topic Re: Cisco ISE dedicate Guest Interface in Network Access Control

Cisco ISE dedicate Guest Interface

Leonardo Santana — Fri, 09 Aug 2024 13:19:34 GMT

Hi,

Our customer has two Cisco ISE deployeds like this:

Gig0: Management Only (HTTPS/SSH), TACACS+/RADIUS to/from NADs and Guest

We need to configure a separate interface for Guest Access in the DMZ, so the configuration will be like this:

Gig0: Management Only (HTTPS/SSH), TACACS+/RADIUS

Gig2: Guest Interface (Tied to WebAuth Portal)

Its necessary to create static route for my guest interface?

Re: Cisco ISE dedicate Guest Interface

MHM Cisco World — Fri, 09 Aug 2024 13:22:59 GMT

Check this

https://community.cisco.com/t5/network-access-control/cisco-ise-ip-interfaces-configuration/td-p/4034493

MHM

Re: Cisco ISE dedicate Guest Interface

Rob Ingram — Fri, 09 Aug 2024 13:30:48 GMT

@Leonardo Santana yes, you need to configure a static route on each PSN hosting the Guest portal for traffic to/from dedicated the guest interface using the command

ip route 0.0.0.0 0.0.0.0 <next hop ip>

Re: Cisco ISE dedicate Guest Interface

Leonardo Santana — Fri, 09 Aug 2024 13:34:50 GMT

Hi Rob,

Thanks for your answer. After configuring the ip route how ISE will select the correct interface at show ip route?

Re: Cisco ISE dedicate Guest Interface

MHM Cisco World — Fri, 09 Aug 2024 13:36:37 GMT

Friend

Check link you will get answer for your Q' there is also ciscolive check it

MHM

Re: Cisco ISE dedicate Guest Interface

Rob Ingram — Fri, 09 Aug 2024 13:41:12 GMT

@Leonardo Santana the traffic to/from the Eth0 interface would be routed via the gateway defined with the default-gateway command. Whereas traffic to/from the dedicated interface for the guest portal would use the gateway as per ip route command.

Re: Cisco ISE dedicate Guest Interface

Leonardo Santana — Fri, 09 Aug 2024 14:12:15 GMT

Rob,

Like this, a ip route 0.0.0.0 0.0.0.0 pointing to he default gw of my guest network.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-7/cli_guide/b_ise_CLIReferenceGuide_27/b_ise_CLIReferenceGuide_27_chapter_011.html#wp3952387991

ISE InterfaceIPNetworkGateway
192.168.114.10 192.168.114.0 192.168.114.1
192.168.115.10 192.168.115.0 192.168.115.1
192.168.116.10 192.168.116.0 192.168.116.1
192.168.117.10 192.168.117.0 192.168.117.1

The ip route command is used here to define default routes for each interface.


ise/admin(config)# ip route 0.0.0.0 0.0.0.0 192.168.114.1
ise/admin(config)# ip route 0.0.0.0 0.0.0.0 192.168.115.1
ise/admin(config)# ip route 0.0.0.0 0.0.0.0 192.168.116.1
ise/admin(config)# ip route 0.0.0.0 0.0.0.0 192.168.117.1
ise/admin(config)# ip default-gateway 192.168.118.1

Re: Cisco ISE dedicate Guest Interface

Rob Ingram — Fri, 09 Aug 2024 14:22:27 GMT

@Leonardo Santana example from an implementation I designed, where Gi1 interface was dedicated for Guest traffic.

PSN-1/admin (config)# interface GigabitEthernet 1
PSN-1/admin (config-GigabitEthernet)# ip address 172.21.1.68 255.255.255.224

% Changing the IP address might cause ise services to restart
Continue with IP address change? Y/N [N]: Y

------SERVICES RESTART-------

PSN-1/admin (config-GigabitEthernet)# exit
PSN-1/admin (config)# ip route 0.0.0.0 0.0.0.0 172.21.1.65

Re: Cisco ISE dedicate Guest Interface

peter.matuska1 — Fri, 09 Aug 2024 14:42:04 GMT

we always configure default route via G0 and 1 or more static routes for guest user subnets via G2 in your case and it works.