Cisco Community
English
Register
We're here for you! LEARN about free offerings and business continuity best practices during the COVID-19 pandemic
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Announcements
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

425
Views
0
Helpful
6
Replies
Highlighted
damode
Beginner
Beginner
‎02-25-2020 08:42 PM
‎02-25-2020 08:42 PM

Can we use ISE as DHCP/DNS server to prevent guest traffic using internal DHCP/DNS servers ?

I have a client who wants to deploy only single ISE node in their environment for wireless guest access.

 

  • Their current DHCP server is configured in AD which is hosted in their datacentre.
  • They are using Meraki MX devices for wireless
  • ISE will be part of Corp network.
  • Their concern is they dont want guest devices accessing the AD server for DHCP/DNS.

 

In this case, I was wondering if I could use ISE as DHCP and DNS server. But I read in docs that these features exist in ISE for third party NAD devices that dont support dynamic or static url redirection.

 

So, my question is, even though the client's NAD device would be Meraki, in that case, can I use ISE as DHCP and DNS server ?

0 Helpful
Reply
1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
howon
Cisco Employee
Cisco Employee
‎02-26-2020 09:01 AM
‎02-26-2020 09:01 AM

Re: Can we use ISE as DHCP/DNS server to prevent guest traffic using internal DHCP/DNS servers ?

ISE will always return itself as DNS and it is not a configurable parameter.

This is not intended as production DHCP, rather it was just meant to provide DHCP during AUTH state to address the lack of URL-Redirect feature on certain NADs. I understand the OP's desire to utilize ISE for DHCP server for other purpose, but recommend using the router/switch or a purpose built DHCP server.

View solution in original post

0 Helpful
Reply
6 REPLIES 6
Highlighted
marce1000
VIP Engager VIP Engager
VIP Engager
‎02-26-2020 12:35 AM
‎02-26-2020 12:35 AM

Re: Can we use ISE as DHCP/DNS server to prevent guest traffic using internal DHCP/DNS servers ?

 

 - Basically not as the below thread will confirm : MS-AD is indeed not a good solution for DHCP, better is to look into appliances such as infoblox or others. These can offer extended and flexible configuration for lots of vlan's and subnets.

     https://community.cisco.com/t5/network-access-control/ise-with-dhcp-server/td-p/3540467

 M.

0 Helpful
Reply
Highlighted
damode
Beginner
Beginner
‎02-26-2020 12:40 AM
‎02-26-2020 12:40 AM

Re: Can we use ISE as DHCP/DNS server to prevent guest traffic using internal DHCP/DNS servers ?

They are already using MS-AD now for DHCP.

The question is whether we can use ISE as DHCP and DNS server for handling wireless guest connections.
0 Helpful
Reply
Highlighted
marce1000
VIP Engager VIP Engager
VIP Engager
‎02-26-2020 12:48 AM
‎02-26-2020 12:48 AM

Re: Can we use ISE as DHCP/DNS server to prevent guest traffic using internal DHCP/DNS servers ?

 

 - Negative 

    M.

0 Helpful
Reply
Highlighted
damode
Beginner
Beginner
‎02-26-2020 02:15 AM
‎02-26-2020 02:15 AM

Re: Can we use ISE as DHCP/DNS server to prevent guest traffic using internal DHCP/DNS servers ?

can you please explain why ?
Also, please recommend an alternative way we can achieve this ?
0 Helpful
Reply
Highlighted
Arne Bier
VIP Advocate VIP Advocate
VIP Advocate
‎02-26-2020 02:26 AM
‎02-26-2020 02:26 AM

Re: Can we use ISE as DHCP/DNS server to prevent guest traffic using internal DHCP/DNS servers ?

Hi @damode 

 

it’s a great question and it’s probably not the use case that Cisco intended. But there is no reason why it should not work. 

i have always wanted to test this in my lab but never got around to it. I don’t know if the ISE PSN would Hand out the DNS server to the client. That would be a show stopper if it didn’t. Do you have the opportunity to try this in a lab environment?The function of a single DHCP service should not pose a problem to even a simple Linux daemon. You’re probably not concerned with lease database survivability or complex options?

I would however think this is not in your best interest because there is no way to monitor the scope usage etc or to manage the leases. I’d say look elsewhere. 

0 Helpful
Reply
Highlighted
howon
Cisco Employee
Cisco Employee
‎02-26-2020 09:01 AM
‎02-26-2020 09:01 AM

Re: Can we use ISE as DHCP/DNS server to prevent guest traffic using internal DHCP/DNS servers ?

ISE will always return itself as DNS and it is not a configurable parameter.

This is not intended as production DHCP, rather it was just meant to provide DHCP during AUTH state to address the lack of URL-Redirect feature on certain NADs. I understand the OP's desire to utilize ISE for DHCP server for other purpose, but recommend using the router/switch or a purpose built DHCP server.

View solution in original post

0 Helpful
Reply
Latest Contents
AMP4E - Cisco Threat Response and ESA Integration
Created by bremarqu on 05-27-2020 09:16 AM
0
0
0
0
Hello, This video provides the steps to configure the Cisco Threat Response (CTR) and ESA Integration.   This is live on the portal:https://video.cisco.com/video/6159336218001   And on YouTube:https://www.youtube.com/watch?v=UCKIdx5rdFg   ... view more
Migrate from C170 to C190
Created by fhk_license on 05-26-2020 02:24 AM
3
0
3
0
I need to migrate from C170 to C190 and have already match to the same Firmware Version. I have a question. Is there any method that can export and import the configuration file instead of form cluster ?
DGTL-BRKSEC-1011 - A Challenger Appears: Defending Mailboxes...
Created by chclasen on 05-20-2020 09:43 AM
0
0
0
0
This AMA will serve as the Q&A for the Cisco Live Digital breakout DGTL-BRKSEC-1011 - "A Challenger Appears: Defending Mailboxes in the Cloud" which covers a brand new product which will be announced during the event: Cloud Mailbox Defense. Join Techn... view more
ASA Image won't stay
Created by Senbonzakura on 05-19-2020 12:19 PM
3
0
3
0
I've fixed this before but now I'm running into a different type of an issue. My firewall isn't booting to the image so I have to keep reloading the image onto the ASA. Any help would be appreciated. Also my Config-Register is set to 0x1. As of right now,... view more
#CiscoChat Live - SMBs and CyberSecurity: Busting Traditiona...
Created by Kelli Glass on 05-18-2020 02:05 PM
0
0
0
0
Join us live on Tuesday, May 19th at 10 am PT (and on demand after) as we officially bust the myths around SMBs and cybersecurity. Join our experts for a live Cisco Chat - we'll share some fascinating survey results, and outline key factors for a suc... view more
CreatePlease to create content
Discussion
Blog
Document
Video
Content for Community-Ad
Cisco Community April 2020 Spotlight Award Winners

Follow our Social Media Channels