During an active authentication, PSNs operate autonomously and typically do not need to interact with the PAN to make a decision.
The interaction is structured as follows:
Policy Synchronization (Pre-Authentication): The PAN acts as the central control centre, maintaining the master database of security policies. It replicates this entire database to all PSNs in the "ISE cube," ensuring they have the local information required to handle requests independently.
Autonomous Evaluation: When a Network Access Device (NAD) sends a RADIUS request, the PSN processes it using its local copy of the policy. It does not query the PAN for "permission" during the authentication flow.
Data Updates (Post-Authentication): If a PSN learns new data about an endpoint during the session—such as profiling attributes or guest user information—it synchronizes that information back to the Primary PAN. The PAN then pushes that update to all other nodes in the deployment to ensure consistency across the network.
Because of this design, authentications can continue even if the PAN is offline, though you wouldn't be able to modify any policies until the PAN is restored or a secondary is promoted.
