Certificates that took effect on July 1, 2012. These
requirements state:
CAs should notify applicants prior to issuance that use of certificates with a Subject Alternative Name
(SAN) extension or a Subject Common Name field containing a reserved IP address or internal server
name has been deprecated by the CA/B
CAs should not issue a certificate with an expiration date later than November 1, 2015 with a SAN or
Subject Common Name field containing a reserved IP address or internal server Name
Source: Digicert – https://www.digicert.com/internal-names.htm
Use Publicly-Signed Certs for Guest Portals! For Your
Reference
• Starting in ISE 1.3, HTTPS cert

for Admin can be different
from web portals Redirection based on first
• Guest portals can use a service-enabled interface;
different, public certificate if eth0, return host FQDN;
else return interface IP.
• Admin and internal employee
portals (or EAP) can still use
certs signed by private CA.
c Group
Public Portal Certificate
Certs assigned to this
group signed by 3rd-
party CA
CWA Example For Your
Reference
DNS and Port Settings–Single Interface Enabled for Guest Portal
• CWA Guest Portal access for ISE-PSN-1 configured for eth1
• IP Address for eth1 on ISE-PSN-1 is 10.1.91.5

ISE Node IP Address Interface
ISE-PSN-1 10.1.99.5 # eth0
ISE-PSN-1 10.1.91.5 # eth1
ISE-PSN-1 10.1.92.5 # eth2
ISE-PSN-1 10.1.93.5 # eth3
ISE-PSN-1 10.1.94.5 # eth4 I have a feeling this is
ISE-PSN-1 10.1.95.5 # eth5
going to end badly!
• Resulting URL Redirect = ???https://10.1.91.5:8443/...
CWA Example with FQDNs in SAN For Your
Reference
URL Redirection Uses First Guest-Enabled Interface (eth1) Admin/RADIUS:
eth0: 10.1.99.5
1. RADIUS Authentication requests sent to ise-psn1 @ 10.1.99.5. ISE-PSN1
2. RADIUS Authorization received from ise-psn1 @ 10.1.99.5 with
URL Redirect to https://10.1.91.5:8443/...
3. User sends web request directly to ise-psn1 @ 10.1.99.5.
4. User receives cert name mismatch warning.
1 RADIUS request to ise-psn1 @ 10.1.99.5

RADIUS authorization: URL redirect =
https://10.1.91.5:8443/...
User
2
Access Device
https://10.1.91.5:8443/... L3 Switch
3 HTTPS response from 10.1.91.5 Guest

eth1: 10.1.91.5
Name Mismatch!
MyDevices
ISE Certificate Requested URL = 10.1.91.5
eth2: 10.1.92.5
Subject=
Certificate SAN = ise-psn1.comany.com
ise-psn1.company.com 4 = sponsor.company.com Sponsor
SAN = = mydevices.company.com eth3: 10.1.93.5
ise-psn1.company.com
sponsor.company.com
mydevices.company.com #CLMEL BRKSEC-3432 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 485
Interface Aliases For Your
Reference
Specify alternate hostname/FQDN for URL redirection
• Aliases assigned to interfaces using ip host global config command in ADE-OS:

(config)# ip host <interface_ip_address> <hostname|FQDN> <hostname|FQDN>
• Up to two values can be specified—hostname and/or FQDN; if specify hostname, then globally
configured ip domain-name appended for use in URL redirection.
→ FQDN can have different domain than global domain!!!
• GigabitEthernet1 (GE1) Example:
ise-psn1/admin(config)# ip host 10.1.91.5 ise-psn1-guest ise-psn1-guest.company.com
• Host entry for Gigabit Ethernet 0 (eth0) cannot be modified

• Use show run to view entries; Use no ip host <ip_address> to remove entry.
• Change in interface IP address or alias requires application server restart.
Interface Alias Example For Your
Reference
DNS and Port Settings – Single Interface Enabled for Guest
• Interface eth1 enabled for Guest Portal

• (config)# ip host 10.1.91.5 ise-psn1-guest.company.com FQDN with
• URL redirect = https://ise-psn1-guest.company.com:8443/... Publicly-Signed
Cert
• Guest DNS resolves FQDN to correct IP address
DNS SERVER
DNS SERVER DOMAIN = COMPANY.LOCAL
DOMAIN = COMPANY.COM
ISE-PSN1 IN A 10.1.99.5 # eth0
ISE-PSN1-GUEST IN A 10.1.91.5 # eth1 ISE-PSN1-MDP IN A 10.1.92.5 # eth2
ISE-PSN1-SPONSOR IN A 10.1.93.5 # eth3
ISE-PSN2-GUEST IN A 10.1.91.6 # eth1
ISE-PSN3-GUEST IN A 10.1.91.7 # eth1 ISE-PSN2-MDP IN A 10.1.92.6 # eth2
ISE-PSN2-SPONSOR IN A 10.1.93.6 # eth3

ISE-PSN3-MDP IN A 10.1.92.7 # eth2
#CLMEL ISE-PSN3-SPONSOR
BRKSEC-3432
IN A 10.1.93.7
# eth3
CWA Example using Interface Alias For Your
Reference
URL Redirection Uses First Guest-Enabled Interface (eth1) Admin/RADIUS:
eth0: 10.1.99.5
1. RADIUS Authentication requests sent to ise-psn1 @ 10.1.99.5.
ISE-PSN1
2. RADIUS Authorization received from ise-psn1 @ 10.1.99.5 with
URL Redirect to https://ise-psn1-guest:8443/...
3. DNS resolves alias FQDN ise-psn1-guest to 10.1.91.5 and sends web request
to ise-psn1-guest @ 10.1.99.5.
4. No cert warning received since SAN contains interface alias FQDN.
1 RADIUS request to ise-psn1 @ 10.1.99.5

RADIUS authorization: URL redirect =
https://ise-psn1-guest.company.com:8443/...
User
2
Access Device
L3 Switch
https://ise-psn1-guest.company.com:8443/...
3 HTTPS response from 10.1.91.5 All Web Portals
eth1: 10.1.91.5
Certificate OK!
ISE Certificate All Web Portals
Requested URL = ise-psn1-guest.company.com eth2: 10.1.92.5
Subject = Certificate SAN = ise-psn1-guest.company.com
ise-psn1.company.com
4 All Web Portals
SAN= ise-psn1- eth3: 10.1.93.5
guest.company.com
Could also use wildcard SAN or UCC cert
For Your
Reference
Load Balancing
SAML SSO Logins to ISE
Web Services
Load Balancing SAML Requests to ISE PSNs For Your
Reference
SAML SSO for ISE Web Portals
• Advantages:
• Easy configuration at the Identity Provider side; Ideal for multi-node deployments
• Only single ‘reply URL’ needed to be configured at the identity provider side
Azure Example
Load Balancing SAML For Your
Reference
Flow
• SAML IDP sends requests to LB

• LB forwards request to some
PSN in LB pool
• PSN reads
“SAML Relay State”
• If intended
target, then
process request
• If NOT intended
target, redirect
user to correct PSN
For Your
SAML IDP Reference
Employee machine need to have
resolution of the IDP server
(could be located at the cloud)
Load Balancer
Step 1. MAB Step 2. layer 3 redirect to (PSN 1)

authentication specific ISE Guest Portal
Step 3. Guest sends HTTP Redirects to the

IDP
Step 5. Guest portal is called with the Step 6. request redirected to different ISE
load balancer host name node (PSN 2)
Step 7. PSN 2 portal sends HTTP redirect to the correct ISE node (PSN 1) (using SAML relay state) ….
From here the session is enabled and flow continues
Load Balancing
ISE Profiling Services
Load Balancing Profiling Services
Sample Flow
DHCP Request to Helper IP 10.1.1.10 DHCP

2 Server
10.1.99.5
DHCP Response returned from DHCP Server
3
ISE-PSN-1
Load Balancer
DHCP Request to Helper IP 10.1.98.8
1 2
10.1.99.6
User Access Device VIP: 10.1.98.8 ISE-PSN-2

PSN-CLUSTER
4 10.1.99.7
1. Client OS sends DHCP Request
2. Next hop router with IP Helper configured forwards DHCP request to real ISE-PSN-3
DHCP server and to secondary entry = LB VIP
3. Real DHCP server responds and provide client a valid IP address
4. DHCP request to VIP is load balanced to PSN @ 10.1.99.7 based on source IP
stick (L3 gateway) or DHCP field parsed from request.
Load Balancing Simplifies Device Configuration
L3 Switch Example for DHCP Relay
• Before !
interface Vlan10
description EMPLOYEE
ip address 10.1.10.1 255.255.255.0
ip helper-address 10.1.100.100 <--- Real DHCP Server
ip helper-address 10.1.99.5 <--- ISE-PSN-1
ip helper-address 10.1.99.6 <--- ISE-PSN-2
! Settings apply to each L3
interface servicing DHCP
• After ! endpoints
interface Vlan10
description EMPLOYEE
ip address 10.1.10.1 255.255.255.0
ip helper-address 10.1.100.100 <--- Real DHCP Server
ip helper-address 10.1.98.8 <--- LB VIP
!
Load Balancing Simplifies Device Configuration For Your
Reference
Switch Example for SNMP Traps
• Before !
snmp-server trap-source GigabitEthernet1/0/24
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification change move
snmp-server host 10.1.99.5 version 2c public mac-notification snmp
!
• After !
snmp-server trap-source GigabitEthernet1/0/24
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification change move
!
Profiling Services using Load Balancers For Your
Reference
Which PSN Services Processes Profile Data?
• Profiling Probes
The following profile data can be load balanced to PSN VIP but may not be processed by same PSN that terminated
RADIUS:
• DHCP IP Helper to DHCP probe
Option to leverage Anycast to reduce log
• NetFlow export to NetFlow Probe
targets and facilitate HA
• SNMP Traps
• SNMP Query Probe (triggered)

