https://community.cisco.com/t5/network-access-control/ise-server-multiple-networks-query/m-p/2914446#M36485 <P>Indeed, just want to add two remarks:</P> <P>The switch communicate to ISE using RADIUS via its management?? interface, that is the only hard requirement to fulfill this requirement</P> <P>Second: if you want to use a ISE guest <B><I>portal</I></B> to facilitate this requirement you have to make up your mind again because both the management interface of the switch and cisco ISE might need connectivity to the guest vlan.</P> Wed, 27 Apr 2016 20:43:38 GMT jwmolenaar 2016-04-27T20:43:38Z https://community.cisco.com/t5/network-access-control/ise-server-multiple-networks-query/m-p/2914443#M36482 <P>Hi guys</P> <P></P> <P>We are planning to deploy a Cisco ISE server to manage NAC for 300 users (Windows, WYSE, Avaya phones and HP printers). DHCP is running on the DC and the ISE interface has Layer 2 visibility of the whole network segment its managing.</P> <P></P> <P>We have just received an additional requirement for a dedicated/completely segregated switch VLAN which provides unrestricted Internet access. It would be connected to a third party Internet-facing router allowing connections directly on to the internet. Effectively, its a completely segregated network of a single VLAN and Internet access.</P> <P>&nbsp;</P> <P>Would it be possible to manage port-security for this VLAN from the ISE server? If so, would the ISE server need an additional NIC configured in the subnet of the Internet VLAN?</P> <P></P> <P>Basically, i'm wondering if a single ISE server can be used to manage 2 completely independent networks. The internet network would not use AD authentication and access would have to be granted manually on a case by case basis.</P> <P></P> <P>Many thanks</P> <P></P> <P>M</P> <P><SPAN style="color: #1f497d;"></SPAN></P> Mon, 11 Mar 2019 06:42:39 GMT https://community.cisco.com/t5/network-access-control/ise-server-multiple-networks-query/m-p/2914443#M36482 kuzminsk1 2019-03-11T06:42:39Z https://community.cisco.com/t5/network-access-control/ise-server-multiple-networks-query/m-p/2914444#M36483 <P>Just to clarify - the Internet VLAN will be defined on teh same switches as the main network.</P> Wed, 27 Apr 2016 09:09:57 GMT https://community.cisco.com/t5/network-access-control/ise-server-multiple-networks-query/m-p/2914444#M36483 kuzminsk1 2016-04-27T09:09:57Z https://community.cisco.com/t5/network-access-control/ise-server-multiple-networks-query/m-p/2914445#M36484 <P>Just to clarify, ISE does NOT need to be Layer2 adjacent to the clients to work. Only when using specific profiling probes is this ever usefull. Has no use when doing mac address validation or 802.1x.</P> <P>As for your question, yes ISE can manage validating say ex. mac addresses that need access to your "Internet" VLAN, and your internal VLAN at the same time. However it's not done with the switch "port-security" feature, but rather by entering the mac addresses that need access in your ISE server and then using the "group" you put them in ISE in, ads a condition when authorizing access in ISE.</P> Wed, 27 Apr 2016 20:23:31 GMT https://community.cisco.com/t5/network-access-control/ise-server-multiple-networks-query/m-p/2914445#M36484 jan.nielsen 2016-04-27T20:23:31Z https://community.cisco.com/t5/network-access-control/ise-server-multiple-networks-query/m-p/2914446#M36485 <P>Indeed, just want to add two remarks:</P> <P>The switch communicate to ISE using RADIUS via its management?? interface, that is the only hard requirement to fulfill this requirement</P> <P>Second: if you want to use a ISE guest <B><I>portal</I></B> to facilitate this requirement you have to make up your mind again because both the management interface of the switch and cisco ISE might need connectivity to the guest vlan.</P> Wed, 27 Apr 2016 20:43:38 GMT https://community.cisco.com/t5/network-access-control/ise-server-multiple-networks-query/m-p/2914446#M36485 jwmolenaar 2016-04-27T20:43:38Z