<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Cisco Wireless - Multiple ISE Instances - RADIUS Proxy Query in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/cisco-wireless-multiple-ise-instances-radius-proxy-query/m-p/3551161#M528593</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi there,&lt;/P&gt;&lt;P&gt;we have a Health Trust that is split into 7 organisations, who each plan to deploy their own ISE Instances, as well as their own WLCs. Additionally, they each have their own AD domains, separately managed.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;They would, however, like doctors/staff members to be able to roam among buildings, and authenticate to a common SSID.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;We could approach this from the perspective of defining each ISE instance in each WLC, and that would probably work. I am looking into whether we could define just the local ISE instance on each WLC, and use ISE RADIUS Proxy to proxy authentications back to a staff member's home ISE instance.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Is this worth exploring as a design option? The customer has already dismissed the idea of a central Admin node and PSNs in each Trust.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;As a follow-on question, they would like a guest that initially authenticates in one Hospital to be able to roam to any other hospital in the trust w/o having to re-authenticate for a certain duration (days/weeks)...&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Best regards,&lt;/P&gt;&lt;P&gt;Brian&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Mon, 10 Jul 2017 18:22:39 GMT</pubDate>
    <dc:creator>bodonogh</dc:creator>
    <dc:date>2017-07-10T18:22:39Z</dc:date>
    <item>
      <title>Cisco Wireless - Multiple ISE Instances - RADIUS Proxy Query</title>
      <link>https://community.cisco.com/t5/network-access-control/cisco-wireless-multiple-ise-instances-radius-proxy-query/m-p/3551161#M528593</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi there,&lt;/P&gt;&lt;P&gt;we have a Health Trust that is split into 7 organisations, who each plan to deploy their own ISE Instances, as well as their own WLCs. Additionally, they each have their own AD domains, separately managed.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;They would, however, like doctors/staff members to be able to roam among buildings, and authenticate to a common SSID.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;We could approach this from the perspective of defining each ISE instance in each WLC, and that would probably work. I am looking into whether we could define just the local ISE instance on each WLC, and use ISE RADIUS Proxy to proxy authentications back to a staff member's home ISE instance.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Is this worth exploring as a design option? The customer has already dismissed the idea of a central Admin node and PSNs in each Trust.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;As a follow-on question, they would like a guest that initially authenticates in one Hospital to be able to roam to any other hospital in the trust w/o having to re-authenticate for a certain duration (days/weeks)...&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Best regards,&lt;/P&gt;&lt;P&gt;Brian&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 10 Jul 2017 18:22:39 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/cisco-wireless-multiple-ise-instances-radius-proxy-query/m-p/3551161#M528593</guid>
      <dc:creator>bodonogh</dc:creator>
      <dc:date>2017-07-10T18:22:39Z</dc:date>
    </item>
    <item>
      <title>Re: Cisco Wireless - Multiple ISE Instances - RADIUS Proxy Query</title>
      <link>https://community.cisco.com/t5/network-access-control/cisco-wireless-multiple-ise-instances-radius-proxy-query/m-p/3551162#M528594</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;If possible, I would suggest having ISE instances join all these separate domains. For more info, see &lt;A href="https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=89275&amp;amp;tclass=popup"&gt;What's new in ISE Active Directory connector (2016 Berlin)&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Otherwise, we need to rely on RADIUS:user-name patterns to parse out the requests to different external RADIUS servers. This might not work well, especially for tunneled protocols.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;As for ISE guests, I believe we could have the remote ISE instance return a group ID if the endpoint is already registered and authorized based on that group ID.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 10 Jul 2017 20:46:14 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/cisco-wireless-multiple-ise-instances-radius-proxy-query/m-p/3551162#M528594</guid>
      <dc:creator>hslai</dc:creator>
      <dc:date>2017-07-10T20:46:14Z</dc:date>
    </item>
    <item>
      <title>Re: Cisco Wireless - Multiple ISE Instances - RADIUS Proxy Query</title>
      <link>https://community.cisco.com/t5/network-access-control/cisco-wireless-multiple-ise-instances-radius-proxy-query/m-p/3551163#M528595</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I don’t see why your RADIUS proxy approach wouldn’t work. It’s not common though. Are you going to create a full mesh of RADIUS proxies between all of the 7 organizations? I think another option may be to create a hub deployment that is co-managed and serves as the border RADIUS instance which serves as a proxy gateway between all of your organizations. Just a thought.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;As for persistent authentication across hospitals… if you are using WPA2 Enterprise, then the endpoint should reauthenticate without any user intervention. Is there another use case you are trying to address?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;George&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 10 Jul 2017 20:56:16 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/cisco-wireless-multiple-ise-instances-radius-proxy-query/m-p/3551163#M528595</guid>
      <dc:creator>gbekmezi-DD</dc:creator>
      <dc:date>2017-07-10T20:56:16Z</dc:date>
    </item>
  </channel>
</rss>