PSNs configured to send SNMP Queries will send query to NAD that sent RADIUS or SNMP Trap which triggered query.
Therefore, SNMP Query data processed by same PSN that terminated RADIUS request for endpoint.
• SNMP Query Probe (polled)

Not impacted by load balancing, although possible that PSN performing polled query is not same PSN that terminates
RADIUS for newly discovered endpoints. PSN will sync new endpoint data with Admin. Since poll typically conducted at
longer intervals, this should not impact more real-time profiling of endpoints.
Profiling Services using Load Balancers (Cont.) For Your
Reference
Which PSN Services Process Profile Data?
• DNS Probe
Submitted by same PSN which obtains IP data for endpoint. Typically the same PSN that processes RADIUS, DHCP, or
SNMP Query Probe data.
• NMAP Probe
Submitted by same PSN which obtains data which matches profile rule condition.
• HTTP (via URL redirect)

URL redirect will point to PSN that terminates RADIUS auth so HTTP data will be parsed by same PSN.
• DHCP SPAN or HTTP SPAN

Since mirror port is associated to a specific interface on real PSN, cannot provide HA for SPAN data unless configure
multiple SPAN destinations to separate PSNs. No guarantee that same PSN that collects SPAN data terminates RADIUS
session.
Load Balancing Sticky Guidelines
Ensure DHCP and RADIUS for a Given Endpoint Use Same PSN
Persistence Cache:
11:22:33:44:55:66 -> PSN-3 10.1.99.5
ISE-PSN-1
MAC: 11:22:33:44:55:66 F5 LTM
RADIUS request to VIP
1 2
10.1.99.6
User
NAD RADIUS response from PSN-3
VIP: 10.1.98.8 ISE-PSN-2
DHCP Request IP Helper sends DHCP to VIP
3 4
5 10.1.99.7
1. RADIUS Authentication request sent to VIP @ 10.1.98.8.
2. Request is Load Balanced to PSN-3, and entry added to Persistence Cache ISE-PSN-3
3. DHCP Request is sent to VIP @ 10.1.98.8
4. Load Balancer uses the same “Sticky” as RADIUS based on client MAC address
5. DHCP is received by same PSN, thus optimizing endpoint replication
Live Log Output for Load Balanced Sessions
Synthetic Transactions
• Batch of test authentications generated from Catalyst switch:

# test aaa group radius radtest cisco123 new-code count 100
All RADIUS sent to LB

VIP @ 10.1.98.8
Requests evenly
distributed across real
servers:
ise-psn-1
ise-psn-2
ise-psn-3
Live Log Output for Load Balanced Sessions For Your
Reference
Real Transactions
• All RADIUS sent to LB VIP @ 10.1.98.10

1• All phone auth is load balanced from VIP to ise-psn-3 @ 10.1.99.7
2• All PC auth is load balanced to ise-psn-1 @ 10.1.99.5; URL Redirect traffic sent to same PSN.
3• CoA is sent from same PSN that is handling the auth session.
4• dACL downloads are sent from switch itself without a Calling-Station-Id or Framed-IP-Address. Request can be load
balanced to any PSN. Not required to pull dACL from same PSN as auth.
3
4 2
1
ISE and Load Balancers For Your
Reference
Failure Scenarios
• The VIP is the RADIUS Server, so if the entire VIP is down, then the NAD should fail over to the
secondary Data Center VIP (listed as the secondary RADIUS server on the NAD).
• Probes on the load balancers should ensure that RADIUS is responding as well as HTTPS, at a
minimum.
• Validate that RADIUS responds, not just that UDP/1812 & UDP/1813 are open
• Validate that HTTPS responds, not just that TCP/8443 is open
• Upon detection of failed node using probes (or node taken out of service), new requests will be
serviced by remaining nodes→ Minimum N+1 redundancy recommended for node groups.
• Configure LB cluster as a node group.
• If node group member fails, then another node-group member will issue CoA-reauth for Posture Pending
sessions, forcing the sessions to begin again and not be hung.
• Note: Node groups do not require load balancers
ISE and Load Balancers For Your
Reference
General Guidelines
• Do not use Source NAT(SNAT) from access layer for RADIUS; SNAT Optional for HTTP/S:
• ISE uses Layer 3 address to identify NAD, not NAS-IP-Address in RADIUS packet, so CoA fails.
• Each PSN must be reachable by the PAN / MNT directly without NAT.
• Each PSN must be reachable directly from client network for URL redirects (*Note sticky exception)
• Perform sticky (aka: persistence) based on Calling-Station-ID.
• Some load balancers support RADIUS Session ID; Others may be limited to Source IP (NAD IP).
• Optional “sticky buddies” (secondary attributes that persist different traffic to same PSN)
• *Framed-IP-Address if URL redirects must be sent through LB and not bypass LB.
• DHCP Requested IP Address to ensure DHCP Profile data hits same PSN that terminated RADIUS.
• VIP for PSNs gets listed as the RADIUS server on each NAD for all RADIUS AAA.
• Each PSN gets listed individually in the NAD CoA list by real IP address (not VIP).
• If source NAT PSN-initiated CoA traffic, then can list single VIP in NAD CoA list.
• Load Balancers get listed as NADs in ISE so their test authentications may be answered.
Load Balancing
TACACS+
• Virtual IP = TACACS+ Server
Load Balancing TACACS+ • VIP listens on TCP/49
• Sticky based on source IP
Session Authentication, Authorization, and Accounting
VLAN 98 (10.1.98.0/24) VLAN 99 (10.1.99.0/24)
10.1.99.5
1 tacacs-server host 10.1.98.18
Load Balancer ISE-PSN-1
2 TACACS+Session
TACACS+ SessionAUTHC
AUTH request
request to
to10.1.98.18
10.1.98.18
10.1.99.6
TACACS+
TACACS+Session
SessionAUTHC replyfrom
AUTH reply from10.1.98.18
10.1.98.18
Device Admin 4 ISE-CLUSTER
1. NAD has single TACACS+ Server defined (10.1.98.18) 10.1.99.7

2. TACACS+ Session Authentication requests sent to VIP @ 10.1.98.18
3. Requests from same Admin user load balanced to same PSN via sticky based on Source IP ISE-PSN-3
(NAD IP Address)
4. TACACS+ response received from VIP @ 10.1.98.18
• Virtual IP = TACACS+ Server
Load Balancing TACACS+ • VIP listens on TCP/49
• Sticky based on source IP
Session Authentication, Authorization, and Accounting
VLAN 98 (10.1.98.0/24) VLAN 99 (10.1.99.0/24)
10.1.99.5
2 TACACS+ Session
TACACS+ Session ACCTG
AUTHZ request
AUTHC request to
to 10.1.98.18
10.1.98.18
10.1.99.6
TACACS+
TACACS+ Session
TACACS+Session AUTHC
SessionAUTHZ reply
ACCTGreply from
replyfrom 10.1.98.18
from10.1.98.18
10.1.98.18
Device Admin 4 5 ISE-CLUSTER
1. NAD has single TACACS+ Server defined (10.1.98.18) 10.1.99.7

2. TACACS+ Session Authentication requests sent to VIP @ 10.1.98.18 3
3. Requests from same Admin user load balanced to same PSN via sticky based on Source IP ISE-PSN-3
(NAD IP Address)
5. TACACS+ Session Authorization & Accounting sent to/from same PSN per sticky
No session like RADIUS, so T+ requests can go
Load Balancing TACACS+ to different PSNs, but recommend stick to
same PSN for logging/trouble-shooting and for
Command Authorization and Accounting single connect mode.
VLAN 98 (10.1.98.0/24) VLAN 99 (10.1.99.0/24)
10.1.99.5
2 TACACS+ CMD#2
CMD#1 AUTHZ
ACCTG request to 10.1.98.18
10.1.99.6
TACACS+ CMD#2
TACACS+ CMD#2
CMD#1 ACCTG
CMD#1 AUTHZ reply
replyfrom
from10.1.98.18
10.1.98.18
Device Admin 4 5 ISE-CLUSTER
1. Once Session Authenticated, Command Authorization/Accounting can begin. 10.1.99.7

