Cisco ISE Deployment Notes

As with any deployment, a good design is the foundation of a successful deployment. In this blog I put together a few notes to keep in mind when designing and deploying a Cisco ISE appliance.


COMMUNICATION

Whilst communication is not strictly part of the actual design, it is nonetheless an important area to address. Deploying access controls in any network is a risky business indeed. Why? Well … the words "access control" should be a good clue: a mistake in policy locks legitimate users and devices out of the network.

Furthermore, before even starting the design, you must fully understand what the requirements are and communicate the limitations within those requirements. The existing security policy is a very good starting point for this, so ask for one.

Make sure the business and non-business stakeholders are on-board with the proposed changes and attached risks. This should include network admins, system admins, users, project managers, directors, etc. – basically all of those that may be impacted positively or negatively by the proposed changes.

Keep in mind that you will often need their support too, including technical support. For instance, you may need to engage with the team managing the Active Directory domain in order to push a specific group policy to support the RADIUS/dot1x deployment (for example, enabling the Wired AutoConfig service and configuring the 802.1X supplicant on domain workstations).

At all times, document not only your findings but also encourage others to keep the documentation up to date. Part of the documentation process should also include a troubleshooting guide, which will later be handed over to the Helpdesk team.

It is a good idea to document the problems and solutions you encounter throughout the deployment. This will be valuable information to include in the troubleshooting guide!

UNDERSTANDING THE EXISTING ENVIRONMENT

Understanding the existing network environment should in fact be part of the communication process.

Additionally, Cisco ISE provides a few tools out of the box (or in the box, I should rather say) to aid in profiling the network. To find these, navigate to Administration -> System -> Deployment -> (NODE) -> Profiling Configuration (TAB) in the web GUI:

Here we find a few sources for profiling our network:

  • Netflow
  • RADIUS
  • HTTP
  • DNS
  • DHCP
  • SNMP
  • NMAP
  • Active Directory

NOTES

  1. Using the probes above will in most cases require additional configuration on your network devices too, not just on the ISE appliance. For example, profiling via SNMP requires your network devices to be configured for SNMP (a read-only community or SNMPv3 user that ISE can poll, plus traps sent to ISE); profiling via DHCP will in most cases require helper-addresses pointing at the PSN, if not already configured, etc.
  2. Furthermore, these probes must be enabled per node on the Policy Service Nodes (PSNs); they are not enabled globally.

Once enabled, provided the relevant policies have also been set up, ISE will either send probes out (e.g. NMAP scans, SNMP queries) or listen on specific local interfaces for the respective protocol packets (e.g. DHCP, RADIUS, NetFlow, SNMP traps), as configured. Alternatively, we could also configure the Device Sensor feature on Cisco switches and wireless controllers, which collects CDP/LLDP/DHCP attributes locally and forwards them to ISE inside RADIUS accounting.

We could use either one or the other, or both approaches above, depending on the level of granularity required. Keep in mind though that enabling all probes could generate a lot of useless or duplicate information which, in a large environment, could indeed cause performance issues. I found this blog post a good source of further details; see also Configuring Endpoint Profiling Policies.
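As an added example (not from the original post), this is the network-device side of three of those probes on a Catalyst access switch running IOS 15.x: DHCP relay towards the PSN, SNMP query/trap access for ISE, and Device Sensor forwarding CDP/LLDP/DHCP attributes in RADIUS accounting. All addresses, names, shared secrets and community strings are placeholders, and the PSNs are assumed to have the DHCP, SNMP query and SNMP trap probes enabled on their interface.

```ios
! Added example (not from the original post). Catalyst IOS 15.x access switch.
! Placeholders: PSNs 10.10.10.11/.12, real DHCP server 10.20.0.5, user SVI Vlan100.

! --- RADIUS servers; the accounting stream carries the Device Sensor data
aaa new-model
radius server ISE-PSN1
 address ipv4 10.10.10.11 auth-port 1812 acct-port 1813
 key REPLACE-WITH-SHARED-SECRET
radius server ISE-PSN2
 address ipv4 10.10.10.12 auth-port 1812 acct-port 1813
 key REPLACE-WITH-SHARED-SECRET
aaa group server radius ISE-PSNS
 server name ISE-PSN1
 server name ISE-PSN2
aaa accounting dot1x default start-stop group ISE-PSNS
aaa accounting update newinfo periodic 2880
radius-server vsa send accounting
radius-server vsa send authentication

! --- DHCP probe: relay a copy of client DHCP traffic to the PSN (UDP/67)
! --- in addition to the real DHCP server
interface Vlan100
 description USER-SVI
 ip address 10.100.0.1 255.255.255.0
 ip helper-address 10.20.0.5
 ip helper-address 10.10.10.11

! --- SNMP query/trap probes: read-only access restricted to the PSNs,
! --- plus link and MAC-notification traps so ISE learns of new endpoints
ip access-list standard ISE-SNMP-ACL
 permit 10.10.10.11
 permit 10.10.10.12
snmp-server community REPLACE-WITH-RO-STRING RO ISE-SNMP-ACL
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification change move
snmp-server host 10.10.10.11 version 2c REPLACE-WITH-RO-STRING
mac address-table notification change
mac address-table notification mac-move

! --- Device Sensor: the switch collects CDP/LLDP/DHCP attributes locally and
! --- forwards them to ISE inside RADIUS accounting (no SPAN session needed)
device-sensor filter-list dhcp list DS-DHCP
 option name host-name
 option name requested-address
 option name parameter-request-list
 option name class-identifier
 option name client-identifier
device-sensor filter-list lldp list DS-LLDP
 tlv name system-name
 tlv name system-description
device-sensor filter-list cdp list DS-CDP
 tlv name device-name
 tlv name platform-type
device-sensor filter-spec dhcp include list DS-DHCP
device-sensor filter-spec lldp include list DS-LLDP
device-sensor filter-spec cdp include list DS-CDP
device-sensor accounting
device-sensor notify all-changes
```

Two caveats: Device Sensor only reports attributes for endpoints that have a RADIUS session, so the access ports must be running 802.1X/MAB against the same server group; and an SNMP read-only string is a credential, so prefer SNMPv3 with authentication and privacy where the platform supports it and keep the ACL tight to the PSNs.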

Once your profiling is complete, make sure you understand the potential compatibility issues you may encounter, as not all features are available across all vendors, nor even across all Cisco platforms and software versions. Rather than me giving you a link, just Google "Cisco ISE compatibility matrix" and you should find what you need.

By the end of this process you should really be in a good place in making more technical decisions such as:

  • Actions required prior to initiating the deployment – upgrades, decommissions, technical debt, etc.
  • What deployment model to use – Standalone vs. Distributed
  • Propose virtual vs. physical appliance deployment
  • Licensing requirements
  • High availability requirements
  • Passive identity (agentless; ISE-PIC learns user-to-IP mappings from sources such as Active Directory logon events) vs. active authentication (endpoints authenticate directly via 802.1X/RADIUS)
  • Network segmentation requirements – VLAN based, SGT based or both

CISCO ISE LICENSING

Licensing comes in different packages which are summarised below:

  • Evaluation Licensing – 90 days
  • Base Licensing – perpetual
  • Plus Licensing – 1, 3 or 5 year subscription
  • Apex Licensing – 1, 3 or 5 year subscription (term-based like Plus, not perpetual)
  • Device Administration (TACACS+) – perpetual
  • IPSec – perpetual

For more detailed information, including the features enabled by each licensing package, check the Ordering Guide, which is dated March 2019. Note that ISE 3.0 later replaced these packages with the Essentials, Advantage and Premier subscription tiers, so use the ordering guide that matches your target version.


ISE DEPLOYMENT

Roles (Personas)

  • PAN – Policy Administration Node
    • provides management functions for the ISE environment: the admin GUI, policy configuration and the master copy of the configuration database
    • up to two nodes (primary/secondary) in active/standby
  • MnT – Monitoring Node
    • provides log collection and advanced monitoring and troubleshooting tools
    • up to two nodes (primary/secondary) in active/standby
  • PSN – Policy Service Node
    • policy nodes evaluate the policy sets; they receive the policy by replication from the primary PAN rather than from each other
    • PSNs stand at the core of policy enforcement using RADIUS, TACACS+ and TrustSec
    • up to fifty nodes can be deployed in active/active mode (as of ISE 2.4; check the limits for your version)
  • pxGrid – Platform Exchange Grid
    • provides context sharing and integration with third-party security systems
    • a Cisco framework, proposed to the IETF as an Internet-Draft but not a ratified standard
    • here is a two-minute overview

Deployment model

  • Standalone
    • all roles enabled on a single node
    • no HA or redundancy
  • Distributed
    • Different grades of HA can be achieved
    • A high-level overview is provided here
    • Consider WAN links redundancy
    • Consider latency between sites
    • Consider Active Directory (roles) design
    • Consider license & budget
    • Consider SLA

SCALE & SCALABILITY CONSIDERATIONS

  • Assume 3 devices per user + IP phones
  • Consider peak times usage
  • Include Printers, IoT devices, Wireless access points
  • Latency requirements – as of ISE v2.4, 300 ms round-trip between nodes is the maximum acceptable (bandwidth to the MnT nodes matters too, since every PSN ships its logs there)
  • VM only, Physical only or combination of VM and Physical deployment are all supported
  • Maximums change across released versions (more details can be found here)

ADDITIONAL TIPS & RECOMMENDATIONS

  • ISE nodes behind load-balancers is a supported setup
  • Provide on-site (local) PSNs at sites where a WAN outage would otherwise leave endpoints unable to authenticate
  • Avoid standalone deployments
  • The ISE virtual machine appliance is very, very sensitive to changes of its virtual hardware resources (vCPU, RAM, disk) after installation. Size it correctly up front and, once deployed, leave it alone!
  • Standardise your switch configuration (one template per port role, so the same ISE policy produces the same result on every switch)
  • Heavy TACACS+ accounting could have a negative performance impact; consider a dedicated ISE deployment for device administration (TACACS+) only
  • Aim for minimum latency across WAN links; 300 ms is acceptable but not ideal!
  • Enable ISE services progressively through the enterprise
  • Make use of monitor mode (authenticate, but do not yet enforce) when designing policy sets
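An added example of such a standardised access-port template in monitor mode (my own illustration, not from the original post), using the classic IOS 15.x "IBNS 1.0" authentication commands. It assumes a RADIUS server group named ISE-PSNS already exists; the VLAN numbers and port range are placeholders.

```ios
! Added example (not from the original post): standard access-port template,
! IOS 15.x classic (IBNS 1.0) syntax, monitor mode. Assumes the RADIUS server
! group ISE-PSNS is already defined. VLAN numbers and port range are placeholders.

aaa new-model
aaa authentication dot1x default group ISE-PSNS
aaa authorization network default group ISE-PSNS
aaa accounting dot1x default start-stop group ISE-PSNS
dot1x system-auth-control
! attributes ISE expects in Access-Requests: NAS-Port-Type, Framed-IP-Address,
! Class (needed for CoA / session correlation)
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server vsa send authentication
radius-server vsa send accounting
! declare a PSN dead after 3 missed replies, retry it after 15 minutes
radius-server dead-criteria time 5 tries 3
radius-server deadtime 15

interface range GigabitEthernet1/0/1 - 48
 description ACCESS-PORT MONITOR-MODE
 switchport mode access
 switchport access vlan 100
 switchport voice vlan 200
 spanning-tree portfast
! monitor mode: the port authenticates (so ISE logs pass/fail and profiles the
! endpoint) but never blocks traffic. Remove "authentication open" when moving
! to low-impact or closed mode.
 authentication open
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
! per-port MAC-notification traps feed the ISE SNMP trap probe
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
```

On the ISE side, pair this with authorization profiles that return plain PermitAccess while in monitor mode: a dACL or VLAN returned to an open port is still applied, so an enforcing result silently ends the "monitor only" phase for that endpoint. The matching switch configuration and the ISE policy set should move to enforcement together.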

In conclusion to this blog I'd like to leave you with two documents which you can use as templates in your own documentation.

Troubleshooting Guide | As-Built


Thank you,

Rafael A. Couto Cabral • LinkedIn Profile
Cisco | F5 | VMware Certified • PRINCE2 Practitioner

Originally posted 2019-07-27 00:39:45.
