
Add multiple Network devices in same group in Cisco ISE

Draken
Level 1

Hi.
First post ever, so I might be doing this wrong....

I am to add a new /24 network to an existing Network Device entry.
This is because the existing IP range is for a temporary setup still running in a temporary location, and I am now setting up the permanent site in another IP range in the same "group", as I want to keep the name.

I just want to know 2 things.

1. Is this OK? I do not want to "disturb" the temporary setup, as that site is in full "production".

2. Is there any rule to think about for how I order the networks (like an access-list)?

[Attached screenshot: Draken_1-1728465204435.png]


8 Replies

Thanks, I will read this.

//Draken

@Draken instead of modifying an existing NAD object, just create a new NAD with the new IP address range, define the shared secret and specify the correct location, Device Type group and any other specific settings. The incoming request will match the NAD based on the source IP address.

There is no ACL that I am aware of to order the networks; it will depend on the incoming IP address received by ISE.

Hi.

I thought that this would be the case, but I wanted to keep my existing name.
But I will do it the easy (and most correct) way and configure a new NAD.

Thanks

//Draken

Marvin Rhoads
Hall of Fame

We don't generally put entire networks in the network device list. We put the actual address of individual network devices.

Hi Marvin,

Well, the /24 is the range for my network equipment at that site; there won't be anything else in there.

But maybe I should reconsider, as a best and secure practice?

Whilst it's handy to use subnet ranges in the ISE Network Devices definition, my main concern with it is that when you look at Live Logs, you won't see exactly which device sent the request - you will see the name you've assigned to the entire subnet. You have to click on each Live Log to reveal the NAS IP Address details. If that doesn't bother you, then the next concern would be "security" - however, an attacker could only add themselves into the LAN and talk to ISE if they knew the RADIUS shared secret. I don't know if security is the main concern - it's just tidier to have /32s in ISE, and it also allows for easier auditing - e.g. in a /24 subnet, you will never know how many RADIUS clients you have; on the other hand, if you specify each one as a /32, then you have a clear and documented audit of that subnet's devices.

I would assume that large customers that e.g. have a subnet just for Meraki WAPs might rather use subnet notation in ISE, rather than adding thousands of WAPs into ISE.

Horses for courses.
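A pre-change check that follows the two points made in this thread (ISE matches the NAD by the request's source IP with no access-list style ordering, and a /32 entry identifies a device in Live Logs while a subnet entry only identifies the subnet). This is an added example, not code from the thread or from Cisco ISE; the NAD names and addresses are constructed, and treating an address that falls into two definitions as an error to fix before go-live is this example's assumption, not documented ISE behaviour.

```python
# Constructed sample NAD table: an existing temporary-site /24 and one /32.
# Keys are the NAD names as shown in Live Logs, values are CIDR strings.
from ipaddress import ip_address, ip_network

NADS = {
    "SITE-A-TEMP": "10.10.10.0/24",
    "CORE-SW-01": "10.20.0.1/32",
}

def overlaps(new_cidr, nads=NADS):
    """Names of existing NADs whose range overlaps the range about to be added.
    Anything returned here means the new site could collide with the
    temporary site's definition instead of leaving it untouched."""
    new = ip_network(new_cidr, strict=False)
    return sorted(name for name, cidr in nads.items()
                  if ip_network(cidr).overlaps(new))

def resolve_nad(src_ip, nads=NADS):
    """Name of the NAD a RADIUS request from src_ip would match, or None.
    Returns 'AMBIGUOUS' when more than one definition contains the address,
    because the thread gives no ordering rule to choose between them
    (assumption: treat that as a configuration error, not something to
    rely on ISE to resolve)."""
    addr = ip_address(src_ip)
    hits = [name for name, cidr in nads.items() if addr in ip_network(cidr)]
    if not hits:
        return None
    return hits[0] if len(hits) == 1 else "AMBIGUOUS"

def audit(nads=NADS):
    """What each NAD entry lets Live Logs tell you: a /32 names the device,
    a wider prefix only names the subnet, so the real number of RADIUS
    clients behind it is unknown (only the maximum is known)."""
    result = {}
    for name, cidr in nads.items():
        net = ip_network(cidr)
        if net.prefixlen == net.max_prefixlen:
            result[name] = "host"
        else:
            result[name] = f"subnet, up to {net.num_addresses} clients"
    return result
```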

Hi Arne.

Thanks for the good input; I will take this to the team.

Br

//Michael