ISE Personas Explained

The Cisco ISE platform is made up of a number of different services. These are known a personas. Each of these personas provide a number of different functions.

In this lesson we’re going to be taking a look at the different personas available within Cisco ISE. We’ll take a look at what each of the personas do and how they can be enabled on our ISE nodes.


A Cisco ISE persona determines the service that is provided by an ISE node. For example, policy services node (PSN). I like to think of nodes as ‘what function do I want this ISE node to perform?‘.

Our Cisco ISE node (appliance) can provide a number of services to the network, depending on persona’s enabled.

The persona nodes available on Cisco ISE nodes are:

  • Policy Administration Node (PAN)
  • Monitoring Node (MnT)
  • Policy Service Node (PAN)
  • pxGrid Node

Depending on the design and size of our deployment, will depend on the personas we enable. In addition to this, the personas can be ran on the same appliance or spread across multiple to provide redundancy and availability.

As we proceed through the lesson, we’ll break each of the personas down to understand the services they provide.

Policy Administration Node (PAN)

We’ll start by looing at the policy administration node (PAN). The PAN persona is used by the administrator to login and configure the ISE deployment.

Any configuration made to our ISE deployment will be made on the node with the PAN persona enabled. This node then pushes configuration changes from the PAN to the other nodes within the deployment.

The PAN can be deployed within the following methods, depending on the deployment setup:

  • Standalone
  • Primary
  • Secondary

If we’re deploying ISE in a distributed deployment, we can have a maximum of two nodes with the PAN person enabled. One will act as a primary and the second as the secondary.

Monitoring Node (MnT)

An ISE node with the monitoring persona enabled is used to centrally collect logs and generate user reports. Logs are sent via PAN (Policy Administration Node) and PSN (Policy Service Node) devices to the MnT node.

The node is then used for in-depth monitoring and troubleshooting of the entire network.

Logs are stored for each action that takes place within our network. As such, it’s important that the node running the MnT persona has enough storage for the retention required.

The MnT persona can be deployed using the following methods, depending on the deployment design:

  • Standalone
  • Primary
  • Secondary

As a minimum, at least one node within our deployment needs to be running the MnT persona. It’s also not recommended to run the MnT and PSN personas on the same node.

Policy Service Node (PSN)

An ISE node with the policy service persona enabled acts as the RADIUS entry point for the network.

It’s used to provide the following services to the network:

  • AAA
  • Posture
  • Profiling
  • Guest Access

The policy service node (PSN) evaluates policies configured within ISE and then makes the required decisions. An example being, is the device connecting allowed access to the network?

A number of nodes running the policy service persona can be deployed, depending on the size of the deployment. These nodes can then be used to spread the load of network requests into ISE. We’ll touch more on this on our upcoming lesson on Cisco ISE design.


The final persona that’s available is pxGrid. This persona is used to shared contextual information between external systems and ISE.

Some of the external systems that can be integrated with 

  • Cisco Firepower
  • Cisco DNA-C
  • Cisco Stealthwatch

Information can be shared unidirectionally or bidirectionally with pxGrid using inbuilt APIs.

A great example is the DNA-C appliance. This will hook into Cisco ISE via the pxGrid API. The DNA-C appliance then has the ability to read and gather contextual information regarding users on the network. It then has the ability to make changes to ISE. e.g. SGTs (Security Group Tags).