10-09-2024 02:19 AM
Hi.
First post ever, so I might be doing this wrong....
I am to add a new /24 network in an existing Network Device list.
This is due to the existing IP range being for a temporary setup still running in a temporary location, and I am now setting up the permanent site in another IP range in the same "group", as I want to keep the name.
I just want to know 2 things.
1. Is this OK? I do not want to "disturb" the temporary setup, as that site is in full "production".
2. Is there any rule to think about for how I put the order of the networks (like an access-list)?
10-09-2024 02:59 AM
@Draken instead of modifying an existing NAD object, just create a new NAD with the new IP address range, define the shared secret and specify the correct location and Device Type group and any other specific settings. The incoming request will match the NAD based on the source IP address.
There is no ACL that I am aware of to order the network, it will depend on the incoming IP address received by ISE.
10-09-2024 03:56 PM
Whilst it's handy to use subnet ranges in the ISE Network Devices definition, my main concern with it is that when you look at Live Logs, you won't see exactly which device sent the request - you will see the name you've assigned to the entire subnet. You have to click on each Live Log to reveal the NAS IP Address details. If that doesn't bother you, then the next concern would be "security" - however, the attacker might add themselves into the LAN and talk to ISE if they knew the RADIUS shared secret. I don't know if security is the main concern - it's just tidier to have /32s in ISE, and it also allows for easier auditing - e.g. in a /24 subnet, you will never know how many RADIUS clients you have - on the other hand, if you specify each one as a /32, then you have a clear and documented audit of that subnet's devices.
I would assume that for large customers that e.g. have a subnet just for Meraki WAPs, they might rather use subnet notation in ISE, rather than adding thousands of WAPs into ISE.
Horses for courses.
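An added example (not from any poster in this thread and not Cisco's code) that illustrates both points above: how an incoming request's NAS IP is resolved to a NAD entry when the list mixes /24 ranges and /32 entries, and how to recover the "how many RADIUS clients are actually in that /24" audit that a subnet-wide NAD hides. The NAD names, subnets and the sample NAS IPs are all constructed; the assumption that the most specific (longest) prefix wins when a /32 overlaps a /24 is mine, not something stated in the thread.

```python
import ipaddress
from collections import defaultdict

# Constructed NAD list mirroring the thread's situation: the temporary site's /24,
# the new permanent site's /24, and one explicit /32 for a single device.
# All names and addresses are made up for the example.
NADS = {
    "SITE-A-TEMP": ["10.10.1.0/24"],
    "SITE-A-PERM": ["10.20.1.0/24"],
    "CORE-SW-01": ["10.20.1.5/32"],   # hypothetical /32 overlapping SITE-A-PERM
}

# Constructed NAS IP addresses, as they would be revealed per Live Log entry.
LIVE_LOG_NAS_IPS = [
    "10.10.1.2",
    "10.10.1.3",
    "10.20.1.5",
    "10.20.1.7",
    "10.20.1.7",      # same switch seen twice; should count once
    "192.168.99.1",   # no NAD covers this source; request would be rejected
]


def build_nad_table(nads):
    """Flatten the NAD dict into (name, ip_network) pairs for matching."""
    return [(name, ipaddress.ip_network(net))
            for name, nets in nads.items() for net in nets]


def match_nad(nas_ip, table):
    """Return the NAD name whose range contains nas_ip, or None.

    Assumption: when several entries contain the address (a /32 inside a /24),
    the longest prefix is the one the request is attributed to.
    """
    ip = ipaddress.ip_address(nas_ip)
    best_name, best_len = None, -1
    for name, net in table:
        if ip in net and net.prefixlen > best_len:
            best_name, best_len = name, net.prefixlen
    return best_name


def audit_subnet_clients(nas_ips, table):
    """Group distinct NAS IPs by the NAD they match; collect unmatched sources.

    This is the audit a subnet-wide NAD does not give you directly: for each
    /24 entry you get the set of real RADIUS clients observed behind it.
    """
    seen = defaultdict(set)
    unmatched = set()
    for ip in nas_ips:
        name = match_nad(ip, table)
        if name is None:
            unmatched.add(ip)
        else:
            seen[name].add(ip)
    return dict(seen), unmatched


if __name__ == "__main__":
    table = build_nad_table(NADS)
    per_nad, unknown = audit_subnet_clients(LIVE_LOG_NAS_IPS, table)
    for nad, clients in sorted(per_nad.items()):
        print(f"{nad}: {len(clients)} distinct client(s): {sorted(clients)}")
    print("no matching NAD:", sorted(unknown))
```

Running this over exported Live Log NAS IPs gives a per-NAD inventory of the devices that actually authenticated, which is the audit trail the /32 approach gives for free and the /24 approach otherwise loses; any source that matches no NAD, or an unexpected address inside a /24, is worth investigating.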
10-09-2024 02:28 AM
Check if you get your answer from the link below.
https://www.grandmetric.com/knowledge-base/design_and_configure/cisco-ise-3-0-nad/
MHM
10-09-2024 07:53 AM
Thanks, I will read this.
//Draken
10-09-2024 07:55 AM
Hi.
I thought that this would be the case, but I wanted to keep my existing name.
But I will do it the easy (and most correct) way and configure a new NAD.
Thanks
//Draken
10-09-2024 07:19 AM
We don't generally put entire networks in the network device list. We put the actual address of individual network devices.
10-09-2024 07:58 AM
Hi Marvin,
Well, the /24 is the range for my network equipment at that site; there won't be anything else in there.
But maybe I should reconsider as best and secure practice?
10-11-2024 12:47 AM - edited 10-11-2024 12:48 AM
Hi Arne.
Thanks for the good input, I will take this to the team.
Br
//Michael