2. TACACS+ Command Authorization request sent to VIP @ 10.1.98.18 3
3. Requests from same Admin user load balanced to same PSN via sticky based on Source ISE-PSN-3
IP (NAD IP Address)
5. TACACS+ Command Accounting sent to/from same PSN per sticky
Load Balancing TACACS+
General Recommendations
• Load Balance based on TCP/49.
• Source NAT (SNAT) can be used – No CoA like RADIUS
• Recommend LB inline with TACACS traffic, else need to address TCP asymmetry.
• Without SNAT, make sure PSNs set default gateway to LB internal interface IP.
• Persistence – Recommend source IP address

• Based on assumption that number of T+ clients high and requests per client is low.
• Health Monitoring options:

• Simple response to TCP/49
• 3-way handshake expected response
• Scripts can be used to validate full auth flow.
Packet format: http://www.cisco.com/warp/public/459/tac-rfc.1.76.txt

Packet capture(encrypted):https://www.cloudshark.org/captures/1a9c284c49b0
Load Balancing TACACS+ For Your
Reference
General Recommendations
1. Configure Virtual Server to LB on tcp/49.
2. SNAT should work as ISE servers do not need to initiate conversation to the TACACS+ clients like RADIUS CoA, but all
requests will appear to emanate from LB rather than from the NAD clients. In either case, LB should be physically or
logically inline with the TACACS traffic to ensure full processing of the flow and handling of the TCP session. Without
SNAT, need to make sure LB internal interface IP is the default gateway for the ISE PSNs (TACACS+ servers).
3. Persistence can be based on simple source IP address based on assumption that the number of T+ clients is high and
individual requests per client is relatively low. This should allow for sufficient distribution of requests across ISE
PSNs and help ensure Authentication, Authorization, and Accounting requests do not get load balanced between ISE
servers. More granular LB based on session ID (or even username) may be possible, but recommend keep it simple
to ensure persistence locked to given device. (Initial TCP session establishment will not have TACACS payload.
Standard T+ Packet header has Session_ID, but username would be in payload.)
4. Health monitoring can be based on response to tcp/49, or 3-way handshake based expected response, but some
customers have used more advanced checks like perl script or scripted tcp to validate full auth process.
Packet format: http://www.cisco.com/warp/public/459/tac-rfc.1.76.txt

Packet capture(encrypted):https://www.cloudshark.org/captures/1a9c284c49b0
TACACS+ Configuration For Your
Reference
Catalyst Switch Example
Example using tacacs-server host
tacacs-server host 10.1.98.18 timeout 4 key 0 cisco123 single-connection Define each PSN (or LB VIP) serving TACACS+
tacacs-server host 10.2.98.18 timeout 4 key 0 cisco123 single-connection Single connect reuses single TCP connection; default
tacacs-server retransmit tries timeout is 5 seconds;
! default retransmit is 2 tries
aaa new-model
aaa authentication login default group tacacs+ local Enable TACACS+ session authentication
aaa authentication enable default group tacacs+ enable Enable TACACS+ enable mode authentication
aaa authorization exec default group tacacs+ local if-authenticated Enable TACACS+ CLI session authorization
aaa authorization commands 1 default group tacacs+ if-authenticated Enable TACACS+ command authorization (priv 1)
aaa authorization commands 15 default group tacacs+ if-authenticated Enable TACACS+ command authorization (priv 15)
aaa accounting exec default start-stop group tacacs+ Enable TACACS+ session accounting
aaa accounting commands 1 default start-stop group tacacs+ Enable TACACS+ command accounting (priv 1)
aaa accounting commands 15 default start-stop group tacacs+ Enable TACACS+ command accounting (priv 15)
!
ip tacacs source-interface loopback0 Configure source interface (IP addr) for TACACS+ Server
requests (must match ISE NAD config)
LDAP Server Redundancy
and Load Balancing
Per-PSN LDAP Servers
• Assign unique
Primary and
Secondary to
each PSN
• Allows each PSN

to use local or
regional LDAP
Servers
Load Balancing
LDAP Servers
Lookup1
Lookup2 = ldap.company.com
Response = 10.1.95.7
10.1.95.6
10.1.95.5
15 minute reconnect timer
ldap1.company.com
LDAP Query to 10.1.95.7
10.1.95.6
10.1.95.6
10.1.95.6
LDAP Response from 10.1.95.7
ldap2.company.com
PSN
10.1.95.7
ldap3.company.com
For Your
Reference
Sample Vendor
Load Balancer
Configurations for
Cisco ISE
Vendor-Specific LB Configurations
• F5 LTM
• Citrix NetScaler https://community.cisco.com/t5/security-documents/ise-load-balancing/ta-p/3648759
• Cisco ACE
• Cisco ITD (Note)
F5 LTM For Your
Reference
• Cisco Communities
https://community.cisco.com/t5/security-documents/ise-load-
balancing/ta-p/3648759
• Cisco and F5 Deployment Guide: ISE Load
Balancing using BIG-IP:
https://community.cisco.com/t5/security-documents/how-to-
cisco-amp-f5-deployment-guide-ise-load-balancing-using/ta-
p/3631159
• Linked from F5 website under Cisco Alliance
page > White Papers:
https://f5.com/solutions/technology-alliances/cisco
• Configuring F5 LTM for Cisco ISE LB:

https://community.cisco.com/t5/security-
documents/configuring-f5-ltm-for-cisco-ise-load-balancing/ta-
p/3642134
• BRKSEC-3699 Reference Presentation Complete

working config + screenshots
https://www.ciscolive.com/online/connect/sessionDetail.ww?SES
SION_ID=94152 #CLMEL BRKSEC-3432 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 516
For Your
Reference
Citrix NetScaler
• Cisco Communities > ISE Load Balancing

• https://community.cisco.com/t5/security-documents/ise-load-balancing/ta-p/3648759
• Citrix NetScaler 1000V Load Balancing Config for ISE
• https://ciscomarketing.jiveon.com/docs/DOC-64441
• ISE and Citrix NetScaler for LB

• Detailed discussion on NetScaler Persistence, CoA NAT, etc:
• https://supportforums.cisco.com/discussion/11949336/ise-and-citrix-netscaler-lb
For Your
Reference
Cisco ACE Load Balancer
• Cisco Communities > ISE Load Balancing
• https://community.cisco.com/t5/security-documents/ise-load-balancing/ta-
p/3648759
• Configuring ACE for Cisco ISE Load Balancing
• Complete working configuration
• https://community.cisco.com/t5/security-documents/configuring-ace-for-cisco-ise-
load-balancing/ta-p/3642008
Intelligent Traffic Director (ITD)
Can I Use Cisco ITD to Load Balance ISE Traffic?
• As of June 2017, these are the key considerations

and limitations for deploying ISE with ITD for RADIUS LB:
• Prior to NX-OS 7.2(1), ITD assumes support for Direct Server Return (DSR). ISE does not support this option.
• ITD added support for non-DSR (destination NAT) in NX-OS Software 7.2(1)D1(1) (also known as Gibraltar MR)
on Nexus 7k series of switches only. Destination NAT is necessary to have packets properly forwarded to/from
PSNs through ITD.
• Currently no support for persistence based on Calling-Station-ID, Session ID, or other RADIUS attributes.
Stickiness would need to rely on source IP (NAD IP address)
—only feasible if have good distribution of endpoints across NADs of equal capacity.
• Currently no support for RADIUS health probes; must rely on simple ping/port checks.
• Currently no support source NAT, so would need extra configuration for CoA to work. For Your
Reference
PSN HA Without Load
Balancers
For Your
Reference
How can my company

get HA and scalability
without load balancers?
Load Balancing Web Requests Using DNS
Client-Based Load Balancing/Distribution Based on DNS Response
• Examples:
• Cisco Global Site Selector (GSS) / F5 BIG-IP GTM / Microsoft’s DNS Round-Robin feature
• Useful for web services that use static URLs including LWA, Sponsor, My Devices, OCSP.
10.1.99.5 10.1.99.6 10.2.100.7 10.2.100.8

sponsor IN A 10.1.99.5
sponsor IN A 10.1.99.6
What is IP address for sponsor IN A 10.2.100.7 What is IP address for
sponsor.company.com? sponsor IN A 10.2.100.8 sponsor.company.com?
DNS SOA for company.com
10.1.60.105 10.1.99.5 10.2.100.8 10.2.5.221
Using Anycast for ISE Redundancy For Your
Reference
Profiling Example
Provided dedicated
User
interface or LB VIPs
used, Anycast may be
used for Profiling, Web
Portals (Sponsor, Guest
LWA, and MDP) and
RADIUS AAA!
ACCESS1
ISE-PSN-1
ACCESS3
NADs are
configured with
single Anycast IP
ACCESS2 address.
ISE-PSN-2
Ex: 10.10.10.10
#CLMEL BRKSEC-3432
Anycast address should only be applied to ISE
ISE Configuration for Anycast secondary interfaces, or LB VIP, but never to ISE
GE0 management interface.
On each PSN that will participate in Anycast…

