Cisco Cisco Identity Services Engine Software
Release Notes for Cisco Identity Services Engine, Release 1.1
OL-25539-01
Node Types, Personas, Roles, and Services
Types of Nodes and Personas
A Cisco ISE network has only two types of nodes:
• Cisco ISE node—An ISE node could assume any of the following three personas:
– Administration—Allows you to perform all administrative operations on Cisco ISE. It handles
all system-related configuration and configurations related to functionality such as
authentication, authorization, auditing, and so on. In a distributed environment, you can have
only one or a maximum of two nodes running the Administration persona. The Administration
persona can take on any one of the following roles: standalone, primary, or secondary. If the
primary Administration node goes down, you have to manually promote the secondary
Administration node. There is no automatic failover for the Administration persona.
– Policy Service—Provides network access, posture, guest access, and profiling services. This
persona evaluates the policies and makes all the decisions. You can have more than one node
assuming this persona. Typically, there would be more than one Policy Service persona in a
distributed deployment. All Policy Service personas that reside behind a load balancer share a
common multicast address and can be grouped together to form a node group. If one of the
nodes in a node group fails, the other nodes in that group process the requests of the node that
has failed, thereby providing high availability.
Note: At least one node in your distributed setup should assume the Policy Service persona.
– Monitoring—Enables Cisco ISE to function as the log collector and store log messages from all
the Administration and Policy Service personas on the ISE nodes in your network. This persona
provides advanced monitoring and troubleshooting tools that you can use to effectively manage
your network and resources.
A node with this persona aggregates and correlates the data that it collects to provide you with
meaningful information in the form of reports. Cisco ISE allows you to have a maximum of two
nodes with this persona that can take on primary or secondary roles for high availability. Both the
primary and secondary Monitoring personas collect log messages. In case the primary Monitoring
persona goes down, the secondary Monitoring persona automatically assumes the role of the primary
Monitoring persona.
Note: At least one node in your distributed setup should assume the Monitoring persona. It is
recommended that the Monitoring persona be on a separate, designated node for higher
performance in terms of data collection and report launching.
• Inline Posture node—A gatekeeping node that is positioned behind network access devices such as
wireless LAN controllers (WLCs) and virtual private network (VPN) concentrators on the network.
Inline Posture enforces access policies after a user has been authenticated and granted access, and
handles Change of Authorization (CoA) requests that a WLC or VPN is unable to accommodate.
Cisco ISE allows up to 10,000 Inline Posture nodes in a deployment. You can pair two Inline Posture
nodes together for high availability as a failover pair.
Note: An Inline Posture node is dedicated solely to that service, and cannot operate concurrently with
other ISE services. Likewise, due to the specialized nature of its service, an Inline Posture node
cannot assume any persona. Inline Posture nodes are not supported on VMware server systems.
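
The persona and node-type rules above can be checked against a deployment plan before nodes are registered. The following is an added example, not Cisco code: the dictionary keys (name, type, personas, platform), the persona identifiers, and the sample node names are assumptions made for illustration.

```python
from collections import Counter

# (minimum, maximum) node counts per persona, as stated in the text above.
LIMITS = {"administration": (1, 2), "policy_service": (1, None), "monitoring": (1, 2)}
PERSONAS = set(LIMITS)
MAX_INLINE_POSTURE = 10_000

def validate_deployment(nodes):
    """Return a list of rule violations for a planned distributed deployment."""
    problems, counts, inline = [], Counter(), 0
    for node in nodes:
        personas = set(node.get("personas", ()))
        if node["type"] == "inline_posture":
            inline += 1
            if personas:
                problems.append(f"{node['name']}: Inline Posture node cannot assume a persona")
            if node.get("platform") == "vmware":
                problems.append(f"{node['name']}: Inline Posture not supported on VMware")
            continue
        for unknown in sorted(personas - PERSONAS):
            problems.append(f"{node['name']}: unknown persona {unknown!r}")
        counts.update(personas & PERSONAS)
        # The text recommends, but does not require, a dedicated Monitoring node.
        if "monitoring" in personas and len(personas) > 1:
            problems.append(f"{node['name']}: advisory: Monitoring shares a node with other personas")
    for persona, (low, high) in LIMITS.items():
        have = counts[persona]
        if have < low:
            problems.append(f"deployment: needs at least {low} {persona} node(s), has {have}")
        if high is not None and have > high:
            problems.append(f"deployment: at most {high} {persona} node(s) allowed, has {have}")
    if inline > MAX_INLINE_POSTURE:
        problems.append(f"deployment: more than {MAX_INLINE_POSTURE} Inline Posture nodes")
    return problems

# Constructed sample plans (not taken from the release notes).
GOOD_PLAN = [
    {"name": "pan1", "type": "ise", "personas": ["administration"], "platform": "appliance"},
    {"name": "pan2", "type": "ise", "personas": ["administration"], "platform": "vmware"},
    {"name": "psn1", "type": "ise", "personas": ["policy_service"], "platform": "vmware"},
    {"name": "mnt1", "type": "ise", "personas": ["monitoring"], "platform": "appliance"},
    {"name": "ipn1", "type": "inline_posture", "personas": [], "platform": "appliance"},
]
BAD_PLAN = [
    {"name": "all1", "type": "ise", "personas": ["administration", "monitoring"], "platform": "vmware"},
    {"name": "ipn1", "type": "inline_posture", "personas": ["policy_service"], "platform": "vmware"},
]
```

`validate_deployment(BAD_PLAN)` reports the missing Policy Service persona, the shared Monitoring node, and both Inline Posture violations; a persona listed on an Inline Posture node is rejected and not counted toward the deployment totals.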