04-06-2022 06:33 AM
Should I do any separate configuration for TACACS+/RADIUS to work on interface 2 of ISE? ISE Gb0 is used for management only.
I think by default RADIUS requests are listened for on all interfaces.
Should any configuration be done to separate management and TACACS+ traffic onto separate interfaces?
04-06-2022 06:51 AM
Yes, and no. Check out this post to see why.
04-07-2022 01:39 PM
I would think long and hard before adding another link into any ISE node. I guess it makes sense to restrict this to PSNs only since the PAN/MNT has no use for it at all.
I am not a friend of multiple interfaces on PSNs, for the following reasons:
Security by obscurity?
RADIUS, TACACS+, SSH, NTP, SNMP, syslog, etc. are all management traffic - therefore, IMHO, they belong on gig0. Even the good old Sponsor Portal should ride on gig0 - it's internal traffic.
As for the Guest Portal, this is where opinions are divided. I see most customers putting this on gig0 and then securing their intranet by making the pre-auth and post-auth ACLs VERY VERY tight, down to the exact destinations for DNS servers and ISE TCP HTTPS ports. In fact, you could reduce the threat landscape by putting the guest portal FQDNs into the public DNS (most hosting providers will allow RFC1918 addresses in DNS records) and using a public DNS provider for your guest traffic (instead of pointing guests to your own infrastructure). As for the attack vector, that leaves TCP/8443 on the PSN (typical guest portal) - perhaps that is vulnerable to SYN attacks and cross-site scripting? To my knowledge this has not been discussed on these forums. I guess in theory it's possible. It would be nice to know what protection ISE provides in those situations (pen testing results).
04-06-2022 09:19 PM
Is there any specific configuration for this, or do I just create two interfaces and assign IP addresses? In my case there are only 2 interfaces - one for MGMT and the other for RADIUS/TACACS.
04-07-2022 12:41 AM
@manvik aside from assigning an IP address to the interface, you will need to define a static route on the PSNs - "ip route 0.0.0.0 0.0.0.0 x.x.x.x".
04-08-2022 09:40 PM
Thank you @Arne Bier, that was a detailed explanation. We just need a separate interface for devices in two separate networks.
All the interfaces serve RADIUS/TACACS authentication.
Devices in Network 1 communicate with INT1.
Devices in Network 2 communicate with INT2.
04-12-2022 05:55 AM
Where in the ISE GUI can I give an IP address to interfaces 2, 3, 4? Can it be done only from the CLI?
04-12-2022 06:09 AM
This is done in the CLI.
04-12-2022 06:23 AM
Thank you, any commands for that?
04-12-2022 06:56 AM
Similar to a switch. Use show run to get an idea.
All commands for ISE CLI are here: https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/cli_guide/b_ise_cli_reference_guide_31/ise_cli_reference_guide_31_CLT_chapter.html
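The two CLI steps mentioned in the replies above (assign an IP address to the second interface, then add a static route) as one worked example. This is an added illustration, not configuration from the thread or from Cisco's documentation: the hostname, addresses and subnets are constructed placeholders for the "Network 2 / INT2" case the original poster describes, and it assumes the ADE-OS route syntax `ip route <prefix> <mask> gateway <next-hop>`. It deliberately routes only the Network 2 address space through the new interface instead of adding a second default route, so Gb0 keeps the node's existing default gateway for management traffic.

```text
ise-psn1/admin# configure terminal
ise-psn1/admin(config)# interface GigabitEthernet 1
ise-psn1/admin(config-GigabitEthernet)# ip address 10.20.30.5 255.255.255.0
ise-psn1/admin(config-GigabitEthernet)# no shutdown
ise-psn1/admin(config-GigabitEthernet)# exit
ise-psn1/admin(config)# ip route 10.20.0.0 255.255.0.0 gateway 10.20.30.1
ise-psn1/admin(config)# exit
ise-psn1/admin# write memory
ise-psn1/admin# show running-config
ise-psn1/admin# show ip route
```

After saving, `show running-config` should list the new `interface GigabitEthernet 1` stanza and the `ip route` line, and `show ip route` should show 10.20.0.0/16 reachable via 10.20.30.1 while the default route still points out Gb0. Following the reasoning earlier in the thread, apply this only on PSNs (the PAN/MnT have no use for a second link), and keep the network ACLs in front of the new interface restricted to the RADIUS/TACACS+ devices in Network 2 so the extra link does not widen what can reach the node.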