The first factor that determines which Cisco ISE deployment is recommended for your infrastructure is the number of RADIUS sessions your environment needs, in other words the number of active, concurrent sessions. To calculate this number, start by determining whether wired and wireless connections are both in scope.
1-Calculate the number of ports on your access switches. For example, 300 switches with 48 ports each gives 14400 ports.
2-Calculate the total number of users connecting through wireless and multiply by two to allow each user two mobile devices. For example, 10000 users x 2 = 20000.
3-Calculate the number of guest users according to your organization's activities. Let's say that, per your studies, you expect 200 guest users that need network access.
The number of active RADIUS sessions will be:
14400 + 20000 + 200 = 34600 active RADIUS sessions.
Cisco recommends the following network deployment types for Cisco ISE:
1-Small deployment: one node or two nodes running all personas.
2-Medium deployment: two nodes with colocated PAN and MnT and up to 6 PSNs.
3-Large deployment: Dedicated PAN and MnT, up to 50 PSNs.
In this case, the small and medium deployments are enough to meet the requirement calculated above, 34600 active sessions.
But a second factor must be taken into consideration: the number of sites that need RADIUS service. If you have more than one site, for example 4 sites, and you want authentication to survive a WAN failure, the medium deployment is the recommended option, because you can put the PAN/MnT node in the HQ site while 4 PSN nodes are distributed across your branch sites.
If you have more than 5 sites, let's say 10 sites, and you would like to dedicate a PSN to each site while leaving room for your organization to scale, the large deployment type is your option.