As a point of reference, if you are cloud-based and have deployed Microsoft’s AADDS (Azure Active Directory Domain Services), the architecture model for that service puts a LB in front of the DCs to assist with service scale out, including replica sets across geographic regions.
One could accomplish this within each individual service, but as the number of services increases, there is a point where hiding that complexity behind a LB makes the management a bit easier, including DR/business continuity.

Jeff

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Manon Lessard
Sent: Tuesday, August 03, 2021 8:48 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] can Active Directory backend for ISE be tested before adding all wireless auth?

Spurgeon

We tend to load balance a whole bunch of things, but I would really be concerned about load balancing AD servers because the VS would itself add some latency. Not saying it wouldn’t work, just my own experience. I would rather rely on dedicating AD servers to some “site” and use the “site” as a way to establish a pecking order. So the stuff that’s crucial (ex: Auth) would be tied to a “critical” site, and thus be served first.

Also, I would strongly suggest that the groups which are whitelisted and added are not too large. They are only what the ISE server has to use to look up users. With ISE the AD connector can deal with not being everywhere; make good use of it. ACS 5 didn’t have that capability and thus was real slow, esp. since it had to browse the whole thing.

And remember, ad_agent.log is your friend; if it whines, there’s a problem.
Manon Lessard
Programming and Analysis Officer
CCNP, CWNE #275, AWA 10, ESCE Design
Direction des technologies de l'information (IT Department)
Pavillon Louis-Jacques-Casault
1055, avenue du Séminaire, Bureau 0403
Université Laval, Québec (Québec) G1V 0A6, Canada
418 656-2131, ext. 412853
Fax: 418 656-7305
manon.less...@dti.ulaval.ca
www.dti.ulaval.ca
Notice of Confidentiality: http://www.rec.ulaval.ca/lce/securite/confidentialite.htm

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of "Spurgeon, Charles E" <c.spurg...@austin.utexas.edu>
Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Tuesday, August 3, 2021 at 11:41 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] can Active Directory backend for ISE be tested before adding all wireless auth?

I have no answer for dev testing of AD performance. However, I do have some links to Cisco info on ISE scaling and deployment that I saved for future ref. Here they are in case they may be of use:

1. 2019 – “How Cisco Deployed ISE”
   https://www.ciscolive.com/global/on-demand-library.html?search=dgtl-brkcoc%20ise&search=dgtl-brkcoc+ise#/session/1573153539632001Je9Y
2. 2018 – “Designing ISE for Scale and High Availability”
   https://www.ciscolive.com/global/on-demand-library.html?search=dgtl-brkcoc%20ise&search=dgtl-brkcoc+ise#/session/1500302030233001WuLd
3. “ISE Performance and Scale” community doc with current updates:
   https://community.cisco.com/t5/security-documents/ise-performance-amp-scale/ta-p/3642148

FWIW, I recall hearing somewhere (probably a CiscoLive Online preso) that the ISE-AD config on the Cisco enterprise network used multiple secondary AD servers behind a load balancer (IIRC) to avoid direct connections between ISE and primary AD servers, since the primary servers could get busy or hung and freeze up ISE (so to speak). That’s second-hand info from memory, so you would definitely want to verify that with Cisco.

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Joseph Bernard
Sent: Tuesday, August 3, 2021 9:49 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] can Active Directory backend for ISE be tested before adding all wireless auth?

So we are running ISE which is backended by Active Directory. We have been adding sections of campus to wireless authentication of eduroam and things seemed fine with no issues that we could see. When we finally added the last bit of our environment on Friday, things were going great, but then Monday happened and all hell broke loose and authentication went in the toilet. It seemed that ISE couldn’t get answers from AD fast enough and switched to our DR site, which made things WAY worse, and we had to move all our stuff back to our previous platform.
Since that incident, we have tweaked all the settings we can find, from minimizing DNS lookups to hiding the DR site from ISE. AD is kind of a black box, so there is only so much we see or find documentation for. My question is, is there a way to test if our AD backend is strong enough to handle our campus of 20,000 wireless devices moving around during a class change without putting it in production first and crossing our fingers?

Thanks,
Joseph Bernard

********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community **********
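Joseph's question above is whether the AD backend can be exercised before it sits in front of 20,000 roaming devices. As an added example (not code from anyone in this thread), the Python harness below fires a class-change-sized burst of authentications at a pluggable auth function, counts how many were refused or answered after the RADIUS server's own AD timeout would already have expired, and reports latency percentiles. The ldap3-based NTLM bind, the timeout value, the 0.1% failure budget and the "studentNNNNN" usernames are all assumptions for illustration; ISE's AD connector authenticates over Kerberos/RPC, so the bind path measures a DC's responsiveness under concurrent load rather than reproducing ISE's exact behaviour.

```python
"""Burst load harness for the AD backend behind an 802.1X/RADIUS server.
Added example, not from this thread. auth_fn is pluggable: ldap_bind_auth is an
assumed way to drive a real DC; fake_dc keeps the harness runnable offline."""
import concurrent.futures as cf
import math
import time
from dataclasses import dataclass
from typing import Callable, Iterable, List, Set


@dataclass
class BurstResult:
    attempts: int
    failures: int   # auth_fn returned False or raised (refused, hung, or broken DC)
    timeouts: int   # authenticated, but slower than timeout_s (the NAS had moved on)
    p50_ms: float
    p95_ms: float
    p99_ms: float
    max_ms: float


def percentile(values: List[float], pct: float) -> float:
    """Nearest-rank percentile of a non-empty list, no numpy needed."""
    ordered = sorted(values)
    rank = max(1, math.ceil(pct * len(ordered) / 100.0))
    return ordered[rank - 1]


def run_burst(auth_fn: Callable[[str], bool], users: Iterable[str],
              concurrency: int, timeout_s: float) -> BurstResult:
    """Authenticate every user once, `concurrency` at a time, timing each call."""
    users = list(users)
    if not users:
        raise ValueError("need at least one user to measure")
    latencies_ms: List[float] = []
    failures = timeouts = 0

    def one(user: str):
        started = time.perf_counter()
        try:
            ok = bool(auth_fn(user))
        except Exception:          # a DC that errors or hangs counts as a failed auth
            ok = False
        return ok, time.perf_counter() - started

    with cf.ThreadPoolExecutor(max_workers=concurrency) as pool:
        for ok, elapsed in pool.map(one, users):
            latencies_ms.append(elapsed * 1000.0)
            if not ok:
                failures += 1
            elif elapsed > timeout_s:   # correct answer, but too late to be useful
                timeouts += 1

    return BurstResult(
        attempts=len(users), failures=failures, timeouts=timeouts,
        p50_ms=percentile(latencies_ms, 50), p95_ms=percentile(latencies_ms, 95),
        p99_ms=percentile(latencies_ms, 99), max_ms=max(latencies_ms),
    )


def passes(result: BurstResult, timeout_s: float, max_bad_fraction: float = 0.001) -> bool:
    """Go/no-go: failed-or-late answers inside the budget and p99 inside the timeout.
    The 0.1% budget is an assumed threshold, not a vendor number."""
    bad = result.failures + result.timeouts
    return bad / result.attempts <= max_bad_fraction and result.p99_ms <= timeout_s * 1000.0


def ldap_bind_auth(dc_host: str, netbios_domain: str,
                   password_for: Callable[[str], str]) -> Callable[[str], bool]:
    """auth_fn that NTLM-binds to ONE DC over LDAPS using ldap3 (assumed installed).
    ISE's connector uses Kerberos/RPC, not LDAP binds, so this measures the DC's
    responsiveness under concurrent authentication rather than ISE's exact path."""
    import ldap3  # imported lazily so the offline demo needs no extra package

    server = ldap3.Server(dc_host, use_ssl=True, connect_timeout=5, get_info=ldap3.NONE)

    def auth(user: str) -> bool:
        conn = ldap3.Connection(server, user=f"{netbios_domain}\\{user}",
                                password=password_for(user), authentication=ldap3.NTLM)
        try:
            return conn.bind()
        finally:
            conn.unbind()
    return auth


def fake_dc(slow_users: Set[str], slow_seconds: float,
            bad_users: Set[str]) -> Callable[[str], bool]:
    """Constructed stand-in for a DC: listed users answer slowly or fail outright."""
    def auth(user: str) -> bool:
        if user in slow_users:
            time.sleep(slow_seconds)
        return user not in bad_users
    return auth


if __name__ == "__main__":
    users = [f"student{i:05d}" for i in range(2000)]   # constructed roaming population
    dc = fake_dc({users[7], users[900]}, 1.5, {users[42]})  # two laggards, one bad password
    result = run_burst(dc, users, concurrency=64, timeout_s=1.0)
    print(result, "PASS" if passes(result, timeout_s=1.0) else "FAIL")
```

Run it first against fake_dc to see the shape of the report, then point ldap_bind_auth at a single DC from a host near the ISE nodes and ramp concurrency until p99 or the late-answer count crosses the line; testing one DC at a time tells you what each server sustains, which a load-balanced VIP or a silent failover to the DR site would hide.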