5463 Views, 0 Helpful, 4 Replies

ISE Network Interfaces

desweiler (Level 1)

Hello,

We have placed the ISE in a DMZ. NIC 0 is used for administration of the ISE.

The switches send their RADIUS requests to the ISE via an out-of-band management network which is connected to the DMZ through a firewall.

What if I want to use CWA? I understand that the Guest/Sponsor Portal needs to be reachable via the clients' network. I can use a dedicated NIC on the ISE for this connection. So GIG0 is mgmt (in DMZ) and GIG1 is Guest/Sponsor Portal (not in DMZ).

What about security? Does the ISE route between the connected NICs? If it does, can I put a firewall between the client network and the Guest Portal NIC?

What is best practice here?

4 Replies

nspasov (Cisco Employee)

Good question! I would like to know the answer to as well!

The ISE interfaces do not and should not route between its interfaces. They have to exist on separate layer 3 networks, and you can add routes on the CLI if the clients exist multiple hops away from the interface itself.

http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/installation_guide/ise_ig/ise_app_c-ports.html#81419
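As an added illustration of the two constraints in the reply above (NICs on separate layer 3 networks, static routes only for client networks that are more than one hop away), here is a small checker. It is example code written for this thread, not Cisco's or the ISE's own tooling; the interface and client subnets are constructed sample values, and the `ip route <net> <mask> gateway <gw>` rendering assumes the ISE ADE-OS CLI syntax rather than reading it from any device.

```python
"""Check an ISE multi-NIC layout: each NIC on its own layer-3 network (ISE does
not route between NICs), and a static route for every client network that is
not directly attached, via the gateway of the NIC that serves that role."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample layout (not from the thread): GigabitEthernet 0 carries
# management and RADIUS in the DMZ, GigabitEthernet 1 hosts the guest portal.
INTERFACES: List[Dict[str, str]] = [
    {"name": "GigabitEthernet 0", "cidr": "192.0.2.10/24",
     "gateway": "192.0.2.1", "role": "mgmt"},
    {"name": "GigabitEthernet 1", "cidr": "198.51.100.10/24",
     "gateway": "198.51.100.1", "role": "guest"},
]

# Constructed client networks: the OOB network the switches send RADIUS from,
# a guest VLAN several hops away, and the directly attached guest subnet.
CLIENT_NETWORKS: List[Dict[str, str]] = [
    {"cidr": "10.10.0.0/16", "role": "mgmt"},
    {"cidr": "172.16.20.0/24", "role": "guest"},
    {"cidr": "198.51.100.0/24", "role": "guest"},
]

Route = Tuple[str, str, str, str]  # destination, netmask, gateway, NIC name


def check_separate_l3(interfaces: List[Dict[str, str]]) -> List[str]:
    """Return problems found: NIC subnets that overlap, or a gateway outside its NIC's subnet."""
    problems: List[str] = []
    seen: List[Tuple[str, ipaddress.IPv4Network]] = []
    for itf in interfaces:
        iface = ipaddress.ip_interface(itf["cidr"])
        gw = ipaddress.ip_address(itf["gateway"])
        if gw not in iface.network:
            problems.append(f"{itf['name']}: gateway {gw} is not inside {iface.network}")
        for other_name, other_net in seen:
            if iface.network.overlaps(other_net):
                problems.append(
                    f"{itf['name']} and {other_name} overlap ({iface.network} / {other_net})")
        seen.append((itf["name"], iface.network))
    return problems


def plan_static_routes(interfaces: List[Dict[str, str]],
                       client_networks: List[Dict[str, str]]) -> List[Route]:
    """Return the static routes needed: one per client network not directly attached,
    pointing at the gateway of the NIC whose role matches (mgmt or guest)."""
    routes: List[Route] = []
    for client in client_networks:
        dest = ipaddress.ip_network(client["cidr"])
        directly_attached = any(
            dest.subnet_of(ipaddress.ip_interface(i["cidr"]).network) for i in interfaces)
        if directly_attached:
            continue  # the NIC's own subnet: no route needed
        candidates = [i for i in interfaces if i["role"] == client["role"]]
        if not candidates:
            raise ValueError(f"no NIC serves role {client['role']!r} for {dest}")
        nic = candidates[0]
        routes.append((str(dest.network_address), str(dest.netmask),
                       nic["gateway"], nic["name"]))
    return routes


def render_ise_routes(routes: List[Route]) -> List[str]:
    """Render routes as ISE CLI lines (assumed syntax: ip route <net> <mask> gateway <gw>)."""
    return [f"ip route {dest} {mask} gateway {gw}" for dest, mask, gw, _ in routes]


if __name__ == "__main__":
    for problem in check_separate_l3(INTERFACES):
        print("PROBLEM:", problem)
    for line in render_ise_routes(plan_static_routes(INTERFACES, CLIENT_NETWORKS)):
        print(line)
```

The role tag is what keeps the guest VLAN's return path on the portal NIC rather than the management NIC; a guest subnet that ends up routed out of GigabitEthernet 0 would be reaching the admin side of the box, which is exactly what the firewall placement in the question is meant to prevent.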

Ryan Coombs (Level 1)

My situation is similar, but the opposite. We have ISE in our Enterprise MNGT zone (not in DMZ). NIC0 is for mngt and is accessible for us to manage from inside our network. For the guests using CWA we've created a VRF for Guest-Users to route to ISE, but using NIC3 only, which resides in our DMZ and blocks access to our regulatory network. This is required because the client needs to reach ISE on "nic3" for it to present the Guest Portal (Layer 3). Also, the client will need to receive a DHCP address beforehand to speak with ISE on its nic3, so we also have a DHCP server hanging off the guest VRF along with an interface on our WLC. The WLC on the DMZ is configured as an anchor controller and there is no need to poke any holes in our firewall.

To sum it up, we use NIC0 for mngt & RADIUS requests, but after the client connects to our WLC (Guest-WiFi) the controller talks to ISE layer 2 via NIC0; after MAB is performed (MAC filtering on the WLC) it gets a permit back allowing the client to receive DHCP and DNS; then, after a web page is attempted, our redirect ACL on the WLC sends the client to ISE NIC3, which hosts our Guest Portal. So at no time do they touch our inside network.

We are running ISE 1.2 patch 8, for your reference. Hopefully that helps some. I'm still learning one phase at a time.

abwahid (Level 4)

Hi,

Yes, ISE cannot perform routing between its interfaces, and the document link which Tarik shared is the detailed installation guide; please go through it, it will definitely help you out.


Thanks.