https://community.cisco.com/t5/network-access-control/ise-device-administration-service/m-p/3491342#M527699 <HTML><HEAD></HEAD><BODY><P>Ahh the fact that you are doing OOB management is an important piece of information not in the original post.&nbsp; </P><P></P><P>So assuming your ISE nodes are in the normal production network as you said you have two options:</P><P></P><P>1) You can take a 2nd interface off your ISE nodes and put them into the OOB network.</P><P></P><P>2) Allow traffic from the OOB to the normal production network for TACACS purposes only.</P><P></P><P>If there is already some mechanism in place to leak traffic from the OOB network to the production network then I would probably go #2, but if not #1 would work fine as well.</P></BODY></HTML> Mon, 14 Aug 2017 12:16:06 GMT paul 2017-08-14T12:16:06Z https://community.cisco.com/t5/network-access-control/ise-device-administration-service/m-p/3491338#M527695 <HTML><HEAD></HEAD><BODY><P><SPAN style="font-size: 10pt;">Hello team,</SPAN></P><P></P><P><SPAN style="font-size: 10pt;">On CISCo ISE: </SPAN></P><P><SPAN style="font-size: 10pt;">Is it a best practice to use the interface Giga eth0 (dedicated to management) as a port for Device Administration Service <SPAN style="color: #3d3d3d; font-family: arial; background-color: #f0f9fe;">to manage administrative access for Cisco IOS based network devices (AAA, TACACS or RADIUS)?</SPAN></SPAN></P><P><SPAN style="color: #3d3d3d; font-size: 10pt; background-color: #f0f9fe; font-family: arial;"><BR /></SPAN></P><P><SPAN style="color: #3d3d3d; font-size: 10pt; background-color: #f0f9fe; font-family: arial;">I have <SPAN style="color: #3d3d3d; font-family: arial; font-size: 13.3333px;">Cisco ISE HA in Small Deployment Network (with two node of ISE)</SPAN></SPAN></P><P><SPAN style="color: #3d3d3d; font-family: arial; font-size: 10pt; background-color: #f0f9fe;"><BR /></SPAN></P><P><SPAN style="color: #3d3d3d; font-family: arial; font-size: 10pt; background-color: #f0f9fe;">Best regards</SPAN></P><P><SPAN style="color: #3d3d3d; font-size: 10pt; background-color: #f0f9fe; font-family: arial;">Jordi</SPAN></P></BODY></HTML> Fri, 11 Aug 2017 08:28:14 GMT https://community.cisco.com/t5/network-access-control/ise-device-administration-service/m-p/3491338#M527695 jordi.cano 2017-08-11T08:28:14Z https://community.cisco.com/t5/network-access-control/ise-device-administration-service/m-p/3491339#M527696 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>I am moving your post to the Security ISE community for better visibility and access to information.</P><P></P><P><A href="https://community.cisco.com/space/5301">Identity Services Engine (ISE)</A></P><P></P><P>Thank you for participating in the community.</P><P>Kelli Glass</P><P>Moderator for Cisco Customer Communities</P></BODY></HTML> Fri, 11 Aug 2017 20:23:40 GMT https://community.cisco.com/t5/network-access-control/ise-device-administration-service/m-p/3491339#M527696 keglass 2017-08-11T20:23:40Z https://community.cisco.com/t5/network-access-control/ise-device-administration-service/m-p/3491340#M527697 <HTML><HEAD></HEAD><BODY><P>I use a single interface on all my ISE nodes except in the case where I need a Guest portal running in a DMZ.&nbsp; Keep things simple and use a single interface.</P></BODY></HTML> Fri, 11 Aug 2017 21:13:19 GMT https://community.cisco.com/t5/network-access-control/ise-device-administration-service/m-p/3491340#M527697 paul 2017-08-11T21:13:19Z https://community.cisco.com/t5/network-access-control/ise-device-administration-service/m-p/3491341#M527698 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I totally agree to seek simplicity, that is the reason for my question.</P><P></P><P>Keep in mind that the AAA traffic is located in an Out-of-band network of an extensive network.</P><P></P><P>The two options I have are:</P><P>1- AAA traffic of any equipment to the ISE Management Port (same network)</P><P>2- AAA TRAFFIC of any equipment to the service port of the ISE (NAT or a New VRFfor example).</P><P></P><P>Which of the two options is most appropriate?</P><P></P><P>Best regards</P></BODY></HTML> Mon, 14 Aug 2017 11:31:19 GMT https://community.cisco.com/t5/network-access-control/ise-device-administration-service/m-p/3491341#M527698 jordi.cano 2017-08-14T11:31:19Z https://community.cisco.com/t5/network-access-control/ise-device-administration-service/m-p/3491342#M527699 <HTML><HEAD></HEAD><BODY><P>Ahh the fact that you are doing OOB management is an important piece of information not in the original post.&nbsp; </P><P></P><P>So assuming your ISE nodes are in the normal production network as you said you have two options:</P><P></P><P>1) You can take a 2nd interface off your ISE nodes and put them into the OOB network.</P><P></P><P>2) Allow traffic from the OOB to the normal production network for TACACS purposes only.</P><P></P><P>If there is already some mechanism in place to leak traffic from the OOB network to the production network then I would probably go #2, but if not #1 would work fine as well.</P></BODY></HTML> Mon, 14 Aug 2017 12:16:06 GMT https://community.cisco.com/t5/network-access-control/ise-device-administration-service/m-p/3491342#M527699 paul 2017-08-14T12:16:06Z