CORRECT IS A
https://www.ciscopress.com/articles/article.asp?p=2812072&seqNum=2
If a PSN goes down and orphans a URL-redirected session, one of the other PSNs in the node group sends a Change of Authorization (CoA) to the NAD so that the endpoint can restart the session establishment with a new PSN.
Node group doesn't give redundancy for dot1x or mab sessions.
However, it is imperative to configure all PSN servers in the NAD list to ensure that all sessions have redundancy in terms of authentication.
My answer is D
Answer is A. Since the question is about ISE PSN deployment redundancy, the answer is A. If the question were from the end-user side, then redundancy can be achieved by utilizing the RADIUS server list on the NAD device.
STUPID Question. It's D
A is not the answer because it talks about redundancy and not e.g. CoA. I can still have redundancy whether it's "stateful" or "stateless". If I have a node group and the switch only points to 1 PSN node, I have ZERO redundancy. Therefore I need the redundancy configured on the NAD to utilize ALL the PSN nodes.
Node Groups
When two or more Policy Service Nodes (PSNs) are connected in an ISE deployment, it is recommended that they be placed in a node group. This design optimizes the replication of endpoint profiling data by retaining less significant attributes local to the group and reducing the information that is replicated to the remote nodes in the network.
The correct one is D.
When you configure a switch, for example, you configure the RADIUS server list that the switch is going to use.
Those RADIUS servers are the PSN nodes; when a node goes down, the NAD device will use the other nodes configured in the server list.
Ok, honestly I was thinking about it, the answer could be A instead. Here they are talking about the PSNs, not about the NAD devices, so the redundancy that the question is mentioning is between the PSN nodes. An ISE node group can be done when you have more PSNs in your building and both of them are in the same group.
D
If there is a failure of the Policy Services persona (and, therefore, RADIUS processing) or a failure of a single appliance, the NAD detects the failure of the RADIUS service on one of the PSNs and directs 100% of future RADIUS queries from that NAD to the remaining PSN. The availability, failover, and recovery detection criteria of the RADIUS service are configured on the NAD.
Official Guide
A is correct. The question asks for redundancy in "deployment", not in configuration, so D is not the right choice. Additionally, utilizing the RADIUS server list on the NAD makes redundancy for authentication; the attributes are also shared between group nodes. When a member of a node group learns endpoint attributes (through profiling), it is able to send the information directly to the other members of the node group.
D is the correct answer. Node groups are optional and they enhance the profiler service mostly. The redundancy of PSN availability is dictated by the RADIUS server list order on the NAD. Also see this: https://community.cisco.com/t5/network-access-control/ise-node-groups/td-p/3514849
See 300-715 Official Cert Guide, pg 748
ISE has a concept of Node Group. A Node Group is made up of PSNs, where the PSNs maintain a heartbeat with each other... when a member of a node group learns endpoint attributes (through profiling), it is able to send the information directly to the other members of the node group.
Would it actually be a combination of B and D or does the wording of D (radius list instead of radius group) make that answer incorrect? I say B because the question asks about the deployment and not the NADs added to the deployment. If you only deploy 1 standalone node, there is no redundancy, so at a minimum you would need 2 nodes. So regardless of any other answer B is true. Both servers can "optionally" be added to a "AAA server group" (aaa group server radius NAME) that makes it possible to config the servers in a deterministic order. 1st server listed will be used first. Second server listed will be used when server 1 is dead. That would make D seem true, but again the wording of D is sketchy and the question asks about the deployment and not the NAD configuration.
https://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_dis_deploy.html
– Policy Service—Provides network access, posture, guest access, client provisioning, and profiling services. This persona evaluates the policies and makes all the decisions. You can have more than one node assume this persona. Typically, there would be more than one Policy Service ISE node in a distributed deployment. All Policy Service ISE nodes that reside behind a load balancer share a common multicast address and can be grouped together to form a node group. If one of the nodes in a node group fails, the other nodes detect the failure and reset any pending sessions.
So after all the comments I want to ask a question: if I configure two PSNs in a switch without creating a RADIUS group list for them, do I have redundancy availability?
Yes and no.
As redundant PSNs are behind a load balancer, you configure the VIP address in the RADIUS server list on the NAD. However, the LB can also fail, and even though the PSNs remain alive, the NAD won't be able to reach them via the LB. That's why Cisco recommends using the RADIUS server list on the NAD also with an LB: to have 2 PSN groups, each behind a different LB (preferably in a different DC).
SISE ebook:
“NADs have some built-in capabilities to detect when the configured RADIUS server is dead and to automatically fail over to the next RADIUS server configured. When using a load balancer, the RADIUS server IP address is actually the VIP address. So, if the entire VIP address is unreachable (for example, if the load balancer has died), the NAD should quickly fail over to the next RADIUS server in the list. That defined RADIUS server could be another VIP address in a second data center or another backup RADIUS server; the options are quite flexible.”
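The NAD-side configuration that several comments above refer to (the ordered RADIUS server list / AAA server group, and the dead-server detection and failover described in the SISE quote) looks like the following on a Cisco IOS/IOS-XE switch. This is an added illustration, not a configuration from the thread, from Cisco, or from the cert guide; the server names, the 10.0.0.11 and 10.0.0.12 addresses, the group name, the test username and the shared-secret placeholders are all assumed values.

```ios
aaa new-model
!
! Two PSNs defined individually (assumed addresses). With a load balancer in front
! of each PSN group, these entries would instead be the two VIPs, one per data center.
radius server ISE-PSN-1
 address ipv4 10.0.0.11 auth-port 1812 acct-port 1813
 key <SHARED-SECRET-PLACEHOLDER>
 ! Periodic test Access-Requests let the switch mark the server dead or alive
 ! without waiting for a real user authentication to time out
 automate-tester username radius-test probe-on
!
radius server ISE-PSN-2
 address ipv4 10.0.0.12 auth-port 1812 acct-port 1813
 key <SHARED-SECRET-PLACEHOLDER>
 automate-tester username radius-test probe-on
!
! Dead-server detection: no response for 5 seconds and 3 unanswered attempts
! marks the server dead; it is then skipped for 15 minutes before being retried.
radius-server dead-criteria time 5 tries 3
radius-server deadtime 15
!
! Ordered server group: ISE-PSN-1 is tried first, ISE-PSN-2 only once ISE-PSN-1
! is marked dead. A switch that lists only one PSN has no failover at all,
! whatever node groups exist on the ISE side.
aaa group server radius ISE-GROUP
 server name ISE-PSN-1
 server name ISE-PSN-2
!
aaa authentication dot1x default group ISE-GROUP
aaa authorization network default group ISE-GROUP
aaa accounting dot1x default start-stop group ISE-GROUP
!
! Accept Change of Authorization from either PSN, so the node that picks up an
! orphaned session (the node-group behaviour quoted at the top) can reset it.
aaa server radius dynamic-author
 client 10.0.0.11 server-key <SHARED-SECRET-PLACEHOLDER>
 client 10.0.0.12 server-key <SHARED-SECRET-PLACEHOLDER>
```

After applying it, `show aaa servers` shows each server's state (UP or DEAD) and the counters behind the dead-criteria decision, which is the quickest way to confirm that failover to the second PSN actually happens when the first stops answering.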