05-08-2018 06:55 AM
I have a partner that has successfully done a test on deployment ISE at a regional hub with posture happening on 3rd party at the branches, however, we have a few questions
1) A) In the link below, for DHCP/DNS fencing, is there a limit on the number of subnets that can be configured? Say 20, 50, 100?
Also, there is an incomplete section - (For more information, see ),
https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/admin_guide/b_ise_admin_guide_23/b_ise_admin_guide_23_chapter_01001.html
B) Does the IP helper allow ISE to selectively provide the correct DHCP for that branch?
2) Since some of the switches do not support URL redirection for posture, the partner statically entered an IP address in the AnyConnect profile on ISE. Is that going to cause issues with the DHCP/DNS method and session ID?
Thanks,
Tim
05-08-2018 09:23 PM
1.A. No data available presently for such limit. I do expect 20 would work.
Regarding the incomplete section, please cite the section and paragraph or go ahead and log a doc bug.
1.B. By specifying ISE as the IP helper address at an SVI of a particular subnet, then ISE should be able to return a DHCP assignment for that subnet.
2. If the NAD does not support URL redirection, we may either specify a friendly FQDN for an ISE client provisioning portal, use the Call Home setting in the ISE Posture profile, or use the Auth VLAN.
05-08-2018 09:42 PM
1A) Could we confirm 100 would work?
1B) The documentation bug is here -
2) Is there a guide on when to use each? We hardcoded the discovery address, but I recall having session linkage issues in the past.
Auth VLAN - would be for the DHCP/DNS inline type solution; does that allow ISE to respond on behalf of itself with the discovery address? Is there a flow diagram (I may have missed it)?
Thanks, Hsing
05-10-2018 03:47 PM
1A. Sorry. No data to confirm whether 100 works.
1B. CDETS ID?
2. Client Provisioning Portal FQDN and Call Home setting are covered in [ISE Lab Guide] ISE 2.2 Update; see Configure Third-Party NAD Redirection on ISE 2.1 - Cisco on Auth VLAN.