Cisco ISE & Nodes

Cisco ISE & Nodes (PAN/MnT/PSN)

Today we are going to talk about the nodes in a Cisco ISE environment. Cisco Identity Services Engine (ISE) enables enterprises to enforce compliance, enhance infrastructure security, and streamline service operations by integrating identity and access control policies across their infrastructure.

A typical ISE deployment consists of:

  • 1 x PAN/MnT node
  • 2 x PSN nodes
  • 1 x pxGrid node

Fig 1.1 - Cisco ISE & Nodes

Primary Administration Node (PAN)
Most of the configuration and operational work needed to keep an ISE deployment functional is performed from the Administration persona, commonly referred to as the Primary Administration Node (PAN). It is the control center from which the entire deployment is managed.

Each data center hosts one PAN; two PANs (a Primary and a Secondary) is the maximum per deployment. Nodes are virtualized in a VMware farm with dedicated, reserved resources.

In high-availability mode the Primary Administration node is active, and configuration changes can be made only while it is in that state. The Secondary Administration node remains in standby, receiving all updates from the primary.

Monitoring & Troubleshooting (MnT) Nodes
Logging and reporting are handled by the Monitoring and Troubleshooting (MnT) persona. This node acts as the log collector, storing messages from all administration and policy service nodes in the network.

MnT nodes also provide advanced monitoring and troubleshooting tools for use when an investigation is required. They aggregate and correlate the data they collect so that meaningful reports can be generated.

In high-availability mode the number of MnT nodes is limited to two, one in the primary role and one in the secondary role. Regardless of role, both the primary and the secondary MnT collect log messages from the PSNs.

Monitoring nodes fail over when the primary node fails. During that time the secondary provides read-only access until the primary is brought back online, or the secondary can be promoted to the primary role.

Policy Services Nodes (PSN)
Policy Service Nodes (PSNs) enforce access policies; they are the nodes on which all policy decisions are made. A node assigned this role evaluates policies and makes all decisions for access control, posture, guest access, client provisioning, and profiling.

A distributed deployment should have more than one Policy Service node to provide redundancy. Policy Service nodes that sit behind a load balancer can be grouped into a node group.

Node group members keep less significant attributes within their own group, which reduces the amount of information replicated to remote nodes in the network, and members of the group check whether their peers are available.

When a member of the group fails, the remaining members attempt to recover the URL-redirected sessions associated with the failed node.

Once Policy Service Nodes join a node group, they exchange heartbeats to detect node failures. When a failure is detected, another node in the group learns which sessions were active on the failed node and issues a Change of Authorization (CoA) to disconnect those sessions.