ISE Device Administration Service

jordi.cano
Level 1

Hello team,

On Cisco ISE:

Is it a best practice to use the interface Giga eth0 (dedicated to management) as the port for the Device Administration Service, to manage administrative access for Cisco IOS based network devices (AAA, TACACS or RADIUS)?


I have Cisco ISE in HA in a small deployment network (with two ISE nodes).


Best regards

Jordi

Accepted Solution

paul
Level 10

I use a single interface on all my ISE nodes except in the case where I need a Guest portal running in a DMZ.  Keep things simple and use a single interface.


4 Replies

keglass
Level 7

Hello,

I am moving your post to the Security ISE community for better visibility and access to information.


Thank you for participating in the community.

Kelli Glass

Moderator for Cisco Customer Communities

jordi.cano
Level 1

Hi,

I totally agree with seeking simplicity; that is the reason for my question.

Keep in mind that the AAA traffic is located in an out-of-band network of a large network.

The two options I have are:

1- AAA traffic of any equipment to the ISE management port (same network).

2- AAA traffic of any equipment to the service port of the ISE (NAT or a new VRF, for example).

Which of the two options is most appropriate?

Best regards

Ahh, the fact that you are doing OOB management is an important piece of information not in the original post.

So, assuming your ISE nodes are in the normal production network, as you said, you have two options:

1) You can take a 2nd interface off your ISE nodes and put them into the OOB network.

2) Allow traffic from the OOB network to the normal production network for TACACS purposes only.

If there is already some mechanism in place to leak traffic from the OOB network to the production network, then I would probably go with #2, but if not, #1 would work fine as well.
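The two options in the reply above, written out as configuration. This is an added example and not configuration from the original thread or from Cisco; every address, VRF name and interface number is assumed for illustration (ISE nodes at 10.10.10.11/.12 on the production network, an OOB management VRF called MGMT in 10.50.0.0/16). Option 1 puts a second ISE interface into the OOB network and points the IOS devices at it; option 2 keeps the IOS devices talking to the ISE management address and opens only TCP/49 (TACACS+) from the OOB network to the two ISE nodes at the boundary. In both cases the IOS side sources AAA from the OOB interface and VRF, so device-administration traffic never transits the production data path.

```cisco
! ---- Option 1: second ISE interface in the OOB network (ISE CLI) ----
! Run on each ISE node. GigabitEthernet 1 is the assumed second NIC;
! 10.50.2.11 (and .12 on the second node) are assumed OOB addresses.
! The static route keeps return traffic for the OOB range on that interface.
interface GigabitEthernet 1
 ip address 10.50.2.11 255.255.255.0
 no shutdown
ip route 10.50.0.0 255.255.0.0 gateway 10.50.2.1

! ---- Option 2: boundary ACL, TACACS+ only from OOB to production (IOS) ----
! Applied on the router that leaks OOB into production. Only TCP/49 to the
! two ISE nodes is allowed; everything else from the OOB range is dropped and logged.
ip access-list extended OOB-TO-PROD
 permit tcp 10.50.0.0 0.0.255.255 host 10.10.10.11 eq tacacs
 permit tcp 10.50.0.0 0.0.255.255 host 10.10.10.12 eq tacacs
 deny   ip  any any log

! ---- IOS device side (common to both options) ----
! The OOB interface lives in its own VRF; AAA is bound to that VRF and sourced
! from that interface so TACACS+ never leaves via the production routing table.
vrf definition MGMT
 address-family ipv4
!
interface GigabitEthernet0/0
 description OOB management
 vrf forwarding MGMT
 ip address 10.50.1.10 255.255.255.0
!
aaa new-model
!
! Server addresses: use the ISE OOB addresses (10.50.2.11/.12) for option 1,
! or the ISE management addresses (10.10.10.11/.12) for option 2.
tacacs server ISE-NODE1
 address ipv4 10.50.2.11
 key 0 REPLACE-WITH-SHARED-SECRET
tacacs server ISE-NODE2
 address ipv4 10.50.2.12
 key 0 REPLACE-WITH-SHARED-SECRET
!
aaa group server tacacs+ ISE-TACACS
 server name ISE-NODE1
 server name ISE-NODE2
 ip vrf forwarding MGMT
 ip tacacs source-interface GigabitEthernet0/0
!
! Fall back to the local user database only if no ISE node answers.
aaa authentication login default group ISE-TACACS local
aaa authorization exec default group ISE-TACACS local if-authenticated
aaa authorization commands 15 default group ISE-TACACS local if-authenticated
aaa accounting exec default start-stop group ISE-TACACS
aaa accounting commands 15 default start-stop group ISE-TACACS
!
line vty 0 4
 transport input ssh
```

Two checks worth doing after applying either option: `show tacacs` on the IOS device should show the ISE nodes as reachable from the MGMT VRF, and `test aaa group ISE-TACACS <user> <password> new-code` should return a pass before you remove any local fallback accounts. The `local` fallback in the method lists matters because TACACS+ on TCP/49 is the only path to the device once the VTY lines are bound to it; a boundary ACL that is too tight (option 2) or a missing static route on the ISE second interface (option 1) otherwise locks you out of the device. Note also that TACACS+ only obfuscates the body with the shared secret, which is part of why it belongs on a scoped OOB path rather than being routed across the production network.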