10-28-2024 08:51 AM
Hi,
Has anyone been able to successfully deploy ISE in Azure using ExpressRoute from on-premise to the cloud?
We have had ISE running in Azure for about 3-4 months now and have noticed a large amount of fragmentation using EAP-TLS.
The Cisco guide suggests a fix has been applied in East Asia and West Central US; however, it's not been applied to UK South where our VMs are located. We have also raised this with Microsoft support; however, they cannot tell us what fix this is or when it will be rolled out to our region.
We enquired about the "enable allow out-of-order-fragments" option; however, they said this could only be applied if the traffic is coming from the internet, not via ExpressRoute or VPN, which is obviously not going to work as we wouldn't send RADIUS traffic straight over the internet! Other requirements include deploying VMs in a brand-new empty subscription and deploying to a Dv4 VM; again, this is not possible as the VMs are already in use within an existing subscription.
It's incredibly frustrating as Cisco can't seem to provide much info on the workaround and Microsoft are just fobbing us off by saying that the information is from Cisco and not from them!
I'd be grateful if other members on this forum have successfully deployed ISE in Azure with connectivity via ER or VPN and not seen the fragmentation issues when using EAP-TLS.
TIA.
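The post above comes down to two questions a practitioner will want to answer before opening a case: does a given EAP-TLS exchange actually push RADIUS over the path MTU and fragment at the IP layer, and, if it does, are the fragments arriving out of order on the Azure side (the situation the "allow out-of-order fragments" option is meant to cover)? The script below is an added example written for this thread, not code from the original poster, Cisco or Microsoft. It assumes the standard RADIUS/EAP-Message sizes from RFC 2865/2869 (20-byte RADIUS header, at most 253 data bytes per EAP-Message attribute, an 18-byte Message-Authenticator) and a 1500-byte MTU; the fragment arrival list is constructed to stand in for records pulled from a capture.

```python
"""Two checks for the EAP-TLS-over-RADIUS fragmentation problem discussed above.

Constructed example, not from the thread or from Cisco/Microsoft:
  1. radius_ip_fragments(): estimate how many IP fragments a RADIUS packet
     carrying one EAP-TLS fragment will produce at a given MTU.
  2. classify_fragments(): given fragment records (e.g. pulled from a capture),
     flag datagrams whose fragments arrived out of order, the case an
     "allow out-of-order fragments" setting would have to cover.
"""
import math
from collections import defaultdict
from dataclasses import dataclass

RADIUS_HEADER = 20          # Code, Identifier, Length, Authenticator (RFC 2865)
EAP_MSG_CHUNK = 253         # max data bytes per EAP-Message attribute (RFC 2869)
MSG_AUTHENTICATOR = 18      # Message-Authenticator attribute incl. 2-byte header
IP_HEADER = 20
UDP_HEADER = 8


def radius_ip_fragments(eap_len: int, other_attr_bytes: int = 0, mtu: int = 1500) -> int:
    """Number of IP fragments for a RADIUS packet carrying eap_len bytes of EAP."""
    if eap_len < 0 or mtu <= IP_HEADER + UDP_HEADER:
        raise ValueError("bad input")
    # Each EAP-Message attribute adds a 2-byte Type/Length header to its chunk.
    eap_attr_bytes = eap_len + 2 * math.ceil(eap_len / EAP_MSG_CHUNK)
    radius_len = RADIUS_HEADER + eap_attr_bytes + MSG_AUTHENTICATOR + other_attr_bytes
    ip_len = IP_HEADER + UDP_HEADER + radius_len
    if ip_len <= mtu:
        return 1
    # Every fragment but the last carries a multiple of 8 payload bytes.
    per_fragment = (mtu - IP_HEADER) // 8 * 8
    return math.ceil((UDP_HEADER + radius_len) / per_fragment)


@dataclass(frozen=True)
class Fragment:
    ip_id: int      # IP Identification field shared by all fragments of one datagram
    offset: int     # fragment offset in bytes (header field * 8)
    length: int     # payload bytes carried by this fragment
    more: bool      # More Fragments flag


def classify_fragments(arrivals):
    """Map ip_id -> 'in_order' | 'out_of_order' | 'incomplete' from an arrival list."""
    by_id = defaultdict(list)
    for frag in arrivals:
        by_id[frag.ip_id].append(frag)
    verdict = {}
    for ip_id, frags in by_id.items():
        ordered = sorted(frags, key=lambda f: f.offset)
        # Complete means contiguous offsets from 0 and a final fragment with MF clear.
        expected = 0
        complete = True
        for f in ordered:
            if f.offset != expected:
                complete = False
                break
            expected = f.offset + f.length
        if complete and ordered[-1].more:
            complete = False
        if not complete:
            verdict[ip_id] = "incomplete"
        elif [f.offset for f in frags] == [f.offset for f in ordered]:
            verdict[ip_id] = "in_order"
        else:
            verdict[ip_id] = "out_of_order"
    return verdict


# Constructed arrival sequence standing in for a capture taken on the Azure side.
SAMPLE_ARRIVALS = [
    Fragment(0x1001, 0, 1480, True), Fragment(0x1001, 1480, 78, False),   # in order
    Fragment(0x1002, 1480, 78, False), Fragment(0x1002, 0, 1480, True),   # tail arrives first
    Fragment(0x1003, 0, 1480, True),                                      # tail never arrives
]


def summarize(arrivals=SAMPLE_ARRIVALS):
    """Count datagrams per verdict; a non-zero out_of_order count is the signal to chase."""
    counts = defaultdict(int)
    for v in classify_fragments(arrivals).values():
        counts[v] += 1
    return dict(counts)


if __name__ == "__main__":
    print("fragments for a 1002-byte EAP fragment:", radius_ip_fragments(1002))
    print("fragments for a 1500-byte EAP fragment:", radius_ip_fragments(1500))
    print(classify_fragments(SAMPLE_ARRIVALS))
    print(summarize())
```

The sizing function shows why a smaller EAP-TLS fragment size on the server side keeps each Access-Challenge inside one IP datagram, while the classifier gives you a concrete count of out-of-order versus dropped fragments to put in front of the cloud provider instead of a general "EAP-TLS fails" description.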
03-20-2025 03:42 PM
My MS case number is 2501270030001062 if you want to pass that on to your MS engineer so they can see it is still an option on their side, but I do note that my MS engineer did say he believed that the option is going to be phased out over time, as all their new VM SKUs with advanced networking don't support the option.
03-21-2025 05:03 AM
Thanks for providing that case number, Damon – that’s very helpful but it’s not inspiring reading some of the caveats involved in the answer you received from Microsoft.
Are you having success with your IPSEC idea? Is it working as expected and you’re getting consistent authentications?
03-23-2025 05:58 PM
We have the IPSEC solution working on 5 of our 7 9800 WLCs; for some reason we have 2 9800 WLCs where the IKE service is not starting, TAC investigating.
There are also some caveats with the ISE solution to be aware of. It requires a new interface and IP on the ISE node to service the IPSEC and RADIUS connection; G0 can't be used. The traffic selection on what to send via the IPSEC tunnel is done via a static route, so all communication from the ISE node to the NAD will be sent via the tunnel, even if you are hitting ISE via the original interface IP (non-IPSEC tunnel IP), so it is all communication, not just RADIUS traffic. So if migrating RADIUS, also migrate TACACS and CoA etc.
03-21-2025 12:32 AM
I am in the same position as @CitizenGenet as we use Cisco Meraki for wireless and RADIUS-DTLS is not supported on Meraki and EAP-DTLS is not supported on Cisco ISE, so we are pretty stuck at the moment. I think Cisco and Microsoft are aware of the issue and trying to resolve it but nothing seems close. One of the suggestions was to use FastPath over ExpressRoute (additional cost) but that doesn't work with virtual WANs, so that's not an option either.