topic My situation is similar in Network Access Control

ISE Network Interfaces

desweiler — Mon, 11 Mar 2019 04:52:33 GMT

Hello,

we have placed the ISE in a DMZ. The NIC 0 is used for Administration of the ISE.

The Switches send their RADIUS requests to the ISE via an out-of-band-management network which is connected to the DMZ though a Firewall.

What if I want to use CWA. I understand that the Guest/Sponsor Portal needs to be reachable via the Clients Network. I can use a dedicated NIC on the ISE for this connection. So GIG0 is mgmt (in DMZ) and GIG1 is Guest/Sponsor-Portal (not in DMZ).

What about security? Does the ISE route between the connected NICs? If it does, can I put a Firewall between the Client Network and the Guest-Portal NIC?

What is best Practise here?

Good question! I would like

nspasov — Fri, 18 Jul 2014 00:55:37 GMT

Good question! I would like to know the answer to as well!

My situation is similar

Ryan Coombs — Fri, 18 Jul 2014 16:01:01 GMT

My situation is similar however the opposite. We have ISE in our Enterprise MNGT zone (not in DMZ). NIC0 for mngt and accessible for us to manage from inside our network. For the guests using CWA we've created a VRF for Guest-Users to route to ISE but using NIC3 only which resides in our DMZ and blocks access to our regulatory network. This is required because the client needs to reach ISE on "nic3" for it to present the Guest Portal (Layer3). Also the client will need to receive a DHCP address beforehand to speak with ISE on its nic3, so we also have a DHCP server hanging off the guest VRF along with a interface on our WLC. The WLC on the DMZ is configured as an anchor controller and there is no need to poke any holes in our firewall. To sum it up, we use NIC0 for mngt & radius requests but after the client connects to our WLC (Guest-WiFi) the controller talks to ISE layer2 via NIC0, after MAB is performed (mac filtering on the WLC) its get a permit back allowing the client to recieve DHCP and DNS, then after a web page is attempted our redirect ACL on the WLC sends the client to ISE NIC3 which hosts our Guest Portal. So at no time do they touch our inside network.

We are running ISE 1.2 patch 8 for your reference. Hopefully that helps some. I'm still learning one phase at a time.

The ISE interfaces do not and

Tarik Admani — Tue, 22 Jul 2014 01:48:33 GMT

The ISE interfaces do not and should not route between it's interfaces. They have to exist on separate layer 3 networks and you can add routes on the cli if the clients exist multiple hops away from the interface itself.

http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/installation_guide/ise_ig/ise_app_c-ports.html#81419

Hi,Yes, ISE cannot perform

abwahid — Tue, 05 Aug 2014 13:15:03 GMT

Hi,

Yes, ISE cannot perform routing between its interfaces, and the document link which Tarik shared, it is detailed installation guide, plz go through, it will definitely help you out.

Thanks.