Showing results for 
Search instead for 
Did you mean: 

ISE with Multiple Interfaces



I have a requirement to deploy an ISE appliance into a customer environment where the management network is separate from the data network.

I understand that GEth0 is dedicated for management access to ISE so, I can assign an IP address to this interface form the management network.

What I don't understand is how I configure Geth1 for authentication traffic such as radius requests.

After I have assigned an IP address to GEth1 from the data facing network how do I tell ISE to use this interface for authentication requests?

Unless I have missed something this does not seem to be documented.



1 Accepted Solution

Accepted Solutions

Rising star
Rising star

There is configuration on the network devices that defines the IP address to use for AAA. Configure devices to send authentication traffic to GEth1 on ISE

View solution in original post

11 Replies 11

Rising star
Rising star

There is configuration on the network devices that defines the IP address to use for AAA. Configure devices to send authentication traffic to GEth1 on ISE



Based on the three bullet points under the Cisco ISE Infrastructure heading (see link below), ISE listens for RADIUS request on all NIC's so no additional configuration is needed.  My guess on how to read the chart is that if the service is listed across both columns then the service is active on all NIC;'s.    I have not used different NIC's for Admin and RADIUS but have used other NIC's for guest portals.


Hi Chatataridge

Have u used Different NIC for Wired Portal traffic or Wireless? If yes, can you please share steps u did to do so. I want to use different NIC (ex: NIC3) for Wired CWA(Guest traffic). 

NIC1 + NIC2 Bundle for high availability for Management Traffic, 

NIC3 + NIC4 Bundle for High availability for CWA VLAN traffic to Internet. This for Guest

NIC5 + NIC6 Bundle for High Availability for RADIUS Internal Access for Endpoints. 


Any suggestions!?


Thank you,


Hi @laurathaqi ,

 first of all:

ISE Management is restricted to Gigabit Ethernet 0 (Eth0)

. Eth0, Eth2 and Eth4 must be assigned an IPv4 (or IPv6) address.

. Eth1, Eth3 and Eth5 must not be assigned an IP address.

RADIUS listens on all NICs



. configure Bond0 (Eth0+Eth1) for ISE Management.

ise/admin(config)# interface GigabitEthernet 0 
ise/admin(config-GigabitEthernet)# backup interface GigabitEthernet 1

. configure the Guest Portals to point to Bond1 (Eth2+Eth3)

In Work Centers > Guest Access > Portal & Components > Guest Portal ... select Portal Settings > choose Bond1.

. configure the NADs to send the RADIUS packets to Bond2 (Eth4+Eth5)


Hope this helps !!!



This is the information I have been after, so many many thanks. 




Jonathan Schultz

When attempting to use a separate interface for management (behind a FW), how does one manipulate routing as the mgmt interface does not have its own VRF to my knowledge.

So you do mean gig0 on ISE?  Or the CIMC port on appliance?  The CIMC interface its completely out of band and has its own routing table.  All other ISE interfaces share the same routing table and you manipulate routing using static routes.

Basic routing. Management (Gig0) used for mgmt. access (own routing table). Gig1 used for policy enforcement. (Radius, Tacacs, 802.1x, portal, etc)

That’s not how ISE works, all interfaces will respond to RADIUS/TACACS+ (unless controlled by upstream firewall or ACL). Gig0 isn’t a dedicated management port. What is your use-case for this?

Not give my end users, specifically Sponsored Guests access to the Mgmt plane

There isn't a concept of a "management plane" in ISE.  Sponsor Groups would cover your need for RBAC of certain guest types.  If I am understanding your requirement.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers