ISE Architecture

Deployment Topology

                    ┌─────────────────────────────────────────┐
                    │            ISE 3.4 (ise-01)             │
                    │      Primary PAN / MnT / PSN            │
                    │         10.50.1.20                      │
                    └─────────────────┬───────────────────────┘
                                      │
            ┌─────────────────────────┼─────────────────────────┐
            │                         │                         │
     ┌──────▼──────┐          ┌───────▼───────┐         ┌───────▼───────┐
     │  pfSense    │          │  9800-CL-WLC  │         │  SWITCH_9300  │
     │  RADIUS     │          │  RADIUS       │         │  RADIUS       │
     │  10.50.1.1  │          │  10.50.1.12   │         │  10.50.1.11   │
     └──────┬──────┘          └───────┬───────┘         └───────┬───────┘
            │                         │                         │
     ┌──────▼──────┐          ┌───────▼───────┐         ┌───────▼───────┐
     │   Wired     │          │   Wireless    │         │   Wired       │
     │   Clients   │          │   Clients     │         │   Clients     │
     └─────────────┘          └───────────────┘         └───────────────┘

Node Roles

  Role                          Abbreviation  Description
  Policy Administration Node    PAN           Configuration, policy management, admin portal
  Monitoring & Troubleshooting  MnT           Logging, reporting, live sessions, DataConnect
  Policy Service Node           PSN           RADIUS authentication, authorization, profiling

Current Deployment

Single-node deployment with all roles on ise-01:

  • Pros: Simple, cost-effective for home enterprise

  • Cons: Single point of failure, maintenance requires downtime

Network Access Devices (NADs)

  Device        IP          Type                 Protocol
  pfSense-FW01  10.50.1.1   Firewall/Router      RADIUS
  9800-CL-WLC   10.50.1.12  Wireless Controller  RADIUS
  SWITCH_9300   10.50.1.11  Access Switch        RADIUS/TACACS+

Integration Points

Authentication Sources

  Source     Type                   Usage
  home-dc01  Active Directory       User/computer authentication, group mapping
  Internal   ISE Internal           Local accounts, guest users
  Vault PKI  Certificate Authority  EAP-TLS certificate validation

External Systems

  System    Integration  Purpose
  Keycloak  SAML 2.0     Admin portal SSO
  Vault     REST API     Certificate issuance
  NAS-01    NFS          Backup repository

Certificate Architecture

DOMUS-ROOT-CA (Vault - offline)
└── DOMUS-ISSUING-CA (Vault pki_int)
    ├── ise-01.inside.domusdigitalis.dev (Admin + EAP)
    ├── modestus-razer (Client EAP-TLS)
    ├── modestus-aw (Client EAP-TLS)
    └── modestus-p50 (Client EAP-TLS)

See Vault PKI Cert Issuance (infra-ops) for certificate procedures.
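The two-tier hierarchy above (offline root, online issuing CA, EAP-TLS leaf certificates) can be exercised end to end with nothing but the openssl CLI. The script below is an added example, not part of this page or of the Vault PKI procedure it points to: it builds a throwaway root and issuing CA with constructed names (DEMO-ROOT-CA, DEMO-ISSUING-CA, demo-laptop), issues a client certificate with the clientAuth extended key usage, and then runs the chain check a RADIUS server performs on a supplicant certificate: trust anchored on the root only, issuing CA supplied as an untrusted intermediate, leaf required to be usable for client authentication. Two deliberately bad leaves (a serverAuth-only certificate from the same issuing CA, and a clientAuth certificate from an unrelated CA) show the two ways that check fails. Keys, directory and lifetimes are assumptions for the demo; it never touches the real Vault-issued material.

```shell
#!/bin/sh
# Added example (constructed names, throwaway keys): offline root -> issuing CA
# -> EAP-TLS client certificate, plus the chain/purpose check on the leaf.
set -eu

PKI_DIR="${PKI_DIR:-$(mktemp -d)}"   # assumption: scratch directory for the demo

# Write an X.509v3 extension file: $1 = path, remaining args = one line each.
ext_file() {
  out="$1"; shift
  printf '%s\n' "$@" > "$out"
}

# Generate a P-256 key and CSR: $1 = basename, $2 = subject CN.
csr() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$PKI_DIR/$1.key" -out "$PKI_DIR/$1.csr" -subj "/CN=$2" 2>/dev/null
}

# Sign a CSR with a CA: $1 = basename, $2 = CA basename, $3 = ext file, $4 = days.
sign() {
  openssl x509 -req -in "$PKI_DIR/$1.csr" \
    -CA "$PKI_DIR/$2.pem" -CAkey "$PKI_DIR/$2.key" -CAcreateserial \
    -days "$4" -sha256 -extfile "$3" -out "$PKI_DIR/$1.pem" 2>/dev/null
}

# Self-sign a CSR as a root CA: $1 = basename.
self_sign_ca() {
  openssl x509 -req -in "$PKI_DIR/$1.csr" -signkey "$PKI_DIR/$1.key" \
    -days 3650 -sha256 -extfile "$PKI_DIR/ca.ext" -out "$PKI_DIR/$1.pem" 2>/dev/null
}

build_pki() {
  ext_file "$PKI_DIR/ca.ext" \
    "basicConstraints=critical,CA:TRUE" \
    "keyUsage=critical,keyCertSign,cRLSign" \
    "subjectKeyIdentifier=hash"
  # pathlen:0 means the issuing CA can sign leaves but never another CA.
  ext_file "$PKI_DIR/sub.ext" \
    "basicConstraints=critical,CA:TRUE,pathlen:0" \
    "keyUsage=critical,keyCertSign,cRLSign" \
    "subjectKeyIdentifier=hash" \
    "authorityKeyIdentifier=keyid:always"
  # Leaf profile for an EAP-TLS supplicant: clientAuth EKU, no CA bit.
  ext_file "$PKI_DIR/client.ext" \
    "basicConstraints=critical,CA:FALSE" \
    "keyUsage=critical,digitalSignature" \
    "extendedKeyUsage=clientAuth" \
    "subjectKeyIdentifier=hash" \
    "authorityKeyIdentifier=keyid:always"
  # Leaf profile for a TLS server: serverAuth only, so it must NOT pass as a supplicant.
  ext_file "$PKI_DIR/server.ext" \
    "basicConstraints=critical,CA:FALSE" \
    "keyUsage=critical,digitalSignature,keyEncipherment" \
    "extendedKeyUsage=serverAuth" \
    "subjectKeyIdentifier=hash" \
    "authorityKeyIdentifier=keyid:always"

  csr root "DEMO-ROOT-CA";        self_sign_ca root          # offline root
  csr issuing "DEMO-ISSUING-CA";  sign issuing root "$PKI_DIR/sub.ext" 1825
  csr client "demo-laptop";       sign client issuing "$PKI_DIR/client.ext" 365
  csr server "demo-server";       sign server issuing "$PKI_DIR/server.ext" 365
  # Unrelated CA with a correctly profiled leaf: right EKU, untrusted chain.
  csr rogue-ca "ROGUE-CA";        self_sign_ca rogue-ca
  csr rogue "demo-laptop";        sign rogue rogue-ca "$PKI_DIR/client.ext" 365
}

# The check a RADIUS server applies to a supplicant certificate: only the root
# is a trust anchor, the issuing CA is an untrusted intermediate (as the
# supplicant would present it), and the leaf must be valid for client auth.
verify_client_cert() {
  openssl verify -CAfile "$PKI_DIR/root.pem" -untrusted "$PKI_DIR/issuing.pem" \
    -purpose sslclient "$1" >/dev/null 2>&1
}

if [ "${1:-}" = "demo" ]; then
  build_pki
  for c in client server rogue; do
    if verify_client_cert "$PKI_DIR/$c.pem"; then echo "$c: accepted"; else echo "$c: rejected"; fi
  done
fi
```

Run it as `sh pki-demo.sh demo`: only the clientAuth leaf chained to DEMO-ISSUING-CA is accepted. The server-only certificate fails on purpose (wrong EKU) even though its chain is perfect, and the rogue leaf fails on chain building even though its profile is perfect, which is why a PSN trust store should hold only the CAs that are meant to issue supplicant certificates.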