08-06-2017 02:14 PM - edited 03-11-2019 12:55 AM
Hi,
I have a requirement to deploy an ISE appliance into a customer environment where the management network is separate from the data network.
I understand that GEth0 is dedicated for management access to ISE, so I can assign an IP address to this interface from the management network.
What I don't understand is how I configure GEth1 for authentication traffic such as RADIUS requests.
After I have assigned an IP address to GEth1 from the data facing network how do I tell ISE to use this interface for authentication requests?
Unless I have missed something this does not seem to be documented.
Thanks
Scott
08-06-2017 03:52 PM
There is configuration on the network devices that defines the IP address to use for AAA. Configure devices to send authentication traffic to GEth1 on ISE
08-07-2017 08:50 AM
Scott,
Based on the three bullet points under the Cisco ISE Infrastructure heading (see link below), ISE listens for RADIUS requests on all NICs, so no additional configuration is needed. My guess on how to read the chart is that if the service is listed across both columns then the service is active on all NICs. I have not used different NICs for Admin and RADIUS but have used other NICs for guest portals.
https://www.cisco.com/c/en/us/td/docs/security/ise/2-1/install_guide/b_ise_InstallationGuide21/b_ise_InstallationGuide21_appendix_0110.html
Len
01-19-2021 02:46 AM
Hi Chatataridge,
Have you used a different NIC for wired portal traffic or wireless? If yes, can you please share the steps you did to do so. I want to use a different NIC (ex: NIC3) for wired CWA (guest traffic).
NIC1 + NIC2 bundle for high availability for management traffic,
NIC3 + NIC4 bundle for high availability for CWA VLAN traffic to the Internet. This is for guest.
NIC5 + NIC6 bundle for high availability for RADIUS internal access for endpoints.
Any suggestions!?
Thank you,
L
01-23-2021 11:47 AM
Hi @laurathaqi ,
first of all:
. ISE Management is restricted to Gigabit Ethernet 0 (Eth0)
. Eth0, Eth2 and Eth4 must be assigned an IPv4 (or IPv6) address.
. Eth1, Eth3 and Eth5 must not be assigned an IP address.
. RADIUS listens on all NICs
Second:
. configure Bond0 (Eth0+Eth1) for ISE Management.
ise/admin(config)# interface GigabitEthernet 0
ise/admin(config-GigabitEthernet)# backup interface GigabitEthernet 1
. configure the Guest Portals to point to Bond1 (Eth2+Eth3)
In Work Centers > Guest Access > Portal & Components > Guest Portal ... select Portal Settings > choose Bond1.
. configure the NADs to send the RADIUS packets to Bond2 (Eth4+Eth5)
Hope this helps!!!
01-23-2021 12:51 PM
Hi,
This is the information I have been after, so many many thanks.
Best,
Laura
10-12-2022 10:55 AM
When attempting to use a separate interface for management (behind a FW), how does one manipulate routing as the mgmt interface does not have its own VRF to my knowledge.
10-12-2022 12:15 PM
So you do mean gig0 on ISE? Or the CIMC port on the appliance? The CIMC interface is completely out of band and has its own routing table. All other ISE interfaces share the same routing table, and you manipulate routing using static routes.
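The two answers above leave the operator with a design check to do by hand: the bond/role layout (management on Bond0, guest portal on Bond1, NADs pointed at Bond2) and the fact that every non-CIMC interface shares one routing table, so replies to a RADIUS client can leave through the management interface unless a static route says otherwise. The script below is an added example written for this thread, not Cisco's or ISE's own tooling; the bond model, the `role` labels, the sample addresses and the NAD list are all constructed assumptions. It applies the interface rules from the earlier answer, then does a longest-prefix-match lookup over the connected subnets plus static routes to show which bond ISE would answer each NAD from, flagging any NAD whose return path would fall onto the management bond.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical model of an ISE node's bonded interfaces and static routes
# (assumption for this example; ISE does not expose this structure).

@dataclass
class Bond:
    name: str          # e.g. "bond0"
    members: tuple     # physical member NICs, primary first, e.g. ("eth0", "eth1")
    address: str       # IPv4 address of the primary member in CIDR form
    role: str          # "management", "guest" or "radius"

@dataclass
class StaticRoute:
    prefix: str        # destination network in CIDR form
    gateway: str       # next hop; must sit on one of the connected subnets

def validate_bonds(bonds):
    """Findings for the interface rules stated in the thread: management is
    restricted to eth0, each bond pairs exactly two NICs, and the backup member
    carries no address of its own (only the primary has one), roles are unique."""
    findings, roles = [], {}
    for b in bonds:
        if b.role == "management" and b.members[0] != "eth0":
            findings.append(f"{b.name}: management must be on eth0, not {b.members[0]}")
        if len(b.members) != 2:
            findings.append(f"{b.name}: expected a primary and one backup NIC")
        if b.role in roles:
            findings.append(f"{b.name}: role {b.role} already used by {roles[b.role]}")
        roles[b.role] = b.name
    return findings

def build_table(bonds, static_routes):
    """Flatten connected networks and static routes into (network, egress bond)
    entries; a static route exits via the bond whose subnet holds its gateway."""
    table = [(ipaddress.ip_interface(b.address).network, b.name) for b in bonds]
    for r in static_routes:
        gw = ipaddress.ip_address(r.gateway)
        egress = next((b.name for b in bonds
                       if gw in ipaddress.ip_interface(b.address).network), None)
        if egress is None:
            raise ValueError(f"gateway {r.gateway} is not on a connected subnet")
        table.append((ipaddress.ip_network(r.prefix), egress))
    return table

def egress_for(table, dst):
    """Longest-prefix match: the single shared routing table decides which bond
    ISE sources its reply from, regardless of which bond the request hit."""
    dst, best = ipaddress.ip_address(dst), None
    for net, egress in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, egress)
    return best[1] if best else None

def check_radius_paths(bonds, static_routes, nad_addresses):
    """Map each NAD whose replies would NOT leave via the RADIUS bond to the bond
    they would actually use (typically bond0, i.e. through the management firewall)."""
    radius_bond = next(b.name for b in bonds if b.role == "radius")
    table = build_table(bonds, static_routes)
    result = {}
    for nad in nad_addresses:
        egress = egress_for(table, nad)
        if egress != radius_bond:
            result[nad] = egress
    return result

# Constructed sample deployment (documentation address ranges, not a real site).
BONDS = [
    Bond("bond0", ("eth0", "eth1"), "192.0.2.10/24", "management"),
    Bond("bond1", ("eth2", "eth3"), "198.51.100.10/24", "guest"),
    Bond("bond2", ("eth4", "eth5"), "10.10.0.10/24", "radius"),
]
DEFAULT_ROUTE = StaticRoute("0.0.0.0/0", "192.0.2.1")      # default gateway on the mgmt side
DATA_ROUTE = StaticRoute("10.20.0.0/16", "10.10.0.1")      # the fix: campus NADs via bond2
NADS = ["10.10.0.50", "10.20.5.1"]  # one switch on bond2's subnet, one a hop beyond it

if __name__ == "__main__":
    print("interface findings:", validate_bonds(BONDS) or "none")
    print("default route only:", check_radius_paths(BONDS, [DEFAULT_ROUTE], NADS))
    print("with data route:   ", check_radius_paths(BONDS, [DEFAULT_ROUTE, DATA_ROUTE], NADS))
```

With only the default route, the NAD one hop beyond bond2's subnet is reported as answered from bond0, which is exactly the asymmetric path the firewall in front of the management interface will drop; adding the more specific static route toward the NAD subnets clears the finding.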
There isn't a concept of a "management plane" in ISE. Sponsor Groups would cover your need for RBAC of certain guest types, if I am understanding your requirement.