https://community.cisco.com/t5/network-access-control/cisco-ise-with-multiple-network-interface/m-p/2278567#M149051 <HTML><HEAD></HEAD><BODY><P>Hello Amjad,</P><P></P><P>For External Idenity sources Cisco ISE would use Eth0 as the default and only interface to communicate with them. But in case of exteranl RADIUS proxy request its not bounded to Eth0 interface and rather depends on the route on Cisco ISe.</P><P></P><P>Hope this answers the query</P><P></P><P>Thanks</P><P></P><P>Kumar</P></BODY></HTML> Tue, 15 Oct 2013 07:23:32 GMT kmittal 2013-10-15T07:23:32Z https://community.cisco.com/t5/network-access-control/cisco-ise-with-multiple-network-interface/m-p/2278562#M148791 <P>Hello,</P><P></P><P>I am deploying Cisco ISE 1.2 in a distributed deployment and the requirement is to use external Radius proxy feature. ISE PSNs are designed to have 2 L3 NIC's, Eth0 for administration and Eth1 as client side facing NIC for Radius requests. I am interested to know would Cisco ISE in version 1.2 use Eth1 interface to send RADIUS&nbsp; authentication request to external RADIUS Proxy server.</P><P></P><P>Could not find above information in <SPAN style="font-size: 10pt;">Cisco SNS-3400 Series Appliance Ports Reference.</SPAN></P><P></P><P></P><P><A href="http://www.cisco.com/en/US/docs/security/ise/1.2/installation_guide/ise_app_c-ports.html" target="_blank">http://www.cisco.com/en/US/docs/security/ise/1.2/installation_guide/ise_app_c-ports.html</A></P><P></P><P></P><P>Thanks</P><P></P><P>Kumar</P> Mon, 11 Mar 2019 03:56:37 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-with-multiple-network-interface/m-p/2278562#M148791 kmittal 2019-03-11T03:56:37Z https://community.cisco.com/t5/network-access-control/cisco-ise-with-multiple-network-interface/m-p/2278563#M148826 <HTML><HEAD></HEAD><BODY><P>Hi Kumar,</P><P></P><P>I believe you need to move the question to ACS/Identity and NAC section, it will be more accessible by the ISE experts.</P><P></P><P>Anyway, ISE can support External RADIUS server as External Identity source, and this can be done though any interface like the Gig0 which is MGMT one.</P><P></P><P>You can consider your server like the AD as example, and the ISE will use Gig0 for traffic forwarding to any other parties used on the configuration.</P><P></P><P>Please check this:</P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_man_id_stores.html#wp1098609">http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_man_id_stores.html#wp1098609</A></P><P></P><P>Thanks.</P><P>Ahmad.</P></BODY></HTML> Sat, 28 Sep 2013 15:39:42 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-with-multiple-network-interface/m-p/2278563#M148826 Ahmad Murad 2013-09-28T15:39:42Z https://community.cisco.com/t5/network-access-control/cisco-ise-with-multiple-network-interface/m-p/2278564#M148863 <HTML><HEAD></HEAD><BODY><P>Thanks Ahmad for the reply.</P><P></P><P>Cisco ISE uses standard RADIUS authentication and authorization port to send request to Exteranl RADIUS proxy. As per the interface/port refrence guide of version 1.2 this is listed that is causing a confusion :-</P><P></P><P></P><TABLE border="0" cellpadding="0" cellspacing="0" style="width: 712px;"><TBODY><TR style="height: 15.0pt;"><TD height="20" style="height: 15.0pt; width: 86pt;" width="114"><BR /></TD><TD style="width: 143pt;" width="191"><BR /></TD><TD style="width: 161pt;" width="215">Eth0</TD><TD style="width: 48pt;" width="64">Eth1</TD><TD style="width: 48pt;" width="64">Eth2</TD><TD style="width: 48pt;" width="64">Eth3</TD></TR><TR style="height: 96.0pt;"><TD height="400" rowspan="2" style="height: 300.0pt;">Policy&nbsp;&nbsp; Service