1047 Views | 5 Helpful | 6 Replies

ISE virtual appliance ETH1

adamgibs7
Level 6

Dears,

I have installed ISE 2.2 on a UCS chassis and Fabric Interconnect and it is working fine. The setup was done with one ETH0 and everything flows over this interface. Now we are planning to use OOB management for all the devices (switches, routers, UCS, ASA ...), and my plan is to authenticate these OOB network devices with TACACS traffic on ISE. For that reason I need to add an ETH1 interface on the ISE virtual appliance so that it can authenticate and authorize the users' SSH traffic to the switches, routers and ASA.

I don't know how I can do that, or whether it is possible, because with ISE I am using DOT1x, posture, profiling, BYOD and AnyConnect VPN authentication, and all of these are reachable via the "ip source radius-interface Vlan X" command on the NAD, which is on the INBAND network. If I set up OOB, how will reachability work, how will the NAD be added in ISE with 2 IP addresses, and how can I add an additional NIC (ETH1) on the virtual appliance?

All the above queries are killing me while trying to set up ISE in the OOB management network.


thanks

6 Replies

Arne Bier
VIP

You have to shut the VM down cleanly (application stop ise, followed by halt) and then add another VMXNET3 network interface in the correct VLAN/Port Group (I assume you're using VMware?). When you boot the ISE VM again the OS will detect the second interface and you'll see a gig1 interface in your show run. You then configure IPv4 or IPv6 and that will cause an application restart.

NB: Your ISE node SSH/web access is always via Eth0 (this is a firewall rule on ISE that you cannot change).


With gig1 up and running, the RADIUS and TACACS+ services will run on all interfaces (you can't be selective about that).


You can be selective about which interface to run your Guest/BYOD portals on, though (e.g. only on gig1).


Thanks for the reply.

So on the switches I will have 2 source interfaces: for RADIUS I will have the inband VLAN interface, and for TACACS I will have the OOB MGMT interface. But on ISE, when adding the NAD devices, I should add the INBAND interface rather than the out-of-band one, because I don't have an option of adding multiple interfaces??? Please correct me if I'm wrong.


So the TACACS traffic will flow as follows:

  1. The user SSHes to the switch MGMT interface (OOB) from the MGMT PC (OOB).
  2. The user enters his username and password and the switch tries to authenticate against ISE. But when the NAD sends the authentication traffic from the MGMT interface (set with the "ip tacacs source-interface" command) and it reaches ISE, ISE will drop the packet because ISE doesn't have a NAD with that MGMT interface address in its device list.

Please correct me if I'm wrong and give me suggestions.


thanks


I have it on good authority that if RADIUS and TACACS are enabled on a multi-interface PSN, then the PSN will listen on UDP/1812 & 1813 and TCP/49 on ALL interfaces. So you just make sure the traffic routes to the correct ISE interface, and then also ensure that you have a 2nd default gateway on that PSN. Yes - you heard right - a 2nd default gateway. It's how this thing works. If the packet arrives on gig1 and needs to route to an "unknown" network, then ISE is smart enough to know that the packet came in on gig1, and therefore it uses the default gateway associated with gig1.

So the ISE default gateway for gig0 looks like this (e.g. gig0 is 10.0.0.1/24)

ip default-gateway 10.0.0.254


and the ISE default gateway for gig1 looks slightly different in syntax, but achieves the same thing (e.g. gig1 is 172.16.0.1/24):

ip route 0.0.0.0 0.0.0.0 gateway 172.16.0.254
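The per-interface default gateway behaviour described in the reply above, as an added simulation (not Cisco's code and not from this thread): a reply to a request that arrived on gig1 is sent to gig1's gateway rather than the global one on gig0. Interface addresses and gateways are the sample values from the post; the static route and the remote client addresses are constructed.

```python
"""Model of next-hop selection on a multi-interface ISE PSN.

Added example (not Cisco's or the thread's code). gig0/gig1 addresses and
gateways are the post's sample values; the static route and client
addresses are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_interface, ip_network


@dataclass(frozen=True)
class Interface:
    name: str
    address: str          # e.g. "10.0.0.1/24"
    default_gateway: str  # "ip default-gateway" (gig0) / "ip route 0.0.0.0 0.0.0.0 gateway" (gig1)


# gig0 in-band, gig1 OOB management; addresses as in the post.
INTERFACES = {
    "gig0": Interface("gig0", "10.0.0.1/24", "10.0.0.254"),
    "gig1": Interface("gig1", "172.16.0.1/24", "172.16.0.254"),
}

# Constructed static route for the in-band switch subnets (assumed "ip route 172.24.0.0 255.255.0.0 gateway 10.0.0.254").
STATIC_ROUTES = [(ip_network("172.24.0.0/16"), "10.0.0.254")]


def _egress_for(gateway):
    """The interface whose connected subnet contains the gateway address."""
    gw = ip_address(gateway)
    for intf in INTERFACES.values():
        if gw in ip_interface(intf.address).network:
            return intf.name
    raise ValueError(f"gateway {gateway} is not on any connected subnet")


def next_hop(dst_ip, ingress, per_interface_default=True):
    """Return (egress_interface, gateway) for a reply to dst_ip.

    ingress is the interface the original request arrived on. With
    per_interface_default=False the PSN behaves like a host with one global
    default gateway, which is why the second default gateway is needed.
    """
    dst = ip_address(dst_ip)
    # 1. Directly connected subnet: deliver without a gateway.
    for intf in INTERFACES.values():
        if dst in ip_interface(intf.address).network:
            return (intf.name, None)
    # 2. Longest-prefix static route.
    best = None
    for prefix, gw in STATIC_ROUTES:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, gw)
    if best is not None:
        return (_egress_for(best[1]), best[1])
    # 3. Default: the gateway tied to the ingress interface (ISE behaviour),
    #    or the single global gateway on gig0 if ingress is ignored.
    intf = INTERFACES[ingress] if per_interface_default else INTERFACES["gig0"]
    return (intf.name, intf.default_gateway)


if __name__ == "__main__":
    # TACACS+ request from OOB management client 192.168.1.1 arriving on gig1.
    print(next_hop("192.168.1.1", "gig1"))                               # ('gig1', '172.16.0.254')
    print(next_hop("192.168.1.1", "gig1", per_interface_default=False))  # ('gig0', '10.0.0.254'): reply leaves in-band
    print(next_hop("172.24.1.1", "gig1"))                                # ('gig0', '10.0.0.254') via the static route
```

The second call shows the trap: without the gig1 default route the reply to an OOB client would leave via gig0 towards the in-band gateway, so the TACACS+ session would never complete even though the request itself was received.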

Dear Arne,

What I was mentioning in my previous post was about the unknown NAD. Let me elaborate more: the switches are added in ISE by an inband IP address 172.24.1.1, and the TACACS authentication request will come from the MGMT interface 192.168.1.1. When ISE receives the authentication request from IP address 192.168.1.1, i.e. the MGMT interface, then usually ISE will drop the request and display an "Unknown NAD" log.

Please check the below link, which describes the unknown NAD case.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/admin_guide/b_ise_admin_guide_20/b_ise_admin_guide_20_chapter_011000.html

Please correct me if I'm wrong.

Regards


You should be using the NAD's loopback interface as the source of all your management traffic. Loopbacks are designed for stuff like this. This means that no matter which outgoing interface is used for the RADIUS/TACACS/SNMP traffic, the source IP address of the loopback interface is used, and NOT the source IP of the outgoing NAD interface.

Then you can have one Network Device definition in ISE using the loopback IP address.

In other, more complex cases some customers need to SNAT (Source NAT) their traffic to normalise the source IP address. E.g. imagine thousands of switches from thousands of subnets, all source NAT'd to one IP address. The end result is 1 NAD definition in ISE. This only works in cases where you don't need to initiate traffic from ISE to those thousands of devices (e.g. CoA).

If your NAD doesn't support loopback interfaces, then you could try adding the NAD twice (once with each unique IP address).
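The "Unknown NAD" problem raised earlier in the thread and the three remedies in the reply above (loopback source, adding the NAD twice, SNAT), as an added simulation that is not ISE or IOS code: it models ISE's network-device lookup by request source IP (exact addresses or CIDR ranges, both of which ISE accepts) and the switch-side choice of source interface per protocol. The in-band address 172.24.1.1 and OOB address 192.168.1.1 are from the thread; the loopback 10.255.0.1, the SNAT address 10.9.9.9 and the device names are constructed.

```python
"""Why ISE logs "Unknown NAD", and how a loopback source (or SNAT) avoids it.

Added example, not ISE or IOS code. 172.24.1.1 / 192.168.1.1 are the
thread's addresses; loopback 10.255.0.1, SNAT address 10.9.9.9 and the
device names are constructed.
"""
from ipaddress import ip_address, ip_network


def find_nad(source_ip, nads):
    """Name of the NAD whose most specific entry contains source_ip, or None."""
    src = ip_address(source_ip)
    best = None  # (name, prefixlen)
    for name, entries in nads.items():
        for entry in entries:
            net = ip_network(entry, strict=False)
            if src in net and (best is None or net.prefixlen > best[1]):
                best = (name, net.prefixlen)
    return best[0] if best else None


def aaa_source_ip(switch, protocol, snat=None):
    """Source IP the NAD stamps on its AAA packets.

    switch: {"interfaces": {ifname: ip}, "source": {"radius": ifname, "tacacs": ifname}}
    snat:   optional {original_source: translated_source}, a NAT device on the path.
    """
    src = switch["interfaces"][switch["source"][protocol]]
    return snat.get(src, src) if snat else src


def handle_request(source_ip, nads):
    """Outcome as ISE would log it: ('ACCEPT', nad_name) or ('DROP', 'Unknown NAD')."""
    name = find_nad(source_ip, nads)
    return ("ACCEPT", name) if name else ("DROP", "Unknown NAD")


# Constructed switch: in-band SVI, OOB management port, loopback.
SWITCH = {
    "interfaces": {"Vlan100": "172.24.1.1", "Mgmt0": "192.168.1.1", "Loopback0": "10.255.0.1"},
    "source": {"radius": "Vlan100", "tacacs": "Mgmt0"},  # ip radius / ip tacacs source-interface
}

# Scenario 1 (the thread's problem): NAD defined only by its in-band address.
NADS_INBAND_ONLY = {"core-sw1": ["172.24.1.1/32"]}

# Scenario 2 (loopback): all AAA traffic sourced from Loopback0, NAD defined by it.
NADS_LOOPBACK = {"core-sw1": ["10.255.0.1/32"]}

# Scenario 3 (no loopback support): the device added twice, once per address.
NADS_TWICE = {"core-sw1-inband": ["172.24.1.1/32"], "core-sw1-oob": ["192.168.1.1/32"]}

# Scenario 4 (SNAT): every switch translated to one address, one NAD entry in ISE.
NADS_SNAT = {"all-switches": ["10.9.9.9/32"]}
SNAT_TABLE = {"172.24.1.1": "10.9.9.9", "192.168.1.1": "10.9.9.9"}


def scenario(nads, sources=None, snat=None):
    """Run a RADIUS and a TACACS+ request from SWITCH against a NAD table."""
    sw = dict(SWITCH, source=dict(SWITCH["source"], **(sources or {})))
    return {
        "radius": handle_request(aaa_source_ip(sw, "radius", snat), nads),
        "tacacs": handle_request(aaa_source_ip(sw, "tacacs", snat), nads),
    }


if __name__ == "__main__":
    print(scenario(NADS_INBAND_ONLY))   # tacacs -> ('DROP', 'Unknown NAD')
    print(scenario(NADS_LOOPBACK, sources={"radius": "Loopback0", "tacacs": "Loopback0"}))
    print(scenario(NADS_TWICE))
    print(scenario(NADS_SNAT, snat=SNAT_TABLE))
```

Note that the loopback scenario only works when every AAA protocol is sourced from Loopback0; leaving RADIUS on the in-band SVI while the NAD entry carries the loopback address just moves the Unknown NAD drop from TACACS+ to RADIUS.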

Thanks Arne


+5 to you, I will execute one of the solutions and reply to the post.


thanks