1. Configure PSN probes to profile
DHCP (IP Helper), SNMP Traps, or
NetFlow on dedicated interface
2. From CLI, configure dedicated interface
with same IP address on each PSN node.
ISE-PSN-1 Example:
#ise-psn-1/admin# config t
#ise-psn-1/admin (config)# int GigabitEthernet1
#ise-psn-1/admin (config-GigabitEthernet)# ip address 10.10.10.10 255.255.255.0
ISE-PSN-2 Example:
#ise-psn-1/admin# config t
#ise-psn-1/admin (config)# int GigabitEthernet1
#ise-psn-1/admin (config-GigabitEthernet)# ip address 10.10.10.10 255.255.255.0
Routing Configuration for Anycast
Sample Configuration
• Access Switch 1 • Access Switch 2

Both switches interface gigabitEthernet 1/0/23
interface gigabitEthernet 1/0/23
advertise same no switchport
no switchport
network used for ip address 10.10.10.51 255.255.255.0
ip address 10.10.10.50 255.255.255.0
profiling but !
!
router eigrp 100
different metrics router eigrp 100
no auto-summary no auto-summary
redistribute connected route-map CONNECTED- redistribute connected route-map CONNECTED-
2-EIGRP 2-EIGRP
! !
route-map CONNECTED-2-EIGRP permit 10 route-map CONNECTED-2-EIGRP permit 10
match ip address prefix-list 5 match ip address prefix-list 5
set metric 1000 100 255 1 1500 set metric 500 50 255 1 1500 # less preferred
set metric-type internal set metric-type external
! !
route-map CONNECTED-2-EIGRP permit 20 route-map CONNECTED-2-EIGRP permit 20
ip prefix-list 5 seq 5 permit 10.10.10.0/24 ip prefix-list 5 seq 5 permit 10.10.10.0/24
NAD-Based RADIUS Server Redundancy (IOS)
Multiple RADIUS Servers Defined in Access Device
• Configure Access Devices with multiple RADIUS Servers.

• Fallback to secondary servers if primary fails
RADIUS Auth PSN1 (10.1.2.3)
PSN2 (10.4.5.6)
User
PSN3 (10.7.8.9)
radius-server host 10.1.2.3 auth-port 1812 acct-port 1813

NAD-Based TACACS+ Server Redundancy (IOS)
Multiple TACACS+ Servers Defined in Access Device
For Your
Reference
• Configure Access Devices with multiple TACACS+ Servers.
• Fallback to secondary servers if primary fails
T+ Auth PSN1 (10.1.2.3)
PSN2 (10.4.5.6)
User
PSN3 (10.7.8.9)
tacacs-server host 10.1.2.3

NAD-Based Redundancy to Different Data Centers
RADIUS Example – Different RADIUS VIP Addresses For Your
Reference
• Configure access devices with each PSN LB

cluster VIP as a RADIUS Server. LB-1 PSN1 (10.1.99.5)
(10.1.98.8)
• Fallback to secondary DC DC #1
PSN2 (10.1.99.6)
if primary DC fails
PSN3 (10.1.99.7)
RADIUS Auth
LB-2 PSN1 (10.2.101.5)
User Network (10.2.100.2)
Access Device
Same principles PSN2 (10.2.101.6)
apply whether point DC #2
to individual PSNs PSN3 (10.2.101.7)
or LB VIPs!
RADIUS Example – Single RADIUS VIP Address using Anycast For Your
Reference
• Configure access devices with each PSN LB

cluster VIP as a RADIUS Server. LB-1 PSN1 (10.1.99.5)
(10.1.98.8)
• Fallback to secondary DC DC #1
PSN2 (10.1.99.6)
if primary DC fails.
PSN3 (10.1.99.7)
RADIUS Auth
LB-2 PSN1 (10.2.101.5)
User Network (10.1.98.8)
Access Device
If not using LB, then must PSN2 (10.2.101.6)
configure PSN DC #2
secondary interfaces PSN3 (10.2.101.7)
with Anycast address.
Profiling Example – Different DHCP VIP Addresses For Your
Reference
• Configure access devices with PSN cluster VIP as

an IP Helper. LB1 PSN1 (10.1.99.5)
(10.1.98.11)
• Both Data Centers receive copy DC #1
PSN2 (10.1.99.6)
of DHCP Profiling data
• Same principles apply without LB.
PSN3 (10.1.99.7)
DHCP Relay
LB2 PSN1 (10.2.101.5)
(10.2.100.3)
User Network Access
Device PSN2 (10.2.101.6)
DC #2
interface VLAN 10 PSN3 (10.2.101.7)
ip address A.B.C.D 255.255.255.0
ip helper-address X.X.X.X # Real
ip helper-address 10.1.98.11 # LB1
ip helper-address 10.2.100.3 # LB2#CLMEL BRKSEC-3432 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 530
Profiling Example – Single DHCP VIP Address using Anycast For Your
Reference
• Configure access devices with a single IP

Helper—shared across PSNs or VIPs. LB1 PSN1 (10.1.99.5)
(10.1.98.11)
• Fallback to secondary DC if routing DC #1
PSN2 (10.1.99.6)
to primary DC fails
PSN3 (10.1.99.7)
DHCP Relay
LB2 PSN1 (10.2.101.5)
(10.1.98.11)
User Network Access
Device PSN2 (10.2.101.6)
DC #2
interface VLAN 10 PSN3 (10.2.101.7)

ip address A.B.C.D 255.255.255.0
ip helper-address X.X.X.X # Real If not using LB, then must configure PSN
ip helper-address 10.1.98.11 # Anycast secondary interfaces with Anycast address.
IOS-Based RADIUS Server Load Balancing
Switch Dynamically Distributes Requests to Multiple RADIUS Servers
• RADIUS LB feature distributes batches of AAA transactions to servers within a group.

• Each batch assigned to server with least number of outstanding transactions.
RADIUS PSN1 (10.1.2.3)

NAD controls the load
User 1 distribution of AAA
PSN2 (10.4.5.6) requests to all PSNs in
RADIUS group without
dedicated LB.
PSN3 (10.7.8.9)
User 2

radius-server load-balance method least-outstanding batch-size 5
BRKSEC-3432
IOS-Based RADIUS Server Load Balancing
Sample Live Log
• Use test aaa group
command from IOS CLI to
test RADIUS auth
requests
Reasonable load distribution

across all PSNs
Example shows 3 PSNs in

RADIUS group
cat3750x# test aaa group radius radtest cisco123 new users 4 count 50
AAA/SG/TEST: Sending 50 Access-Requests #CLMEL
@ 10/sec, 0 Accounting-Requests @ 10/sec
BRKSEC-3432
NAD-Based RADIUS Redundancy (WLC)
Wireless LAN Controller
• Multiple RADIUS Auth & Accounting Server Definitions

• RADIUS Fallback options: none, passive, or active
Password=
Username
Off = Continue exhaustively through list;

never preempt to preferred server (entry
with lowest index)
Passive = Quarantine failed RADIUS server
for interval then return to active list w/o
validation; always preempt.
Active = Mark failed server dead then
actively probe status per interval
w/username until succeed before return
to list; always preempt.
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008098987e.shtml
HA/LB Summary Table For Your
Reference
Comparison of Various HA/LB Methods
HA/LB Where Configured? Primary USE Pros Cons
Method Cases
Local Load Centrally using LB RADIUS Large scaling, Fast failover, better load Higher up-front cost and
Balancers near PSN cluster HTTP/S distribution, in/out servicing, single IP, complexity
Profiling adds flexibility, lowers TCO
DNS/Global Centrally using DNS LWA / Large scaling, better load distribution, Somewhat higher cost and
LB Sponsor / in/out servicing, single URL complexity
MDP Portals
Anycast Centrally using Web Portals, Lower cost, supports simple route-based Higher complexity
routing Profiling, distribution, in/out service, single IP
RADIUS
NAD RADIUS Distributed in local RADIUS, Low cost and complexity, deterministic Management of distributed
Server List NAD config Profiling distribution lists, poor load distribution
(Sensor)
IOS RADIUS Distributed in local RADIUS Low cost and complexity, better per-NAD Management of distributed
LB NAD config load distribution lists
BRKSEC-3432
NAD Fallback and Recovery

Session Agenda
PSN Load Balancing You Are Here

TACACS+ Design and

Profiling, TACACS+


Sizing Deployments
NAD Fallback and Recovery
Common Questions
Q: How does NAD detect failed RADIUS servers?
A: Test Probes and Test User accounts
Q: What is the default behavior when ALL RADIUS servers down?

A: Unless using ‘authentication open’ no access is granted for unauthorized ports.
Q: Which fallback methods are available?

A: Critical Authentication VLAN for Data and Voice; Critical ACLs; EEM controls
Q: What is the impact of using VLAN-based fallback methods?

A: Users may still be blocked by port ACLs or may not get IP if VLAN changes
Q: Which recovery methods are available?