node</TD><TD>Session</TD><TD align="left" colspan="4" height="128" style="height: 96.0pt; width: 305pt;" valign="top" width="407"><TABLE cellpadding="0" cellspacing="0"><TBODY><TR><TD colspan="4" height="128" style="height: 96.0pt; width: 305pt;" width="407"><BR /> •UDP:1645, 1812 (RADIUS Authentication)<BR /> <BR /> •UDP:1646, 1813 (RADIUS Accounting)<BR /> <BR /> •UDP: 1700 (RADIUS change of authorization Send)<BR /> <BR /> •UDP: 1700, 3799 (RADIUS change of authorization Listen/Relay)</TD></TR></TBODY></TABLE></TD></TR><TR style="height: 204.0pt;"><TD height="272" style="height: 204.0pt; width: 143pt;" width="191">External&nbsp;&nbsp; Identity Stores <BR /> and Resources</TD><TD align="left" style="width: 161pt;" valign="top" width="215"><TABLE cellpadding="0" cellspacing="0"><TBODY><TR><TD height="272" style="height: 204.0pt; width: 161pt;" width="215"><BR /> •TCP: 389, 3268, UDP: 389 (LDAP)<BR /> <BR /> •TCP: 445 (SMB)<BR /> <BR /> •TCP: 88, UDP: 88 (KDC)<BR /> <BR /> •TCP: 464 (KPASS)<BR /> <BR /> •UDP: 123 (NTP)<BR /> <BR /> •TCP: 53, UDP: 53 (DNS)<BR /> <BR /> (Admin user interface authentication and endpoint authentication)</TD></TR></TBODY></TABLE></TD><TD><BR /></TD><TD><BR /></TD><TD><BR /></TD></TR></TBODY></TABLE><P></P><P></P><P>In external Identity Stores and Resources it says Eth0 is used for <SPAN style="font-size: 10pt;">(Admin user interface authentication and endpoint authentication), where under sessions it lists that all ports can be used for RADIUS Authentication and Authorization.</SPAN></P><P></P><P>I am not sure what I am missing to understand between the two if you can highlight that.</P><P></P><P>Thanks</P><P></P><P>Kumar</P></BODY></HTML> Sat, 28 Sep 2013 22:18:59 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-with-multiple-network-interface/m-p/2278564#M148863 kmittal 2013-09-28T22:18:59Z https://community.cisco.com/t5/network-access-control/cisco-ise-with-multiple-network-interface/m-p/2278565#M148915 <HTML><HEAD></HEAD><BODY><P>Hi Ahmed,</P><P></P><P>Did a TCP dump on eth1 interface and I could c the external radius proxy traffic being sent through Eth1 interface of ISE. It will put the complete setup and let you know the final results.</P><P></P><P>Thanks</P><P></P><P>Kumar</P></BODY></HTML> Mon, 30 Sep 2013 07:08:10 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-with-multiple-network-interface/m-p/2278565#M148915 kmittal 2013-09-30T07:08:10Z https://community.cisco.com/t5/network-access-control/cisco-ise-with-multiple-network-interface/m-p/2278566#M148970 <HTML><HEAD></HEAD><BODY><P>Hi Kumar,</P><P></P><P>Any update about your setup?</P><P>I'm asking because I need similar thing with different identity source and need to check if it is applicable or not.</P><P></P><P>Thanks.</P><P>Ahmad.</P></BODY></HTML> Thu, 03 Oct 2013 13:29:59 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-with-multiple-network-interface/m-p/2278566#M148970 Ahmad Murad 2013-10-03T13:29:59Z https://community.cisco.com/t5/network-access-control/cisco-ise-with-multiple-network-interface/m-p/2278567#M149051 <HTML><HEAD></HEAD><BODY><P>Hello Amjad,</P><P></P><P>For External Idenity sources Cisco ISE would use Eth0 as the default and only interface to communicate with them. But in case of exteranl RADIUS proxy request its not bounded to Eth0 interface and rather depends on the route on Cisco ISe.</P><P></P><P>Hope this answers the query</P><P></P><P>Thanks</P><P></P><P>Kumar</P></BODY></HTML> Tue, 15 Oct 2013 07:23:32 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-with-multiple-network-interface/m-p/2278567#M149051 kmittal 2013-10-15T07:23:32Z