
Can we use ISE as DHCP/DNS server to prevent guest traffic using internal DHCP/DNS servers?

damode
Level 1

I have a client who wants to deploy only a single ISE node in their environment for wireless guest access.

 

  • Their current DHCP server is configured in AD, which is hosted in their datacentre.
  • They are using Meraki MX devices for wireless.
  • ISE will be part of the Corp network.
  • Their concern is that they don't want guest devices accessing the AD server for DHCP/DNS.

 

In this case, I was wondering if I could use ISE as a DHCP and DNS server. But I read in the docs that these features exist in ISE for third-party NAD devices that don't support dynamic or static URL redirection.

 

So, my question is, even though the client's NAD device would be Meraki, in that case, can I use ISE as a DHCP and DNS server?

1 Accepted Solution


ISE will always return itself as DNS and it is not a configurable parameter.

This is not intended as production DHCP; rather, it was just meant to provide DHCP during AUTH state to address the lack of the URL-Redirect feature on certain NADs. I understand the OP's desire to utilize ISE as a DHCP server for other purposes, but recommend using the router/switch or a purpose-built DHCP server.


6 Replies

marce1000
VIP

 

 - Basically not, as the below thread will confirm: MS-AD is indeed not a good solution for DHCP; better is to look into appliances such as Infoblox or others. These can offer extended and flexible configuration for lots of VLANs and subnets.

     https://community.cisco.com/t5/network-access-control/ise-with-dhcp-server/td-p/3540467

 M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

They are already using MS-AD now for DHCP.

The question is whether we can use ISE as DHCP and DNS server for handling wireless guest connections.

 

 - Negative 

    M.




Can you please explain why?
Also, please recommend an alternative way we can achieve this?

Hi @damode 

 

It’s a great question and it’s probably not the use case that Cisco intended. But there is no reason why it should not work.

I have always wanted to test this in my lab but never got around to it. I don’t know if the ISE PSN would hand out the DNS server to the client. That would be a show stopper if it didn’t. Do you have the opportunity to try this in a lab environment? The function of a single DHCP service should not pose a problem to even a simple Linux daemon. You’re probably not concerned with lease database survivability or complex options?

I would, however, think this is not in your best interest because there is no way to monitor the scope usage etc. or to manage the leases. I’d say look elsewhere.

