https://community.cisco.com/t5/network-access-control/a-few-questions-about-a-cisco-3rd-party-wan-setup/m-p/3539689#M500234 <HTML><HEAD></HEAD><BODY><P>1.A. No data available presently for such limit. I do expect 20 would work.</P><P>Regarding the incomplete section, please cite the section and paragraph or go ahead and log a doc bug.</P><P>1.B. By specifying ISE as the IP helper address at an SVI of a particular subnet, then ISE should be able to return a DHCP assignment for that subnet.</P><P></P><P>2. If the NAD not supporting URL redirection, we may either specify a friendly FQDN for an ISE client provisioning portal or use the Call Home setting in ISE Posture profile or use the Auth VLAN.</P></BODY></HTML> Wed, 09 May 2018 04:23:37 GMT hslai 2018-05-09T04:23:37Z https://community.cisco.com/t5/network-access-control/a-few-questions-about-a-cisco-3rd-party-wan-setup/m-p/3539688#M500233 <HTML><HEAD></HEAD><BODY><P>I have a partner that has successfully done a test on deployment ISE at a regional hub with posture happening on 3rd party at the branches, however, we have a few questions</P><P></P><P>1) A) In the link below, for DHCP/DNS fencing, is there a limit on the number of subnets that can be configured. Say 20,50,100?<BR />ALso, there is a incomplete section - (For more information, see ),<BR /><A href="https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/admin_guide/b_ise_admin_guide_23/b_ise_admin_guide_23_chapter_01001.html" title="https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/admin_guide/b_ise_admin_guide_23/b_ise_admin_guide_23_chapter_01001.html">https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/admin_guide/b_ise_admin_guide_23/b_ise_admin_guide_23_chapter_01001.html</A></P><P>&nbsp;&nbsp; B). Does the IP-Helper allow ISE to selectively provide the correct DHCP for that branch?</P><P></P><P>2) Since some of the switches do not support URL redirection for posture, the partner statically entered an IP address in the anyconnect profile on ISE.&nbsp; Is that going to cause issues with teh DHCP/DNS method and session ID?</P><P></P><P>Thanks,</P><P></P><P>Tim</P></BODY></HTML> Tue, 08 May 2018 13:55:20 GMT https://community.cisco.com/t5/network-access-control/a-few-questions-about-a-cisco-3rd-party-wan-setup/m-p/3539688#M500233 tisnow 2018-05-08T13:55:20Z https://community.cisco.com/t5/network-access-control/a-few-questions-about-a-cisco-3rd-party-wan-setup/m-p/3539689#M500234 <HTML><HEAD></HEAD><BODY><P>1.A. No data available presently for such limit. I do expect 20 would work.</P><P>Regarding the incomplete section, please cite the section and paragraph or go ahead and log a doc bug.</P><P>1.B. By specifying ISE as the IP helper address at an SVI of a particular subnet, then ISE should be able to return a DHCP assignment for that subnet.</P><P></P><P>2. If the NAD not supporting URL redirection, we may either specify a friendly FQDN for an ISE client provisioning portal or use the Call Home setting in ISE Posture profile or use the Auth VLAN.</P></BODY></HTML> Wed, 09 May 2018 04:23:37 GMT https://community.cisco.com/t5/network-access-control/a-few-questions-about-a-cisco-3rd-party-wan-setup/m-p/3539689#M500234 hslai 2018-05-09T04:23:37Z https://community.cisco.com/t5/network-access-control/a-few-questions-about-a-cisco-3rd-party-wan-setup/m-p/3539690#M500238 <HTML><HEAD></HEAD><BODY><P>1A)&nbsp; Could we confirm 100 would work?</P><P></P><P>1B)&nbsp; The documentation bug is here -</P><H3 class="sectiontitle">URL Redirect Mechanism and Auth VLAN</H3><P></P><P>2)&nbsp; Is there a guide on when to use each?&nbsp; We hardcoded the discovery address but I recall have session linkage issues in the past.&nbsp;&nbsp; <BR />Auth Vlan - would be for the DHCP/DNS inline type solution,&nbsp; does that allow ISe to respond on behalf of itself with teh discovery address?&nbsp; Is there a flow diagram (I may have missed it)</P><P></P><P>Thanks Hsing</P></BODY></HTML> Wed, 09 May 2018 04:42:50 GMT https://community.cisco.com/t5/network-access-control/a-few-questions-about-a-cisco-3rd-party-wan-setup/m-p/3539690#M500238 tisnow 2018-05-09T04:42:50Z https://community.cisco.com/t5/network-access-control/a-few-questions-about-a-cisco-3rd-party-wan-setup/m-p/3539691#M500243 <HTML><HEAD></HEAD><BODY><P>1A. Sorry. No data to confirm whether 100 works.</P><P>1B. CDETS ID?</P><P>2. Client Provisioning Portal FQDN and Call Home setting are covered in <A _jive_internal="true" href="https://community.cisco.com/docs/DOC-76354">[ISE Lab Guide] ISE 2.2 Update</A></P><P><A href="https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-21/200604-Configure-Third-Party-NAD-Redirection-on.html">Configure Third-Party NAD Redirection on ISE 2.1 - Cisco</A><SPAN style="font-size: 10pt;"> on Auth VLAN.</SPAN></P></BODY></HTML> Thu, 10 May 2018 22:47:10 GMT https://community.cisco.com/t5/network-access-control/a-few-questions-about-a-cisco-3rd-party-wan-setup/m-p/3539691#M500243 hslai 2018-05-10T22:47:10Z