Hi Francesco, 

I wanted to also try using other interfaces for data traffic meanwhile letting gig0 for management only, but I am not able to find guides on the required configuration steps. 

Can u please help me find a guide on how to configure other interfaces other than gig0 to handle data traffic such as wired data traffic or wireless guest traffic, meanwhile leaving gig0 only for management traffic? 

I don't think the official guide explains it as a straight forward UseCase and all tutorials I have seen use Gig0 only.  

You advice would be highly appreciated. 

Best,

L

Hi

Other interfaces are configured on the CLI. Connect to ssh on your ISE, then go to conf t and under interface configuration using commands interface gig1 for example. You can assign an ip address. Then on conf t mode (not under interface config), you can add a default route pointing towards the gateway of this new interface.

In conf t mode, you'll need to configure a fqdn that ise will send out when users reaching this interface for services using the command ip host.

Be careful, you can have 1 fqdn per interface ip and by default it must be different on all your nodes as you'll have a different IP per node per interface.

To simplify this, you can have an anycast architecture, so same ip and same fqdn on all nodes. Users will access the closest ise node based on the routing. 

What do you mean but 1 interface for wired, 1 for wireless? Usually, you have 1 interface for radius/tacacs authentication and 1 for portals. At least, this is the way i deploy them.

Not found a clear documentation, showing all this in 1 global doc. However if you search piece by piece, you'll have multiple documentation explaining each part separately.

Hi Francesco, 

Thank you for the information provided. Much appreciated. 

Based on your information I am assuming the following:

Two ISE ports are connected to Switch that leads towards Internet. One of them, holding management traffic and Radius/TACACS+, meanwhile the other holding portals traffic. 

For the Management, Radius/TACACS+ traffic, its the default port of Gig0 that we configure during the base setup. 

Meanwhile for the Portals Interface, we check the port in the portals modification when we setup the portals, and that is when the portals traffic gets passed through that traffic. 

Now, I am not sure I have seen how to add an FQDN to an interface somewhere so far, but I will be after that today. If you have something, please share that with me.  

If you are a blogger and have something similar posted somewhere, I would be highly interested to read that. 

Thank you and best wishes, 

L

As @Francesco Molino mentioned, you need to create an FQDN alias using the 'ip host' command on the ISE node when using a separate interface for guest portal traffic. The FQDN configured is then the one that is presented to the client in the URL redirect sent by the PSN that handles the initial RADIUS session.

The syntax is as follows. A unique FQDN must be used on each PSN and restarting the app server service will be required.

(config)# ip host <gig1_ip_address> <portal hostname|FQDN>

For more information on traffic flows and best practices, see the following Cisco Live presentation.

Advanced ISE Architect, Design and Scale ISE for your production networks - BRKSEC-3432 

Hi Greg, 

Thank you. Information provided is much appreciated. 

Best,

L 

Hi Francesco, 

Thank you. Information provided is much appreciated. 

Best,

L