A: Reinitialize ports when RADIUS server available
In example, servers are marked “dead” if no response in 60
NAD Fallback and Recovery seconds (1 transmit + 3 retransmits w/15 second timeout).
After 2 minutes, RADIUS test probe will retry server and mark
Dead RADIUS Server Detection & Recovery “alive” if response; otherwise recheck every 2 minutes(deadtime).
For Your
Example using radius-server host Reference Some releases may require idle-time to be set lower than dead-
time. (CSCtr61120)
interface X
authentication event fail action next-method
authentication event server dead action reinitialize vlan 11 Move new hosts to specified critical data VLAN
authentication event server dead action authorize voice Authorize new phones to voice VLAN
authentication event server alive action reinitialize Reauthenticate endpoints on port once server “alive”
authentication violation restrict Deny access to violating host but do not disable port
radius-server dead-criteria time 30 tries 3 Conditions to mark server as “dead” (Ex: 60 sec.)
radius-server deadtime 2 Minutes before retrying server marked as “dead”
authentication critical recovery delay 1000 Throttle requests for critical ports once server “alive”
dot1x critical eapol Send EAPOL-Success when auth critical port
epm access-control open Permit access if no dACL returned with successful auth
radius-server host 10.1.98.8 auth-port 1812 acct-port 1813 test username RADIUS server definition including periodic test to detect server
radtest ignore-acct-port key cisco123 dead/alive:
username ‘radtest’: Locally defined test user to auth
radius-server host 10.2.101.3 auth-port 1812 acct-port 1813 test username idle-time: default = 60 = “Send test probe 1 per hour”
radtest ignore-acct-port key cisco123 ignore-acct-port : Test auth-port on
Fallback RADIUS server if primary server fails
NAD Fallback and Recovery For Your
Reference
‘aaa radius group’ Example
interface X
• Similar configuration as previous example but authentication event server dead action reinitialize vlan 11
using aaa radius group and radius server authentication event server dead action authorize voice
authentication event server alive action reinitialize
host commands authentication violation restrict
• radius server host defines individual RADIUS authentication critical recovery delay 1000
dot1x critical eapol
servers with separate lines for config epm access-control open
parameters radius-server dead-criteria time 30 tries 3
radius-server deadtime 2
• aaa radius group defines RADIUS group with aaa group server radius psn-clusters
individual server entries listed server name psn-cluster1
server name psn-cluster2

automate-tester username radtest ignore-acct-port key cisco123

automate-tester username radtest ignore-acct-port key cisco123
NAD Fallback and Recovery Sequence
Endpoint Access Switch Policy Service Node
Layer 2 Point-to-Point Layer 3 Link
Auth Request Auth Request
Retry
15 sec, Auth-Timeout
Access VLAN 10 (or Authorized VLAN) Retry
Detection
Retry
radius-server dead-criteria 15 tries 3
Dead
SERVER DEAD
Authorize Critical VLAN 11 Wait Deadtime = 2 minutes Deadtime Test request

No response Deadtime Test request
Traffic permitted on Critical VLAN per port ACL
No response
Deadtime
Deadtime Test request

No response Deadtime Test request
radius-server deadtime 2 Deadtime Test reply
authentication event server dead action reinitialize vlan 11 SERVER ALIVE
Reinitialize Port / Set Access VLAN per Recovery Interval
60 minute Idle-Time
Traffic permitted per RADIUS authorization
Recovery
Idle-Time Test request

radius-server host ... test username radtest idle-time 60 key cisco123 Idle-Time Test request
authentication critical recovery delay 1000
RADIUS Test User Account
Which User Account Should Be Used?
• Does NAD uniformly treat Auth Fail and Success the same for detecting server health?
IOS treats them the same; ACE RADIUS probe treats Auth Fail= “server down”. Check your LB behavior.
• Do I use an Internal or External ID store account?
If goal is to validate backend ID store, then Auth Fail may not detect external ID store failure.
• IOS Example: Failover on AD failure. Solution: Drop auth requests when external ID store is down.
• Identity Server Sequence > Advanced Settings:
Authentication Policy > ID
Source custom
processing based on
authentication results
• ACE Example: If auth fails, then PSN declared down.

Solution: Create valid user account so ACE test probes
return Access-Accept.
• Could this present a potential security risk?
RADIUS Test User Account
Access-Accept or Access-Reject?
• If valid user account used, how prevent unauthorized access using probe account?
If Auth Fail treated as probe failure, then need valid account in ISE db or external store.
• Match auth from probes to specific source/NDG, Service Type, or User Name.
• Allow AuthN to succeed, but return AuthZ that denies access.
Access-Accept
dACL = deny ip any any
Inaccessible Authentication Bypass (IAB)
Also Known As “Critical Auth VLAN” for Data
Critical VLAN
Access VLAN WAN or PSN Down
WAN / Internet
Client Access Switch PSN
• Switch detects PSN unavailable by one of two methods

• Periodic probe
• Failure to respond to AAA request Critical Data VLAN can be anything:
• Same as default access VLAN
• Enables port in critical VLAN • Same as guest/auth-fail VLAN
• Existing sessions retain authorization status • New VLAN
• Recovery action can re-initialize port when AAA returns

authentication event server dead action authorize vlan 100
authentication event server dead action authorize voice Critical Voice VLAN
For Your
Reference
Critical Auth for Data VLAN
Sample Configuration
radius-server 10.1.10.50 test username KeepAliveUser key cisco
radius-server dead-criteria time 15 tries 3
radius-server deadtime 1
interface GigabitEthernet1/13
switchport access vlan 2
switchport mode access
switchport voice vlan 200
authentication event server dead action authorize vlan 100
authentication order dot1x mab
dot1x pae authenticator
authentication port-control auto
dot1x timeout tx-period 10
dot1x max-req 2
mab
spanning-tree portfast
Critical Auth for Data
Data VLAN Enabled
interface GigabitEthernet 3/48

authentication event server dead action authorize vlan x
Critical Auth for Voice VLAN (CVV)
Voice VLAN Enabled

authentication event server dead action authorize voice
Critical Auth for Data and Voice
Voice VLAN Enabled
Data VLAN Enabled

authentication event server dead action authorize vlan x
# show authentication sessions interface fa3/48

…
Critical Authorization is in effect for domain(s) DATA and VOICE
Multiple Hosts and Critical Auth For Your
Reference
Critical Auth for Data and Voice
• Multi-MDA:
Router(config-if)# authentication event server dead action authorize vlan 10
Router(config-if)# authentication event server dead action authorize voice
Behavior: Existing data sessions stay authorized in current VLAN; New sessions authorized to VLAN 10
• Multi-Auth:
Router(config-if)# authentication event server dead action reinitialize vlan 10
Router(config-if)# authentication event server dead action authorize voice
Behavior: All existing data sessions re-authorized to VLAN 10; New sessions are authorized to VLAN 10
• Catalyst Switch Support: Series Multi-Auth w/VLAN Critical Auth for Voice
2k/3k 12.2(55)SE 15.0(1)SE
4k 15.0(2)SG 15.0(2)SG
IOS XE 3.2.0SG IOS XE 3.2.0SG
6k 12.2(33)SXJ 12.2(33)SXJ1
Default Port ACL Issues with No dACL Authorization
Limited Access If ISE Policy Fails to Return dACL! For Your
Reference
• User authentications successful, but authorization profile does not include dACL to permit
access, so endpoint access still restricted by existing port ACL!
EAP Request RADIUS Access-Request Auth Success

EAP Success RADIUS Access-Accept Authorization Profile =
Employee
Access Type = Access-
Accept
Only DHCP/DNS/PING/TFTP allowed ! NO dACL!
interface GigabitEthernet1/0/2 ip access-list extended ACL-DEFAULT

switchport access vlan 10 permit udp any eq bootpc any eq bootps
switchport voice vlan 13 permit udp any any eq domain
ip access-group ACL-DEFAULT in permit icmp any any
permit udp any any eq tftp
Protecting Against “No dACL” Authorization For Your
Reference
EPM Access Control
• If authentication successful and no dACL returned, a permit ip host any entry is created for the
host. This entry is created only if no ACLs are downloaded from ISE.
EAP Request RADIUS Access-Request Auth Success

EAP Success RADIUS Access-Accept Authorization Profile =
Employee
Access Type
= Access-Accept
ALL traffic allowed ! NO dACL!
Insert at top of port ACL:
permit ip any any
epm access control open
ip access-list extended ACL-DEFAULT 2k/3k: 12.2(55)SE
interface GigabitEthernet1/0/2 permit udp any eq bootpc any eq bootps 4k: 12.2(54)G
switchport access vlan 10 permit udp any any eq domain 6k: 15.2(1)SY
switchport voice vlan 13 permit icmp any any
ip access-group ACL-DEFAULT in permit udp any any eq tftp
Default Port ACL Issues with Critical VLAN
Limited Access Even After Authorization to New VLAN!
• Data VLAN reassigned to critical auth VLAN, but new (or reinitialized) connections are still
restricted by existing port ACL!
Critical
Access VLAN Voice VLAN WAN or PSN Down
Gi1/0/2
Only DHCP/DNS/PING/TFTP allowed !

Default ACL

authentication event server dead action reinitialize vlan 11 permit udp any any eq tftp
Critical VLAN w/o Explicit Default Port ACL For Your
Reference
Low Impact versus Closed Mode
• One solution to dACL + Critical Auth VLAN issue is to simply remove the port ACL!
• No static port ACL required for dACLs in current 2k/3k/4k.

