09-27-2013 03:15 PM - edited 03-10-2019 08:56 PM
Hello,
I am deploying Cisco ISE 1.2 in a distributed deployment and the requirement is to use the external RADIUS proxy feature. The ISE PSNs are designed to have 2 L3 NICs: Eth0 for administration and Eth1 as the client-facing NIC for RADIUS requests. I am interested to know whether Cisco ISE version 1.2 would use the Eth1 interface to send RADIUS authentication requests to the external RADIUS proxy server.
I could not find the above information in the Cisco SNS-3400 Series Appliance Ports Reference.
http://www.cisco.com/en/US/docs/security/ise/1.2/installation_guide/ise_app_c-ports.html
Thanks
Kumar
09-28-2013 08:39 AM
Hi Kumar,
I believe you need to move the question to the ACS/Identity and NAC section; it will be more accessible to the ISE experts.
Anyway, ISE can support an external RADIUS server as an External Identity source, and this can be done through any interface, like Gig0, which is the MGMT one.
You can consider your server like the AD, as an example, and ISE will use Gig0 for traffic forwarding to any other parties used in the configuration.
Please check this:
http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_man_id_stores.html#wp1098609
Thanks.
Ahmad.
09-28-2013 03:18 PM
Thanks Ahmad for the reply.
Cisco ISE uses the standard RADIUS authentication and authorization ports to send requests to the external RADIUS proxy. In the interface/port reference guide for version 1.2, the following is listed, which is causing confusion:
Eth0 | Eth1 | Eth2 | Eth3
Policy Service node | Session
External Identity Stores and Resources
Under External Identity Stores and Resources it says Eth0 is used for (Admin user interface authentication and endpoint authentication), whereas under Session it lists that all ports can be used for RADIUS Authentication and Authorization.
I am not sure what I am missing between the two; could you highlight that?
Thanks
Kumar
09-30-2013 12:08 AM
Hi Ahmed,
Did a TCP dump on the eth1 interface and I could see the external RADIUS proxy traffic being sent through the Eth1 interface of ISE. I will put the complete setup together and let you know the final results.
Thanks
Kumar
10-03-2013 06:29 AM
Hi Kumar,
Any update about your setup?
I'm asking because I need a similar thing with a different identity source and need to check whether it is applicable or not.
Thanks.
Ahmad.
10-15-2013 12:23 AM
Hello Amjad,
For External Identity sources, Cisco ISE would use Eth0 as the default and only interface to communicate with them. But in the case of external RADIUS proxy requests, it is not bound to the Eth0 interface and rather depends on the route on Cisco ISE.
Hope this answers the query.
Thanks
Kumar
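The behaviour described in the last post (proxied RADIUS requests follow the routing table rather than a fixed NIC) can be checked before firewall rules are written by running a longest-prefix-match lookup over the node's routes. This is an added example, not part of the thread and not Cisco code; the routing table, addresses, server names and function names are constructed for illustration.

```python
import ipaddress

# Constructed routing table for a PSN with two NICs (all values are sample data).
ROUTES = [
    ("0.0.0.0/0", "eth0"),       # default gateway via the admin interface
    ("10.10.0.0/24", "eth0"),    # connected admin subnet
    ("10.20.0.0/24", "eth1"),    # connected client-facing subnet
    ("172.16.50.0/24", "eth1"),  # static route towards an external RADIUS server
]


def egress_interface(dest, routes=ROUTES):
    """Return (interface, matched_prefix) chosen by longest-prefix match."""
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        # Keep the most specific route that contains the destination.
        if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (iface, net)
    if best is None:
        raise LookupError(f"no route to {dest}")
    return best[0], str(best[1])


def check_proxy_targets(targets, expected_iface, routes=ROUTES):
    """List external RADIUS servers whose traffic would not leave via expected_iface."""
    mismatches = []
    for name, ip in targets.items():
        iface, prefix = egress_interface(ip, routes)
        if iface != expected_iface:
            mismatches.append((name, ip, iface, prefix))
    return mismatches


if __name__ == "__main__":
    # Hypothetical external RADIUS servers; radius-b has no specific route.
    targets = {"radius-a": "172.16.50.10", "radius-b": "192.0.2.25"}
    for name, ip in targets.items():
        print(name, ip, *egress_interface(ip))
    print("not leaving via eth1:", check_proxy_targets(targets, "eth1"))
```

A server that only matches the default route shows up in the mismatch list, which is the case where a packet capture on Eth1 would show nothing.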