<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: ISE separate interface for guest in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/ise-separate-interface-for-guest/m-p/3388062#M548830</link>
    <description>Yes, I meant DMZ interface. When clients (either wifi or wired) are redirected to the guest portal, they'll be pushed to a specific VLAN that needs to be able to reach the ISE guest/DMZ interface.</description>
    <pubDate>Thu, 24 May 2018 00:22:32 GMT</pubDate>
    <dc:creator>Francesco Molino</dc:creator>
    <dc:date>2018-05-24T00:22:32Z</dc:date>
    <item>
      <title>ISE separate interface for guest</title>
      <link>https://community.cisco.com/t5/network-access-control/ise-separate-interface-for-guest/m-p/3386035#M548722</link>
      <description>&lt;P&gt;Hi All,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I'm currently designing an ISE solution to provide guest access with web authentication and I want to assign separate interfaces on the ISE appliances so we don't need to punch holes through our main firewall. I have seen that this is possible in various support community conversations/design guides; however, I'm looking to place the ISE guest interfaces directly on the same VLAN that guest users will be placed on, but I can't see if this is recommended or not.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;The reason I want to do this is for simplicity, so no need to even create a separate DMZ etc. Has anyone done this before? Does the ISE interface for guest listen on any other ports than what has been set for the CWA portal?&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Many thanks&lt;/P&gt;</description>
      <pubDate>Fri, 21 Feb 2020 18:56:27 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ise-separate-interface-for-guest/m-p/3386035#M548722</guid>
      <dc:creator>de1denta</dc:creator>
      <dc:date>2020-02-21T18:56:27Z</dc:date>
    </item>
    <item>
      <title>Re: ISE separate interface for guest</title>
      <link>https://community.cisco.com/t5/network-access-control/ise-separate-interface-for-guest/m-p/3386212#M548723</link>
      <description>&lt;P&gt;Hi&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Yes sure this is something that’s often done.&lt;/P&gt;
&lt;P&gt;Your switch or WLC will talk to RADIUS using the default interface (or a RADIUS-specific interface if you have any). RADIUS will reply with the guest interface as the URL redirect if you configured it so on the portal itself. This is where you define which interface listens for portal ports.&lt;/P&gt;
&lt;P&gt;As soon as the URL redirect is pushed, guest users will be pushed to a guest VLAN within the DMZ zone where they can reach the ISE 2nd interface and avoid opening ports on your FW.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;You can extend your DMZ VLAN to this 2nd ISE interface to make sure guests won’t sit in your LAN.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Usually, what I do is keep the default interface for management, then add a dedicated interface for RADIUS/TACACS and a 3rd one for guests.&lt;/P&gt;</description>
      <pubDate>Mon, 21 May 2018 04:00:50 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ise-separate-interface-for-guest/m-p/3386212#M548723</guid>
      <dc:creator>Francesco Molino</dc:creator>
      <dc:date>2018-05-21T04:00:50Z</dc:date>
    </item>
    <item>
      <title>Re: ISE separate interface for guest</title>
      <link>https://community.cisco.com/t5/network-access-control/ise-separate-interface-for-guest/m-p/3386266#M548826</link>
      <description>&lt;P&gt;Hi Francesco,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Thank you for the response. That makes sense.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;In this particular environment we are looking to include a wired guest network as well, which will be in a separate VLAN. In this instance should we use 3 interfaces on ISE? Default interface for management/RADIUS etc., one interface for Wireless Guest and one interface for Wired Guest?&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;In your environments, would you normally have wireless and wired guest in the same VLAN or split them out? I'm just conscious that I'm making this more complex than it needs to be.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Thank you&lt;/P&gt;</description>
      <pubDate>Mon, 21 May 2018 07:16:38 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ise-separate-interface-for-guest/m-p/3386266#M548826</guid>
      <dc:creator>de1denta</dc:creator>
      <dc:date>2018-05-21T07:16:38Z</dc:date>
    </item>
    <item>
      <title>Re: ISE separate interface for guest</title>
      <link>https://community.cisco.com/t5/network-access-control/ise-separate-interface-for-guest/m-p/3386651#M548828</link>
      <description>&lt;P&gt;From my point of view, wired guest and wireless guest should be in separate VLANs but in the same zone. This means that only 1 interface on ISE can handle both.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 22 May 2018 00:06:32 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ise-separate-interface-for-guest/m-p/3386651#M548828</guid>
      <dc:creator>Francesco Molino</dc:creator>
      <dc:date>2018-05-22T00:06:32Z</dc:date>
    </item>
    <item>
      <title>Re: ISE separate interface for guest</title>
      <link>https://community.cisco.com/t5/network-access-control/ise-separate-interface-for-guest/m-p/3386752#M548829</link>
      <description>&lt;P&gt;Thanks Francesco,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;When you say 'Zone' do you mean a common DMZ interface that is accessible from both the Wired and Wireless guest networks?&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 22 May 2018 06:53:15 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ise-separate-interface-for-guest/m-p/3386752#M548829</guid>
      <dc:creator>de1denta</dc:creator>
      <dc:date>2018-05-22T06:53:15Z</dc:date>
    </item>
    <item>
      <title>Re: ISE separate interface for guest</title>
      <link>https://community.cisco.com/t5/network-access-control/ise-separate-interface-for-guest/m-p/3388062#M548830</link>
      <description>Yes, I meant DMZ interface. When clients (either wifi or wired) are redirected to the guest portal, they'll be pushed to a specific VLAN that needs to be able to reach the ISE guest/DMZ interface.</description>
      <pubDate>Thu, 24 May 2018 00:22:32 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ise-separate-interface-for-guest/m-p/3388062#M548830</guid>
      <dc:creator>Francesco Molino</dc:creator>
      <dc:date>2018-05-24T00:22:32Z</dc:date>
    </item>
  </channel>
</rss>