2k/3k: 12.2(55)SE 4k:
12.2(54)G
• Low Impact Mode Use Case:
6k: 15.2(1)SY
• Initial access permits all traffic
• Pro: Immediately allows access to critical services for all endpoints including PXE and WoL devices
• Con: Temporary window which allows any unauthenticated endpoint to get full access
• Closed Mode User Case

• No initial access but default authorization can assign default access policy (typically CWA)
• Pro: No access until port authorized
• Con: Some endpoints may fail due to timing requirements such as PXE or WoL
Using Embedded Event Manager with Critical VLAN
Modify or Remove/Add Static Port ACLs Based on PSN Availability
• EEM available on 3k/4k/6k
• Allows scripted actions to occur based on various conditions and triggers
event manager applet default-acl-fallback
event syslog pattern "%RADIUS-4-RADIUS_DEAD" maxrun 5
action 1.0 cli command "enable" Single RADIUS Server
action 1.1 cli command "conf t" pattern "CNTL/Z." (LB VIP) example
action 2.0 cli command "ip access-list extended ACL-DEFAULT" shown.
action 3.0 cli command "1 permit ip any any"
action 4.0 cli command "end" Multi-server option:
%RADIUS-3-
event manager applet default-acl-recovery ALLDEADSERVER
event syslog pattern "%RADIUS-4-RADIUS_ALIVE" maxrun 5
action 1.0 cli command "enable"
action 1.1 cli command "conf t" pattern "CNTL/Z."
action 2.0 cli command "ip access-list extended ACL-DEFAULT"
action 3.0 cli command "no 1 permit ip any any"
action 4.0 cli command "end"
EEM Example
Remove and Add Port ACL on RADIUS Server Status Syslogs
• Port ACLs block new user connections during Critical Auth
WAN or PSN Down

Critical VLAN
Access VLAN Gi1/0/5 EEM
●
Only DHCP/DNS/PING/TFTP
All user traffic allowed allowed
● ACL-DEFAULT
●
• EEM detects syslog message %RADIUS-3- • EEM detects syslog message %RADIUS-6-
ALLDEADSERVER: Group radius: No active SERVERALIVE: Group radius: Radius server
radius servers found and removes ACL- 10.1.98.8:1812,1813 is responding again
DEFAULT. (previously dead)and adds ACL-DEFAULT.
event manager applet remove-default-acl event manager applet add-default-acl
event syslog pattern "%RADIUS-4-RADIUS_DEAD" maxrun 5 event syslog pattern "%RADIUS-4-RADIUS_ALIVE" maxrun 5
action 1.0 cli command "enable" action 1.0 cli command "enable"
action 1.1 cli command "conf t" pattern "CNTL/Z." action 1.1 cli command "conf t" pattern "CNTL/Z."
action 2.0 cli command "interface range gigabitEthernet 1/0/1 - 24" action 2.0 cli command "interface range gigabitEthernet 1/0/1 - 24"
action 3.0 cli command "no ip access-group ACL-DEFAULT in" action 3.0 cli command "ip access-group ACL-DEFAULT in"
action 4.0 cli command "end" action 4.0 cli command "end"
EEM Example 2 For Your
Reference
Modify Port ACL Based on Route Tracking
cat6500(config)# track 1 ip route 10.1.98.0 255.255.255.0 reachability

cat6500(config)# event manager applet default-acl-fallback
cat6500(config-applet)# event track 1 state down maxrun 5
cat6500(config-applet)# action 1.0 cli command "enable"
cat6500(config-applet)# action 1.1 cli command "conf t" pattern "CNTL/Z."
cat6500(config-applet)# action 2.0 cli command "ip access-list extended ACL-DEFAULT"
cat6500(config-applet)# action 3.0 cli command "1 permit ip any any"
cat6500(config-applet)# action 4.0 cli command "end"
cat6500(config)# event manager applet default-acl-recovery
cat6500(config-applet)# event track 1 state up maxrun 5
cat6500(config-applet)# action 1.0 cli command "enable"
cat6500(config-applet)# action 1.1 cli command "conf t" pattern "CNTL/Z."
cat6500(config-applet)# action 2.0 cli command "ip access-list extended ACL-DEFAULT"
cat6500(config-applet)# action 3.0 cli command "no 1 permit ip any any"
cat6500(config-applet)# action 4.0 cli command "end"
Using Embedded Event Manager with Critical VLAN
Modify or Remove/Add Static Port ACLs Based on PSN Availability
• Allows scripted actions to occur based on various conditions and triggers
track 1 ip route 10.1.98.0 255.255.255.0 reachability
event manager applet default-acl-fallback
event track 1 state down maxrun 5
action 2.0 cli command "ip access-list extended ACL-DEFAULT" EEM available on
action 3.0 cli command "1 permit ip any any"
Catalyst 3k/4k/6k
event manager applet default-acl-recovery switches
event track 1 state up maxrun 5
action 2.0 cli command "ip access-list extended ACL-DEFAULT"
action 3.0 cli command "no 1 permit ip any any"
https://supportforums.cisco.com/document/117596/cisco-eem-basic-overview-and-sample-configurations
https://supportforums.cisco.com/document/48891/cisco-eem-best-practices
#CLMEL © 2019 CiscoBRKSEC-3432
and/or its affiliates. All rights reserved. Cisco Public 557
Critical ACL using Service Policy Templates
Apply ACL, VLAN, or SGT on RADIUS Server Failure!
• Critical Auth ACL applied on Server Down
Critical
Access VLAN
VLAN Voice VLAN WAN or PSN Down
Gi1/0/2
Default ACL
Only DHCP/DNS/PING/TFTP allowed !

access-session port-control auto permit udp any any eq tftp
mab
service-policy type control subscriber ACCESS-POLICY
2k/3k/4k: 15.2(1)E
Critical ACL using Service Policy Templates 3k IOS-XE: 3.3.0SE
4k: IOS-XE 3.5.0E
Apply ACL, VLAN, or SGT on RADIUS Server Failure! 6k: 15.2(1)SY
• Critical Auth ACL applied on Server Down
Critical
Access VLAN Voice VLAN WAN or PSN Down
Gi1/0/2
Default
Critical ACL
Deny PCI networks; Permit Everything
Only DHCP/DNS/PING/TFTP allowed ! Else !
policy-map type control subscriber ACCESS-POLICY
event authentication-failure match-first ip access-list extended ACL-CRITICAL
ACL-DEFAULT
10 class AAA_SVR_DOWN_UNAUTHD do-until-failure
remark Denyany
permit udp access to PCI any
eq bootpc zoneeqscopes
bootps
10 activate service-template CRITICAL_AUTH_VLAN
20 activate service-template DEFAULT_CRITICAL_VOICE_TEMPLATE deny tcpudp
permit anyany
172.16.8.0 255.255.240.0
any eq domain
30 activate service-template CRITICAL-ACCESS deny udp
permit anyany
icmp 172.16.8.0
any 255.255.240.0
service-template CRITICAL-ACCESS deny ipudp
permit any any
192.168.0.0 255.255.0.0
any eq tftp
access-group ACL-CRITICAL permit ip any any
!
service-template CRITICAL_AUTH_VLAN
vlan 10
service-template DEFAULT_CRITICAL_VOICE_TEMPLATE #CLMEL BRKSEC-3432 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 559
username 000c293c8dca password 0 000c293c8dca
username 000c293c8dca aaa attribute list mab-local
Critical MAB !
aaa local authentication default authorization mab-local
aaa authorization credential-download mab-local local
Local Authentication During Server Failure !
aaa attribute list mab-local
attribute type tunnel-medium-type all-802
attribute type tunnel-private-group-id "150"
000c.293c.8dca attribute type tunnel-type vlan
attribute type inacl "CRITICAL-V4"
!
policy-map type control subscriber ACCESS-POL
...
event authentication-failure match-first
WAN 10 class AAA_SVR_DOWN_UNAUTHD_HOST do-↵
until-failure
10 terminate mab
20 terminate dot1x
? 30 authenticate using mab aaa authc-↵
list mab-local authz-list mab-local
000c.293c.331e
...
▪ Additional level of check to authorize hosts during a critical condition.

