Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1405
Views
0
Helpful
1
Replies

ISE - interface aware TACACS / NAD definitions with overlapping IPs - feature request ?

Go to solution
Przemyslaw Konitz
Level 1
Level 1

‎05-14-2020 10:51 AM

hi All,

just wanted to ask if thats possible (I think not) or if they are any plans on roadmap to implement the following feature.

 

I'd like to reuse my existing ISE deployment for different network segments which can have overlapping networks.

Anyway I need to distinguish NADs somehow and thats the first obstacle - ISE doesn't allow overlapping ones

If we could just add one differentiator to such definition

aka

VRF / interface ...

 

what do you think?

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Arne Bier
VIP
VIP

‎05-14-2020 04:01 PM

Hello

 

This would require ISE to become VRF aware, because at the simple L3 level (UDP/TCP) without that knowledge, how would ISE know how to return the UDP traffic (i.e. if it has to send a UDP packet to 10.10.10.10 ... all ISE knows is to use the IPv4 stack and send the packet on its way). But if you have overlapping IPv4 subnets then ISE will need to have that routing intelligence.

I won't say "never" - but I think unless that Layer 3 IP routing issue is not resolved, then this problem applies to any RADIUS vendor. ISE has multiple interfaces - but at the Linux level, they all find their way to a single IPv4 stack.

Obvious solution would be to deploy one ISE deployment per "customer/overlap"

IPv6 is perhaps an alternative solution :-)

 

You can send feature requests to this link.

 

regards

Arne 

View solution in original post

0 Helpful
1 Reply 1

Go to solution
Arne Bier
VIP
VIP

‎05-14-2020 04:01 PM

Hello

 

This would require ISE to become VRF aware, because at the simple L3 level (UDP/TCP) without that knowledge, how would ISE know how to return the UDP traffic (i.e. if it has to send a UDP packet to 10.10.10.10 ... all ISE knows is to use the IPv4 stack and send the packet on its way). But if you have overlapping IPv4 subnets then ISE will need to have that routing intelligence.

I won't say "never" - but I think unless that Layer 3 IP routing issue is not resolved, then this problem applies to any RADIUS vendor. ISE has multiple interfaces - but at the Linux level, they all find their way to a single IPv4 stack.

Obvious solution would be to deploy one ISE deployment per "customer/overlap"

IPv6 is perhaps an alternative solution :-)

 

You can send feature requests to this link.

 

regards

Arne 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents