topic Re: ISE with Multiple Interfaces in Network Access Control

ISE with Multiple Interfaces

scottbreslin — Mon, 11 Mar 2019 07:55:00 GMT

Hi,

I have a requirement to deploy an ISE appliance into a customer environment where the management network is separate from the data network.

I understand that GEth0 is dedicated for management access to ISE so, I can assign an IP address to this interface form the management network.

What I don't understand is how I configure Geth1 for authentication traffic such as radius requests.

After I have assigned an IP address to GEth1 from the data facing network how do I tell ISE to use this interface for authentication requests?

Unless I have missed something this does not seem to be documented.

Thanks

Scott

There is configuration on the

jrabinow — Sun, 06 Aug 2017 22:52:21 GMT

There is configuration on the network devices that defines the IP address to use for AAA. Configure devices to send authentication traffic to GEth1 on ISE

Scott,

chatataridge — Mon, 07 Aug 2017 15:50:18 GMT

Scott,

Based on the three bullet points under the Cisco ISE Infrastructure heading (see link below), ISE listens for RADIUS request on all NIC's so no additional configuration is needed. My guess on how to read the chart is that if the service is listed across both columns then the service is active on all NIC;'s. I have not used different NIC's for Admin and RADIUS but have used other NIC's for guest portals.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-1/install_guide/b_ise_InstallationGuide21/b_ise_InstallationGuide21_appendix_0110.html

Len

Re: Scott,

laurathaqi — Tue, 19 Jan 2021 10:46:30 GMT

Hi Chatataridge,

Have u used Different NIC for Wired Portal traffic or Wireless? If yes, can you please share steps u did to do so. I want to use different NIC (ex: NIC3) for Wired CWA(Guest traffic).

NIC1 + NIC2 Bundle for high availability for Management Traffic,

NIC3 + NIC4 Bundle for High availability for CWA VLAN traffic to Internet. This for Guest

NIC5 + NIC6 Bundle for High Availability for RADIUS Internal Access for Endpoints.

Any suggestions!?

Thank you,

Re: Scott,

Marcelo Morais — Sat, 23 Jan 2021 19:47:59 GMT

Hi @laurathaqi ,

first of all:

. ISE Management is restricted to Gigabit Ethernet 0 (Eth0)

. Eth0, Eth2 and Eth4 must be assigned an IPv4 (or IPv6) address.

. Eth1, Eth3 and Eth5 must not be assigned an IP address.

. RADIUS listens on all NICs

Second:

. configure Bond0 (Eth0+Eth1) for ISE Management.

ise/admin(config)# interface GigabitEthernet 0 
ise/admin(config-GigabitEthernet)# backup interface GigabitEthernet 1

. configure the Guest Portals to point to Bond1 (Eth2+Eth3)

In Work Centers > Guest Access > Portal & Components > Guest Portal ... select Portal Settings > choose Bond1.

. configure the NADs to send the RADIUS packets to Bond2 (Eth4+Eth5)

Hope this helps !!!

Re: Scott,

laurathaqi — Sat, 23 Jan 2021 20:51:41 GMT

Hi,

This is the information I have been after, so many many thanks.

Best,

Laura

Re: ISE with Multiple Interfaces

Jonathan Schultz — Wed, 12 Oct 2022 17:55:03 GMT

When attempting to use a separate interface for management (behind a FW), how does one manipulate routing as the mgmt interface does not have its own VRF to my knowledge.

Re: ISE with Multiple Interfaces

ahollifield — Wed, 12 Oct 2022 19:15:46 GMT

So you do mean gig0 on ISE? Or the CIMC port on appliance? The CIMC interface its completely out of band and has its own routing table. All other ISE interfaces share the same routing table and you manipulate routing using static routes.

Re: ISE with Multiple Interfaces

Jonathan Schultz — Wed, 12 Oct 2022 20:26:38 GMT

Basic routing. Management (Gig0) used for mgmt. access (own routing table). Gig1 used for policy enforcement. (Radius, Tacacs, 802.1x, portal, etc)

Re: ISE with Multiple Interfaces

ahollifield — Wed, 12 Oct 2022 20:30:38 GMT

That’s not how ISE works, all interfaces will respond to RADIUS/TACACS+ (unless controlled by upstream firewall or ACL). Gig0 isn’t a dedicated management port. What is your use-case for this?

Re: ISE with Multiple Interfaces

Jonathan Schultz — Wed, 12 Oct 2022 20:39:38 GMT

Not give my end users, specifically Sponsored Guests access to the Mgmt plane

Re: ISE with Multiple Interfaces

ahollifield — Thu, 13 Oct 2022 11:34:34 GMT

There isn't a concept of a "management plane" in ISE. Sponsor Groups would cover your need for RBAC of certain guest types. If I am understanding your requirement.

Re: ISE with Multiple Interfaces

tfrechette — Wed, 25 Sep 2024 18:19:05 GMT

For routing.....Will this work?

Gig0 ip add 192.168.66.253 255.255.255.0

ip default-gateway 192.168.66.1

Gig 1

IP add 192.168.70.253 255.255.255.0

ip route 0.0.0.0 0.0.0.0 192.168.70.1

Re: ISE with Multiple Interfaces

ahollifield — Wed, 25 Sep 2024 21:09:37 GMT

Depends. Does this match what you need in your environment? https://community.cisco.com/t5/security-documents/how-to-ask-the-community-for-help/ta-p/3704356

Re: ISE with Multiple Interfaces

tfrechette — Wed, 25 Sep 2024 21:33:45 GMT

Is this how you configure the routing?

ip default-gateway x.x.x.x for Eth0 interface (gui mgmt)

and ..

ip route 0.0.0.0 0.0.0 x.x.x.x for the Eth 2/3 (bonded) interface, fiber SFP ports on riser (authentication traffic, etc)

Re: ISE with Multiple Interfaces

ahollifield — Thu, 26 Sep 2024 19:33:23 GMT

Depends. Does this match what you need in your environment? https://community.cisco.com/t5/security-documents/how-to-ask-the-community-for-help/ta-p/3704356

I would HIGHLY suggest making a new post versus commenting on a post from 2017.