▪ EEM Scripts could be used for dynamic update of whitelist MAC addresses
▪ Sessions re-initialize once the server connectivity resumes.
BRKSEC-3432
Monitoring Load and

System Health
Session Agenda
Monitoring Load and System Health You Are Here

TACACS+ Design and

Profiling, TACACS+


Sizing Deployments
Home Dashboard - High-Level Server Health
Server Health/Utilization Reports
Operations > Reports > Diagnostics > Health Summary
For Your
Reference
Replication – Message Queue Backlog
Administration > System > Deployment
ISE Application Status (ISE 2.2) For Your
Reference
# show application status ise
ISE 2.2 adds:

• EST Service
• Wifi Setup Helper details
• Individual Passive ID collection
services
Reference
ISE 2.4 adds:

• ISE RabbitMQ Container
Reference
ISE 2.6 adds:

• ISE RabbitMQ Container
renamed to ISE Messaging
Service
KPM in a Nutshell For Your
Reference
• What is KPM?
• KPM stands for Key Performance Metrics. These are the metrics collected from the
MNT nodes about the Endpoints and its artifacts
• Benefits of KPM:
• Endpoints Onboarding data: Measure key performance metrics about
Endpoints, like Total, Active, Successful, Failures, Endpoints on-boarded/day
• Endpoints Transactional Load data: # radius requests at a PSN level/hr, Radius
requests to # Active EP ratio, How much of these data was persisted in the MNT
table and how many of them were suppressed to determine the suppression
ratio, what was the Avg and Max load on the PSN during that hour, what was the
latency and Avg TPS.
CLI added in ISE 1.4
Key Performance Metrics (KPM) Admin UI Reports
# application configure ise (Options 12 and 13) added in ISE 2.2
• Generate performance metrics:

For Your
• Endpoints Onboarding Reference
• Endpoints Transactional Load
• Saves to local disk

• Can copy to repository for viewing
• Reports are suffixed with date Options 12

parameter and 13
• If run in same day, will overwrite
• Can be resource intensive on

CPU/Memory, so advised to run
during non-peak hours
KPM Attributes For Your
Reference
• KPM OnBoarding Results: • KPM Trx Load (cont)
• Total Endpoints : Total number of endpoints in the • Radius Requests : Number of Radius requests sent by the
deployment PSNs for that hour.
• Successful Endpoints : How many of them were on boarded • RR_AEP_ratio : Ratio of Radius Requests to the number of
successfully Active endpoints on an hourly basis. This will give the
number of radius request an Active EP makes on an
• Failed Endpoints : How many failed to on board
average.
• New EP/day : New endpoints seen in the deployment for a
• Logged_to_MNT/hr : Number of Radius Request persisted
given day
in the DB
• Total Onboarded/day : Total endpoints on-boarded for a
• Noise/hr : Number of Radius Request suppressed, only the
given day
counter increases but the data is not persisted in the DB.
• KPM Trx Load • Supression_hr % : % of suppression

• Avg_Load (avg) : Average load of the PSNs during that
• Timestamp: Date/Time, This is an hourly window,
hourly window
extrapolated from the syslogs sent by the PSNs
• Max Load (avg): Max load of the PSNs during that hourly
• PSN name : Hostname of the PSN sending syslogs to the
window
MNT collector
• Latency_per_request: Latency per radius request (average)
• Total Endpoints: Total number of endpoints in the
deployment • Avg TPS : Average number of transactions per second on
that PSN.
• Active Endpoints: Active number of endpoints in the
deployment for that hour.
Raw Sample of KPM Stats Output For Your
Reference
• KPM_TRX_LOAD_<DATE>.xls
• KPM_ONBOARDING_RESULTS_<DATE>.xls
Key Performance Metrics (KPM)
KPM Reports added in ISE 2.2: Operations > Reports > Diagnostics > KPM
Also available from CLI (# application configure ise)
Provide RADIUS Load, Latency, and Suppression Stats
Serviceability Counter Framework For Your
Reference
Overview
• Counter Framework (CF) is a library to periodically collect different ISE attributes.
• Modules like profiler, network access, etc configured few critical attributes in CF.
• CF periodically collects all these attributes in each node and persists in MnT via syslog.
• “ISE Counters” report (Operations → Reports → Diagnostics) lists the attribute values per node.
• All counter attributes are enabled by default. To disable/enable use “application configure ise” admin
command with option number 14 ([14]Enable/Disable Counter Attribute Collection).
• Support bundle of MnT node (if “Include monitoring and reporting logs” is checked) will have the
counter attribute database table dump in csv format.
• Similar to admin “show cpu usage” command, cpu usage are displayed in “Health Summary” report
(Operations → Reports → Diagnostics).
Displaying Profiler Statistics
The Hard Way
6 <Enter>
Create an RMI connector client and connect it to the RMI connector server
Get an MBeanServerConnectionRetrieve MXBean
Press <Enter> to continue...

Timestamp,Elapsed,EHQDroppedEvents,LocalEndPointReads,EndpointsOwnerChanged,ProbeDummyEndpointsDetected,ProbeSnmpQueryEnd
pointsDetected,RadiusPacketsReceived,CoAHandledEvents,RemoteUpdateAverted,ProbeDhcpEndpointsDetected,IosSensorDhcpDetected,Http
PacketsNonAdjacentDropped,NACReSyncNotify,EndpointsDropped,RemoteUpdate,ProbeNmapSnmpQueryTriggered,HttpPacketsAdjacent,IosS
ensorCdpDetected,EndpointsProfiled,HttpPacketsReceived,EndpointsReProfiled,FeedPolicyCreate,DhcpSkipProfiling,EndpointsUpdated,ProbeR
adiusEndpointsDetected,IosSensorMdnsDetected,ProbeDnsEndpointLookupAvert,ProfilerCacheMisses,ProbeSnmpTrapEndpointsDetected,ARP
Save,IosSensorH323Detected,ARPUpdate,CoADroppedEvents,ARPMiss,ProbeDnsEndpointsDetected,ProbeNetflowEndpointsDetected,ProbeS
panEndpointsDetected,ARPHit,EndpointsRetrievedFromOwner,IosSensorLldpDetected,ARPRetrieve,EndpointsSaved,ProfilerCacheHits,FeedPol
icyUpdate,SnmpTrapsReceived,IosSensorHttpDetected,FeedEndpointsReProfiled,RemoteSave,SnmpQueriesPerformed,NACEndpointNotify,End
pointsDeleted,IosSensorMDMDetected,DhcpPacketsReceived,NmapSubnetScanEndpointsDiscovered,ProbeHttpEndpointsDetected,ProbeDnsE
ndpointLookup,EndpointsCached,IosSensorSipDetected,NetflowPacketsReceived,ProbeNmapScannedEndpoints,EndpointsDetected
1493585875206,1000,0,193,0,0,0,18,0,7,0,0,0,0,0,0,0,0,0,7,0,0,0,0,22,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8
1493585876233,2027,0,193,0,0,0,18,0,7,0,0,0,0,0,0,0,0,0,7,0,0,0,0,22,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8
1493585877258,3052,0,193,0,0,0,18,0,7,0,0,0,0,0,0,0,0,0,7,0,0,0,0,22,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8
1493585878288,4082,0,193,0,0,0,18,0,7,0,0,0,0,0,0,0,0,0,7,0,0,0,0,22,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8
#CLMEL
1493585879325,5119,0,193,0,0,0,18,0,7,0,0,0,0,0,0,0,0,0,7,0,0,0,0,22,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8
Serviceability Counter Framework (CF)
The Easy Way: MnT auto-collects key metrics from each node!
• Enable/disable from
‘app configure ise’
Node specific report
• Enabled by default
• Threshold are hard
set by platform size
• Alarm sent when Thresholds
exceed threshold
• Running count
displayed per
collection interval
Detected
#CLMEL BRKSEC-3432
platform size
Disable/Enable Counter Attribute Collection For Your
Reference
ISE Counters Example:
5-Minute and > 5-Minute Collection Results Endpoint Ownership
Changes per interval
(20 min for this metric;
threshold = 5k events)
Example:
Delta in this interval =
6 ownership changes
Note: Counters are (over 20 minutes)
cumulative so need to take
deltas to determine events
per interval
show cpu CLI and in Health Summary Report
For Your
Reference
Summary of Reports Enhancements in ISE 2.2
For Your
Reference
Revamp of the Report framework

Changed the flex pages to html pages
(Technology used – HTML, JS, Backbone, Bootstrap for frontend)
Merged Saved report and Favorite report to one bucket ‘My Report’
Local csv export limit has been increased to 5000 records
Local pdf export limit is 1000 records.
Summary of Reports Enhancements in ISE 2.2
Continued For Your
Reference
• Clicking on the report will generate the the report for last 7 days.
• In multi section report (e.g. -Authentication Summary)the pagination is
supported at each and every grid section(e.g – Authentications by Failure
reason) i.e navigation to next set of records for each section can be done
individually.
• Added Custom time range filter and Advance filter in all the reports
• Regex can be used for server, identity and mac address column. The supported
regex are :- (*abc -> ends with, abc* -> starts with and abc* or *abc -> ‘OR’
condition)
• Scheduled and saved reports will save the details of definition
ISE Scalability and High Availability For Your
Reference
Summary Review
• Appliance selection and persona allocation impacts deployment size.
• VM appliances need to be configured per physical appliance sizing specs.
• Profiling scalability tied to DB replication—deploy node groups and optimize PSN collection.
• Leverage noise suppression to increase auth capacity and reduce storage reqs.
• ISE enhances scalability with multi-AD and auto-device registration & purge.
• Admin, MnT, and pxGrid based on a Primary to Secondary node failover.
• Load balancers can offer higher scaling and redundancy for PSN clusters.
• Non-LB options include “smart” DNS, AnyCast, multiple RADIUS server definitions in the access
devices, and IOS RADIUS LB.
• Special consideration must be given to NAD fallback and recovery options when no RADIUS servers
are available including Critical Auth VLANs for data and voice.
• IBNS 2.0 and EEM offer advanced local intelligence in failover scenarios.
Closing Comments
Session Agenda
Monitoring Load and System Health You Are Here

