topic Re: Add multiple Network devices in same group in Cisco ISE in Network Access Control

Add multiple Network devices in same group in Cisco ISE

Draken — Wed, 09 Oct 2024 09:19:47 GMT

Hi.
First post ever so I might be doing this wrong....

I am to add a new /24 network in an existing Network Device list.
This due to the existing IP range is for a temporary setup still running in a temporary location and I am now setting up the permanent site in another IP range in same "group" as i want to keep the name.

I just want to know 2 things.

1. Is this OK, i do not "disturb" the temporary setup as that site is in full "production"

2. Is there any rule/to think about how i put the order of the networks (like an access-list)

Re: Add multiple Network devices in same group in Cisco ISE

MHM Cisco World — Wed, 09 Oct 2024 09:28:30 GMT

Check if you get your answer from link below

https://www.grandmetric.com/knowledge-base/design_and_configure/cisco-ise-3-0-nad/

MHM

Re: Add multiple Network devices in same group in Cisco ISE

Rob Ingram — Wed, 09 Oct 2024 09:59:47 GMT

@Draken instead of modifying an existing NAD object, just create a new NAD with the new IP address range, define the shared secret and specify the correct location and Device Type group any other specific settings. The incoming request will match the NAD based on the source IP address.

There is no ACL that I am aware of to order the network, it will depend on the incoming IP address received by ISE.

Re: Add multiple Network devices in same group in Cisco ISE

Marvin Rhoads — Wed, 09 Oct 2024 14:19:04 GMT

We don't generally put entire networks in the network device list. We put the actual address of individual network devices.

Re: Add multiple Network devices in same group in Cisco ISE

Draken — Wed, 09 Oct 2024 14:53:18 GMT

Thanks, I will read this.

//Draken

Re: Add multiple Network devices in same group in Cisco ISE

Draken — Wed, 09 Oct 2024 14:55:09 GMT

Hi.

I thought that this would be the case but i wanted to keep my existing name.
But i do it the easy (and most correct) way and configure a new NAD.

Thanks

//Draken

Re: Add multiple Network devices in same group in Cisco ISE

Draken — Wed, 09 Oct 2024 14:58:21 GMT

Hi Marvin,

Well the /24 is the range for my network equipment at that site won´t be anything else in there.

But maybe i should reconsider as best and secure practice?

Re: Add multiple Network devices in same group in Cisco ISE

Arne Bier — Wed, 09 Oct 2024 22:56:14 GMT

Whilst it's handy to use subnet ranges in the ISE Network Devices definition, my main concern with it is that when you look at Live Logs, you won't see exactly which device sent the request - you will see the name you've assigned to the entire subnet. You have to click on each Live Log to reveal the NAS IP Address details. If that doesn't bother you, then the next concern would be "security" - however, the attacker might add themselves into the LAN and talk to ISE if it knew the RADIUS shared secret. I don't know if security is the main concern - it's just tidier to have /32's in ISE, and it also allows for easier auditing - e.g. in a /24 subnet, you will never know how many RADIUS clients you have - on the other hand, if you specify each one as a /32, then you have a clear and documented audit of that subnet's devices.

I would assume that for large customers that e.g. have a subnet just for Meraki WAPs, they might rather use subnet notation in ISE, rather than adding thousands of WAPs into ISE.

Horses for courses.

Re: Add multiple Network devices in same group in Cisco ISE

Draken — Fri, 11 Oct 2024 07:48:04 GMT

Hi Arne.

Thanks for a good input, will take this to the team.

//Michael