ISE and GUEST network subnet overlap

alezabela
Level 1

Hi guys, I have some questions before the real ISE implementation. The company has multiple remote sites connected over DMVPN and EIGRP. All remote sites have a standardized guest network with the same subnet everywhere, i.e. the GUEST network is 172.16.1.0/24. This network is not participating in EIGRP, so basically this network works as a local one and cannot be reached from the DC to the client, i.e. 172.16.1.1.

The company would like to run ISE as a sponsored guest portal but faces subnet overlap and a non-routable network, i.e. ISE is running in the DC and the ISE appliance cannot reach the 172.16.1.0/24 network, but the 172.16.1.0/24 network can reach ISE (i.e. traffic is allowed by firewall rules). Is there any solution on how to implement ISE in such a case? Thanks
1 Accepted Solution

Accepted Solutions

Greg Gibbs
Cisco Employee

There are some options here depending on whether you're talking about Wired or Wireless Guest, where the NADs (switches/WLCs) are located, etc.

NAT is not supported for the RADIUS traffic from the NADs to the WLCs, but NAT should not affect traffic from the client subnet to the PSN as long as the routing is there and the clients can resolve the PSNs via DNS.

You could also look at distributed PSNs at the remote sites (if the sites have local AD/DNS services) or using dual interfaces on the PSNs in the DC with one interface connected to a DMZ or other external zone for user-facing portals.

 

I would suggest having a look at the Load Balancing RADIUS and Load Balancing Web Services section in the following CiscoLive session reference deck to understand the flows better. You will likely need to map out your end to end flows in detail to understand them step-by-step and identify any issues.

Cisco Live 2018 Orlando: Designing ISE for Scale & High Availability - BRKSEC-3699

 

Cheers,

Greg


4 Replies

Muhammad Awais Khan
Cisco Employee
Hi,

NAT from each branch can make 802.1X authentication work, but NAT would create problems with features like CoA and profiling, and CoA would be required for guest web redirection.

First of all, with bidirectional NAT, can you make reachability between ISE and the client?

Hi,

Each remote site has its own WLC controller installed.
I think that there is an option to use the WLC Mobility feature, but for this kind of solution I will need to install a WLC in the DC.

Correct, you will need an Anchor WLC that would sit behind your firewall in a DMZ. The problem with the mobility tunnels over your WAN is that they can impact WAN utilization, and there is the additional hardware and setup cost of the Anchor WLC.

 

Another option to consider is to use a routable "onboarding subnet" for each site. This VLAN will allow guests to get access only to the ISE sponsored guest portal; once authenticated successfully, ISE can put the client back into your existing non-routable Guest VLAN.
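Greg's advice to map the end-to-end flows, Awais's point that branch NAT breaks the ISE-initiated CoA, and the onboarding-subnet option above can all be checked with a small flow model. The script below is an added example, not code from the thread or from Cisco; every address, site name and scenario in it is constructed, and the ports are the usual ISE defaults (RADIUS UDP/1812, CoA UDP/1700, guest portal TCP/8443) used only as labels. It encodes one rule: a flow across sites works only if the responder's prefix is routed and the initiator's prefix is either routed or hidden behind NAT, and it reports which of the four scenarios leave which flows broken.

```python
"""Constructed flow-reachability model for the ISE guest design discussed above.

Assumptions (not from the thread): the DC hosts the PSN in 10.0.0.0/24, the
branch WLC lives in 10.1.1.0/24, the guest VLAN is the thread's 172.16.1.0/24,
and a hypothetical routable onboarding VLAN is 10.1.20.0/24.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Prefix:
    network: IPv4Network
    site: str
    routed: bool          # advertised over EIGRP/DMVPN, so reachable from other sites
    natted: bool = False  # site translates this prefix's outbound traffic to a routed address


@dataclass(frozen=True)
class Flow:
    name: str
    src: str   # initiating host
    dst: str   # responding host
    port: str  # label only, e.g. "UDP/1812"


def locate(prefixes, ip):
    """Find the prefix an address belongs to."""
    addr = ip_address(ip)
    for p in prefixes:
        if addr in p.network:
            return p
    raise ValueError(f"{ip} is not in any known prefix")


def check_flow(prefixes, flow):
    """Return (ok, reason) for an initiator->responder flow including its return path."""
    src, dst = locate(prefixes, flow.src), locate(prefixes, flow.dst)
    if src.site == dst.site:
        return True, "same site, switched locally"
    if not dst.routed:
        return False, f"{flow.dst} is in non-routed {dst.network} at {dst.site}; initiator has no route"
    if src.routed:
        return True, "both ends routed"
    if src.natted:
        return True, f"{flow.src} is NATed at {src.site}; replies follow the translation state"
    return False, f"replies to {flow.src} in non-routed {src.network} have no path back"


def build_site(guest_natted=False, wlc_routed=True, wlc_natted=False):
    """One DC plus one branch; flags model the NAT variants raised in the thread."""
    return [
        Prefix(ip_network("10.0.0.0/24"), "DC", routed=True),                               # PSN
        Prefix(ip_network("10.1.1.0/24"), "BranchA", routed=wlc_routed, natted=wlc_natted),  # WLC mgmt
        Prefix(ip_network("172.16.1.0/24"), "BranchA", routed=False, natted=guest_natted),   # guest VLAN
        Prefix(ip_network("10.1.20.0/24"), "BranchA", routed=True),                         # onboarding VLAN
    ]


def flows_for(client_ip):
    """The ISE guest flows Greg suggests mapping, for a client at the given address."""
    return [
        Flow("RADIUS auth, WLC -> PSN", "10.1.1.10", "10.0.0.10", "UDP/1812"),
        Flow("CoA, PSN -> WLC", "10.0.0.10", "10.1.1.10", "UDP/1700"),
        Flow("Guest portal, client -> PSN", client_ip, "10.0.0.10", "TCP/8443"),
        Flow("PSN-initiated to client (e.g. probe)", "10.0.0.10", client_ip, "any"),
    ]


SCENARIOS = {
    "non-routed guest VLAN, no NAT": (build_site(), "172.16.1.50"),
    "guest VLAN NATed at branch": (build_site(guest_natted=True), "172.16.1.50"),
    "WLC also behind NAT": (build_site(guest_natted=True, wlc_routed=False, wlc_natted=True), "172.16.1.50"),
    "routable onboarding VLAN": (build_site(), "10.1.20.50"),
}


def failures(scenario):
    """Sorted names of flows that break in a scenario (empty list means all flows work)."""
    prefixes, client_ip = SCENARIOS[scenario]
    return sorted(f.name for f in flows_for(client_ip) if not check_flow(prefixes, f)[0])


if __name__ == "__main__":
    for name, (prefixes, client_ip) in SCENARIOS.items():
        print(f"== {name}")
        for f in flows_for(client_ip):
            ok, reason = check_flow(prefixes, f)
            print(f"  {'OK  ' if ok else 'FAIL'} {f.name:40} {f.port:9} {reason}")
```

Running it shows the thread's conclusions in one table: the plain non-routed guest VLAN breaks the portal flow, branch NAT repairs the portal but leaves anything PSN-initiated toward the client broken, putting the WLC itself behind NAT breaks CoA even though RADIUS authentication still works, and the routable onboarding VLAN is the only variant with no failing flow. Extend `build_site` with real prefixes and `flows_for` with DNS or DHCP to map a production design.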