04-27-2016 01:57 AM - edited 03-10-2019 11:42 PM
Hi guys
We are planning to deploy a Cisco ISE server to manage NAC for 300 users (Windows, WYSE, Avaya phones and HP printers). DHCP is running on the DC and the ISE interface has Layer 2 visibility of the whole network segment it's managing.
We have just received an additional requirement for a dedicated/completely segregated switch VLAN which provides unrestricted Internet access. It would be connected to a third party Internet-facing router allowing connections directly on to the Internet. Effectively, it's a completely segregated network of a single VLAN and Internet access.
Would it be possible to manage port-security for this VLAN from the ISE server? If so, would the ISE server need an additional NIC configured in the subnet of the Internet VLAN?
Basically, I'm wondering if a single ISE server can be used to manage 2 completely independent networks. The Internet network would not use AD authentication and access would have to be granted manually on a case by case basis.
Many thanks
M
Solved! Go to Solution.
04-27-2016 01:23 PM
Just to clarify, ISE does NOT need to be Layer 2 adjacent to the clients to work. Only when using specific profiling probes is this ever useful. It has no use when doing MAC address validation or 802.1X.
As for your question, yes, ISE can manage validating, say, MAC addresses that need access to your "Internet" VLAN and your internal VLAN at the same time. However, it's not done with the switch "port-security" feature, but rather by entering the MAC addresses that need access in your ISE server and then using the "group" you put them in ISE in as a condition when authorizing access in ISE.
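The mechanism described in this answer, as an added simulation that is not part of the thread or of Cisco ISE itself: endpoints are placed by hand into identity groups keyed by MAC address, and the authorization policy uses group membership as its condition, returning the dynamic-VLAN RADIUS attributes the switch acts on. The group names, MAC addresses and VLAN numbers (200 for the Internet VLAN, 100 for the corporate VLAN) are constructed for the example; the MAC normalisation step exists because the Calling-Station-Id a switch sends can arrive in several formats, and a group lookup that depends on one format silently fails for the others.

```python
import re
from dataclasses import dataclass

# Constructed sample data, not exported from a real ISE deployment.
# Endpoint identity groups are populated by hand: the Internet VLAN in the
# question uses no AD, so MAB group membership is the only thing that
# authorizes a device onto it.
ENDPOINT_GROUPS = {
    "Internet-Allowed": {"00:11:22:AA:BB:01", "00:11:22:AA:BB:02"},
    "Corp-Printers":    {"3C:D9:2B:00:00:10"},
}

# Hypothetical VLAN numbers for the two independent networks.
INTERNET_VLAN = 200
CORP_VLAN = 100

_MAC_HEX = re.compile(r"^[0-9A-F]{12}$")


def normalize_mac(raw: str) -> str:
    """Canonicalise the RADIUS Calling-Station-Id a switch sends.

    Cisco IOS may send 0011.22aa.bb01, 00-11-22-AA-BB-01 or 00:11:22:aa:bb:01;
    the group membership check must not depend on which format arrives.
    """
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).upper()
    if not _MAC_HEX.match(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def identity_groups_for(mac: str) -> set:
    """Return the identity groups the (normalised) MAC belongs to."""
    mac = normalize_mac(mac)
    return {name for name, members in ENDPOINT_GROUPS.items() if mac in members}


@dataclass(frozen=True)
class Rule:
    name: str
    required_group: str   # identity group used as the authorization condition
    vlan: int             # VLAN pushed to the switch on a match


# First-match ordering, like an ISE authorization policy; no match -> reject.
RULES = [
    Rule("Internet-VLAN-MAB", "Internet-Allowed", INTERNET_VLAN),
    Rule("Corp-Printers-MAB", "Corp-Printers", CORP_VLAN),
]


def authorize(calling_station_id: str) -> dict:
    """Evaluate a MAB request and return the RADIUS reply the switch would see."""
    groups = identity_groups_for(calling_station_id)
    for rule in RULES:
        if rule.required_group in groups:
            return {
                "code": "Access-Accept",
                "rule": rule.name,
                # Standard dynamic-VLAN attributes (RFC 3580) carried in the reply.
                "attributes": {
                    "Tunnel-Type": "VLAN",
                    "Tunnel-Medium-Type": "IEEE-802",
                    "Tunnel-Private-Group-ID": str(rule.vlan),
                },
            }
    # Default rule: an unknown MAC gets no VLAN on either network.
    return {"code": "Access-Reject", "rule": "Default", "attributes": {}}


if __name__ == "__main__":
    for sid in ("0011.22aa.bb01", "3c-d9-2b-00-00-10", "aabbccddeeff"):
        print(sid, "->", authorize(sid))
```

Because the decision is keyed on group membership rather than on where the port is, a corporate printer plugged into an Internet-VLAN port is still only ever granted the corporate VLAN, and a MAC in neither group is rejected outright; that is what keeps the two networks independent while a single ISE node authorizes both.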
04-27-2016 01:43 PM
Indeed, just want to add two remarks:
First: the switch communicates to ISE using RADIUS via its management?? interface; that is the only hard requirement to fulfill this requirement.
Second: if you want to use an ISE guest portal to facilitate this requirement, you have to make up your mind again because both the management interface of the switch and Cisco ISE might need connectivity to the guest VLAN.
04-27-2016 02:09 AM
Just to clarify - the Internet VLAN will be defined on the same switches as the main network.