TACACS+ Design and

Profiling, TACACS+


Sizing Deployments
Key Takeaway Points
• CHECK ISE Virtual Appliances for proper resources and platform detection!
• Avoid excessive auth activity through proper NAD / supplicant tuning and Log
Suppression
• Minimize data replication by implementing node groups and profiling best
practices
• Leverage load balancers for scale, high availability, and simplifying network
config changes
• Be sure to have a local fallback plan on you network access devices
Cisco Community Page on Sizing and Scalability
https://community.cisco.com/t5/security-documents/ise-performance-amp-scale/ta-p/3642148
ISE Performance & Scale Resources
https://community.cisco.com/t5/security-documents/ise-performance-amp-scale/ta-p/3642148
• Cisco Live:
BRKSEC-3432
Reference version
• ISE Load Balancing Design
Guide
• Performance and Scale
guidance in HLD template
• Calculators for Bandwidth
and Logging
For Your
Reference
• Cisco Communities
documents/ise-load-balancing/ta-p/3648759
Includes Sample Working Configs, Videos, and update
notes on LB Guide.
• Cisco and F5 Deployment Guide: ISE Load

Balancing using BIG-IP:
documents/how-to-cisco-amp-f5-deployment-guide-ise-
load-balancing-using/ta-p/3631159
• Linked from F5 website under Cisco
Alliance page > White Papers:
https://f5.com/solutions/technology-alliances/cisco
For Your
Recommended Reading Reference
• http://www.ciscopress.com/store/cisc
o-ise-for-byod-and-secure-unified-
access-9781587144738
• http://amzn.com/1587144735
For Your
Reference
Additional Resources
Public Resources
ISE Public Community http://cs.co/ise-community

ISE Compatibility Guides http://cs.co/ise-compatibility
ISE Ecosystem Guides http://cs.co/ise-guides
ISE Guest http://cs.co/ise-guest
ISE Feedback http://cs.co/ise-feedback
ISE Resources http://cs.co/ise-resources
ISE Software & Eval http://cs.co/ise-eval
For Your
Reference
Public Resources
ISE Licensing & Ordering http://cs.co/ise-license

ISE Training http://cs.co/ise-training
ISE Portal Builder http://isepb.cisco.com
Trustsec Compatibility http://cs.co/trustsec-compatibility
Trustsec Resources http://cs.co/trustsec-resources
For Your
Reference
Sales Resources (Cisco & Partners)
Selling ISE @ Training http://cs.co/selling-ise-training

Selling ISE Demos http://cs.co/selling-ise-demos
ISE Instant Demo http://cs.co/ise-instant-demo
ISE Proof Of Value Kit http://cs.co/ise-pov
ISE Bill Of Materials Tool http://ise-bom.cisco.com
How to Find ISE
Customer References
ISE Endpoint Analysis Tool
http://iseeat.cisco.com
ISE Portal Builder
http://isepb.cisco.com
ISE Bill Of Materials Tool
http://ise-bom.cisco.com
ISE 2.6 Update
IPv6 for ISE Management
• More and more customers start using IPv6 in their
network. ISE already support RADIUS and
DNS, NTP, Portal / UI, TACACAS+, but its not enough.
Syslog & admin access
other services How do we solve it?
• This is the 3rd phase of IPv6 support (after TACACS+
and RADIUS). ISE 2.6 allows managing ISE over IPv6
network. This includes: ISE UI, NTP, DNS, Active
Directory, Syslog, Audit Logs and Reports, ERS,
SNMP, External Repositories and IPv6 Based ACLs,
DACLs and SGACLs.
RADIUS, Active Directory
TACACS+ and, transactions Prerequisites
ACLs, DACLs
• IPv6 network
Authenticate REST Calls Against AD

• Customers who programmatically configure ISE
REST: External using REST APIs must use internal users in order to
Auth Lookup authenticate the session.
How do we solve it?
Success Success
App
• ISE 2.6 can authenticate REST calls against Active
ISE Active Directory
Directory external Identity store.
Enterprise Network Prerequisites

• None.
Authenticate CLI Admin Against AD

• Customers who need to maintain a single source of
External truth of passwords don’t want to use ISE internal DB
Lookup to store the ISE’s admin passwords .
How do we solve it?
Success Success
• ISE 2.6 can authenticate CLI access against Active
ISE Admin ISE Active Directory
Directory external Identity store.
Enterprise Network Prerequisites

• None.
Anyconnect UDID as key (compliance)
Unique Device Identifier (UDID) What are we solving?
• Open seating environments with docking stations or
UDID MAC Address(s) Compliance shared ethernet dongles for Windows/MAC OSX
01669b65...05ee93
pose a challenge because the same MAC address is
00:1a:00:1a:11:11
00:1a:00:1a:22:22 used by different machines. Random MAC addresses
in Windows10. Not a unique ID. How do we solve
it?
• ISE can now perform authorization for managed
end-points regardless to their MAC address, even
when MAC address is not persistent.
Prerequisites
• ISE 2.6, Windows/MacOSx, AnyConnect 4.7
00:1A:00:1A:11:11 00:1A:00:1A:22:22
• Complaint MDM (JAMF/SCCM)
MAC address is not always a reliable identifier yet is used as the common identifier for external systems such as SCCM and JAMF
Increased grace period flexibility – Phase 1
• Employee goes on 2 week holiday. When the
employee returns, they may not be on-line for very
Updates are needed on your long due to things such as customer appointments.
computer before you can An employee may not have their system updated to
join the network the current patch level for much longer than just the
time on holiday given cycle times measured in days
for systems such as JAMF & SCCM
How do we solve it?
• Increased grace period flexibility provides two
customizable end-user warning notification time
periods & a customizable message
Prerequisites
• ISE 2.6, AnyConnect 4.7
Improved AnyConnect User Interface –Phase 1
OLD: NEW: AnyConnect 4.7
Reports to verify TrustSec Deployment
• After TrustSec Policy change and deploying it there
is no way to know if all TrustSec enabled network
devices have successfully downloaded latest policy
How do we solve it?
• A new report that shows the status of the TrustSec
Deployment
Prerequisites
• None
Please fill out the survey
Complete Your Online Session Evaluation
• Give us your feedback and receive a
complimentary Cisco Live 2019 Power Bank
after completing the overall event
evaluation and 5 session evaluations.
• All evaluations can be completed via the
Cisco Live Melbourne Mobile App.
• Don’t forget: Cisco Live sessions will be
available for viewing on demand after the
event at:
https://ciscolive.cisco.com/on-demand-library/
Continue
your Cisco
Demos in
Labs Meet The
Expert
Related
sessions
education the World
of
Solutions
Thank you
#CLMEL
#CLMEL

Brksec 3432 PDF

Uploaded by

Copyright:

Available Formats

Brksec 3432 PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Brksec 3432 PDF

Uploaded by

Copyright:

Available Formats

#CLMEL

Jason Kunst @nacbot

following individuals Technical Marketing Engineer Technical Marketing Engineer

…& the entire Cisco SPA Team

Look for this “For Your Reference” Symbol

~600 +/- Slides in

Supplicant for wired, wireless

Role-based Access Control | Guest Access | BYOD | Secure Access

CISCO IDENTITY SERVICES ENGINE

Non-Trusted App / Services

Software-Defined Segmentation, Location-Free App/Service

A centralized security solution that automates context-aware access to

Physical Identity Profiling Role-Based Policy Access Network Resources

Network What Guest Access

Endpoints supported per Policy Services Node 10,000 50,000 100,000

Cores per Processor 8 12 12

Memory 32GB 96GB 256GB

Hardware RAID No Level 10 Level 10

Power Supplies 1 x 770W 2 X 770W 2 X 770W

MnT (Optimize Logging

TACACS+ Design and

ISE Design Monitoring Load and

Scaling ISE Services

Platforms ISE Appliance

Policy Administration Node (PAN)

Single Node (Virtual / Appliance) Multiple Nodes (Virtual / Appliance)

• Interface to configure and view PAN

• Each ISE deployment must have at least

• Per policy decision, responsible for: • Directly communicates to external

• Changes made via Primary PAN DB are automatically synced to

Policy Change Policy Sync

• Major Secure Access component that enforces network policies.

• Basic NAD types (including 3rd party)

• Enabled as pxGrid persona

• Authorize and setup pxGrid

• Single ISE node (Appliance or VM) can run

Validate NAD configuration Capture traffic destined for ISE

▪ Policy Administration Node (PAN)

▪ Policy Service Node (PSN)

NAD MnT PSN PAN PXG

PAN PSN NAD

PSN Queries AD Directly

• Maximum sessions – Platform dependent

Policy Service Node

ISE Node ISE Node

Admin (P) Admin (S) PSN

• All Services run on both ISE Nodes

• Max sessions – Platform dependent

Admin (P) Monitor (P) Policy Services Cluster Distributed Policy

Policy Services Cluster

(2) SNS-3515 (2) SNS-3595

0 7,500 20,000 40,000 200,000 500,000

(2) SNS-3615 (2) SNS-3655 (2) SNS-3695

0 10,000 25,000 50,000 100,000 500,000 2,000,000

PAN (P) PAN (S)

MnT (S) MnT (S)

PSN PSN PSN PSN

PAN (P) PAN (S)

MnT (S) MnT (S)