Beginner

ISE Server - multiple networks query

Hi guys

We are planning to deploy a Cisco ISE server to manage NAC for 300 users (Windows, WYSE, Avaya phones and HP printers). DHCP is running on the DC and the ISE interface has Layer 2 visibility of the whole network segment it's managing.

We have just received an additional requirement for a dedicated/completely segregated switch VLAN which provides unrestricted Internet access. It would be connected to a third-party Internet-facing router allowing connections directly on to the Internet. Effectively, it's a completely segregated network of a single VLAN and Internet access.

Would it be possible to manage port-security for this VLAN from the ISE server? If so, would the ISE server need an additional NIC configured in the subnet of the Internet VLAN?

Basically, I'm wondering if a single ISE server can be used to manage 2 completely independent networks. The Internet network would not use AD authentication and access would have to be granted manually on a case-by-case basis.

Many thanks

M

3 REPLIES (2 accepted solutions)
Beginner

Just to clarify - the Internet VLAN will be defined on the same switches as the main network.

Rising star

Just to clarify, ISE does NOT need to be Layer 2 adjacent to the clients to work. Only when using specific profiling probes is this ever useful. It has no use when doing MAC address validation or 802.1x.

As for your question, yes, ISE can manage validating, say, MAC addresses that need access to your "Internet" VLAN and your internal VLAN at the same time. However, it's not done with the switch "port-security" feature, but rather by entering the MAC addresses that need access in your ISE server and then using the "group" you put them in in ISE as a condition when authorizing access in ISE.

Beginner

Indeed, just want to add two remarks:

The switch communicates to ISE using RADIUS via its management?? interface; that is the only hard requirement to fulfil this requirement.

Second: if you want to use an ISE guest portal to facilitate this requirement you have to make up your mind again, because both the management interface of the switch and Cisco ISE might need connectivity to the guest VLAN.

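Putting the two replies together in switch terms, here is an added example of an IOS access-switch configuration (not posted in this thread and not Cisco's own sample): MAB plus 802.1X on the access ports, with RADIUS sourced from the switch's management SVI so that ISE needs no interface in the Internet VLAN. The ISE address, shared secret, interface names and VLAN IDs (10 for management, 100 for the internal network, 200 for the Internet-only network) are placeholders I chose.

```cisco
! Added example: IOS access switch that authenticates ports against ISE.
! Addresses, VLAN IDs, interface names and the shared secret are placeholders.
aaa new-model
!
radius server ISE-PSN
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <shared-secret-placeholder>
!
aaa group server radius ISE
 server name ISE-PSN
!
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting dot1x default start-stop group ISE
!
! RADIUS leaves the switch via the management SVI (VLAN 10 here).
! The Internet VLAN itself carries no traffic to ISE.
ip radius source-interface Vlan10
!
dot1x system-auth-control
!
! Access port in the segregated Internet VLAN. MAB is tried first because these
! devices have no supplicant; ISE decides from the MAC in Calling-Station-Id.
interface GigabitEthernet1/0/24
 description Internet-only VLAN, authorised by MAC address held in ISE
 switchport mode access
 switchport access vlan 200
 authentication port-control auto
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication host-mode single-host
 mab
 dot1x pae authenticator
 spanning-tree portfast
!
! Internal, AD-authenticated port on the same switch, shown for comparison:
! 802.1X first, MAB as the fallback for phones and printers.
interface GigabitEthernet1/0/1
 description Internal VLAN, 802.1X against AD via ISE
 switchport mode access
 switchport access vlan 100
 authentication port-control auto
 authentication order dot1x mab
 authentication priority dot1x mab
 mab
 dot1x pae authenticator
 spanning-tree portfast
```

On the ISE side (configured in the admin GUI, not on the switch), the MAB Access-Request carries the client MAC in Calling-Station-Id; an authorization rule whose condition is membership of the Endpoint Identity Group you populated by hand returns Access-Accept for a known MAC and the default rule rejects everything else, which is the "group as a condition" approach the first reply describes. Because ISE only ever sees RADIUS from the switch's management address, no second NIC in the Internet VLAN is required; the exception the second reply raises is the guest portal, whose redirect needs the guest VLAN to reach ISE.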