The Many Personalities of Cisco ISE

This Engineer is Clearly a Policy Service Node Type!

Are you someone that would be described pretty consistently by those that know you? Is your personality serious or silly?

Well, we need to be careful when describing the Cisco Identity Services Engine (ISE), because depending on how we performed the deployment, a given ISE node may be very different from what we might normally expect!

Let’s set the stage here: we can deploy ISE as a single standalone node, or we can deploy many ISE nodes working together. As you might guess, many ISE nodes working together is exactly what you would find in a huge enterprise environment. Cisco has a fun name for a deployment of many ISE nodes working together to provide the services we need: it is called an ISE cube! How fun is that!

So if you deploy a single ISE node in a relatively small enterprise, that single node clearly takes on all of the ISE roles and functions within the same device. But when we deploy many ISE nodes, Cisco lets us specify the persona (or personas) of each one. This is a great feature! Think about it: not only can you share the workloads and tasks among the multiple nodes, but certain nodes can be tuned and focused on specific ISE responsibilities. This is scalability in its finest form!

So what are the personas that are available to use? I was hoping you would ask!

The Administration Persona

Yes, you are not surprised to learn about this one. This is what we tend to think of when we think about being responsible for an ISE deployment. This critical persona allows you to perform all the administrative operations on Cisco ISE. It handles all system-related configuration as well as the configuration of functionality such as authentication, authorization, auditing, and so on.

If you are building a distributed deployment in a large enterprise (instead of a standalone deployment), then you should plan on two nodes carrying this persona. Why two? High availability, of course. When you do this, you will have a Primary Administration Node (PAN) and a Secondary Administration Node that acts as the standby for high availability.

NOTE: You are only permitted to have two nodes with the Administration persona in your ISE cube!

The Policy Service Persona

This persona provides network access, posture, guest access, client provisioning, and profiling services. This is the real workhorse persona of the ISE system. Think about it: it is making all of the key policy decisions as your users and devices try to log in and access the resources of your network.

You must have at least one node with this persona in your distributed deployment, and you can add more as needed to scale the operation, up to the platform maximum. In fact, a common scenario is to have multiple Policy Service Nodes (PSNs) in your ISE cube, all behind a load balancer that distributes the authentication traffic among them.

Is there a maximum number of these nodes that we can add? Yes, and with ISE 3.x the maximum is 50. Wow, I would love to see the complexity and size of the ISE deployment that would require 50 of these units!

The Monitoring Persona

Yes, you probably could have guessed that this would be one of the personas! What is surprising about this persona (responsible for monitoring and logging the actions in the network) is the fact that you can only have a maximum of two nodes carrying it. Like the Administration persona, here you can configure a Primary and a Secondary (standby) node for high availability (HA) if you desire.

The pxGrid Persona

This persona (pxGrid stands for Platform Exchange Grid) is all about sharing key security data with other security products from Cisco and from other vendors. For example, you might want to take your Cisco TrustSec tags and make another Cisco or Cisco partner security system aware of your IP-to-Security Group Tag (SGT) bindings. The pxGrid persona comes to the rescue in this case.

It is not surprising to learn that the pxGrid persona relies on a functioning Administration node. If your PAN goes down, most of your pxGrid functionality is on hold until the PAN is back or the standby Administration node has been promoted to the primary role. Note that this is typically just a case of promoting the secondary Admin node to become the new PAN.

Conclusion

As you can clearly see, it is important to understand these various personas and the possibilities BEFORE you install your first ISE node! Planning is very important here. While this article described a small and a large deployment, what about a medium-sized deployment? Well, Cisco provides an example of this in their excellent design guides, and the example they give is two Administration nodes and three Policy Service Nodes. This certainly makes sense! You have the HA you would want on Administration, and you have scalability on the workhorse function of policy decisions.
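As an added example (not code from the original post or from Cisco), here is a small Python check that applies the persona limits described above to a planned node list before you build anything: at most two Administration nodes, at most two Monitoring nodes, one to fifty PSNs, pxGrid optional but dependent on the Admin node. The hostnames and the three sample plans are constructed for illustration, and placing the Monitoring persona on the two Administration nodes in the medium plan is my assumption, since the text does not say where it sits.

```python
"""Check a planned Cisco ISE deployment against the persona rules above.

Added example (not Cisco tooling).  The node plans at the bottom are
constructed for illustration; the hostnames are made up.
"""
from collections import Counter

ADMIN, MNT, PSN, PXGRID = "administration", "monitoring", "policy-service", "pxgrid"

# Per-persona (minimum, maximum) node counts as described in the text for
# ISE 3.x: at most two Administration nodes, at most two Monitoring nodes,
# one to fifty Policy Service Nodes, pxGrid optional (no upper bound checked).
LIMITS = {ADMIN: (1, 2), MNT: (1, 2), PSN: (1, 50), PXGRID: (0, None)}


def validate_plan(nodes):
    """nodes maps hostname -> set of personas.  Returns a list of findings;
    an empty list means the plan satisfies the rules."""
    findings = []
    counts = Counter(p for personas in nodes.values() for p in personas)

    for persona in sorted(set(counts) - set(LIMITS)):
        findings.append(f"ERROR: unknown persona '{persona}'")

    for persona, (lo, hi) in LIMITS.items():
        n = counts.get(persona, 0)
        if n < lo:
            findings.append(f"ERROR: at least {lo} {persona} node(s) required, plan has {n}")
        if hi is not None and n > hi:
            findings.append(f"ERROR: at most {hi} {persona} node(s) allowed, plan has {n}")

    # A standalone node carries every persona itself, so HA is not expected.
    # In a distributed deployment a lone Admin or Monitoring node is a single
    # point of failure, and pxGrid depends on the Admin node being up.
    if len(nodes) > 1:
        for persona in (ADMIN, MNT):
            if counts.get(persona, 0) == 1:
                findings.append(f"WARN: single {persona} node, no HA for this persona")
        if counts.get(PXGRID, 0) and counts.get(ADMIN, 0) == 1:
            findings.append("WARN: pxGrid depends on the Administration node, which has no standby")
    return findings


# Constructed sample plans (hostnames are made up).
STANDALONE_PLAN = {"ise-1": {ADMIN, MNT, PSN}}

# Medium deployment from the text: two Administration nodes and three PSNs.
# Putting the Monitoring persona on the Administration nodes is an assumption
# of this example, not something the text specifies.
MEDIUM_PLAN = {
    "ise-adm-1": {ADMIN, MNT},
    "ise-adm-2": {ADMIN, MNT},
    "ise-psn-1": {PSN},
    "ise-psn-2": {PSN},
    "ise-psn-3": {PSN},
}

# A plan that breaks the rules: three Administration nodes, a single
# Monitoring node, a pxGrid node, and no Policy Service Node at all.
BAD_PLAN = {
    "ise-adm-1": {ADMIN}, "ise-adm-2": {ADMIN}, "ise-adm-3": {ADMIN},
    "ise-mnt-1": {MNT}, "ise-px-1": {PXGRID},
}

if __name__ == "__main__":
    for name, plan in (("standalone", STANDALONE_PLAN),
                       ("medium", MEDIUM_PLAN), ("bad", BAD_PLAN)):
        print(f"{name}: {validate_plan(plan) or ['OK']}")
```

Run it as-is to see each plan's findings, then swap in your own hostname-to-persona map; the WARN lines are the HA gaps you would want to close before the first node is installed.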

Thanks for reading and I look forward to your comments below! If you would like to take your knowledge and expertise of the Cisco ISE even further, be sure to grab an appropriate subscription option and jump into the latest ISE 3 training here at lammle.com!
