Solved: Re: ISE with Multiple Interfaces

scottbreslin · ‎08-06-2017

Hi,

I have a requirement to deploy an ISE appliance into a customer environment where the management network is separate from the data network.

I understand that GEth0 is dedicated for management access to ISE so, I can assign an IP address to this interface form the management network.

What I don't understand is how I configure Geth1 for authentication traffic such as radius requests.

After I have assigned an IP address to GEth1 from the data facing network how do I tell ISE to use this interface for authentication requests?

Unless I have missed something this does not seem to be documented.

Thanks

Scott

jrabinow · ‎08-06-2017

There is configuration on the network devices that defines the IP address to use for AAA. Configure devices to send authentication traffic to GEth1 on ISE

View solution in original post

jrabinow · ‎08-06-2017

There is configuration on the network devices that defines the IP address to use for AAA. Configure devices to send authentication traffic to GEth1 on ISE

chatataridge · ‎08-07-2017

Scott,

Based on the three bullet points under the Cisco ISE Infrastructure heading (see link below), ISE listens for RADIUS request on all NIC's so no additional configuration is needed. My guess on how to read the chart is that if the service is listed across both columns then the service is active on all NIC;'s. I have not used different NIC's for Admin and RADIUS but have used other NIC's for guest portals.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-1/install_guide/b_ise_InstallationGuide21/b_ise_InstallationGuide21_appendix_0110.html

Len

laurathaqi · ‎01-19-2021

Hi Chatataridge,

Have u used Different NIC for Wired Portal traffic or Wireless? If yes, can you please share steps u did to do so. I want to use different NIC (ex: NIC3) for Wired CWA(Guest traffic).

NIC1 + NIC2 Bundle for high availability for Management Traffic,

NIC3 + NIC4 Bundle for High availability for CWA VLAN traffic to Internet. This for Guest

NIC5 + NIC6 Bundle for High Availability for RADIUS Internal Access for Endpoints.

Any suggestions!?

Thank you,

L

Marcelo Morais · ‎01-23-2021

Hi @laurathaqi ,

first of all:

. ISE Management is restricted to Gigabit Ethernet 0 (Eth0)

. Eth0, Eth2 and Eth4 must be assigned an IPv4 (or IPv6) address.

. Eth1, Eth3 and Eth5 must not be assigned an IP address.

. RADIUS listens on all NICs

Second:

. configure Bond0 (Eth0+Eth1) for ISE Management.

ise/admin(config)# interface GigabitEthernet 0 
ise/admin(config-GigabitEthernet)# backup interface GigabitEthernet 1

. configure the Guest Portals to point to Bond1 (Eth2+Eth3)

In Work Centers > Guest Access > Portal & Components > Guest Portal ... select Portal Settings > choose Bond1.

. configure the NADs to send the RADIUS packets to Bond2 (Eth4+Eth5)

Hope this helps !!!

laurathaqi · ‎01-23-2021

Hi,

This is the information I have been after, so many many thanks.

Best,

Laura

Jonathan Schultz · ‎10-12-2022

When attempting to use a separate interface for management (behind a FW), how does one manipulate routing as the mgmt interface does not have its own VRF to my knowledge.

ahollifield · ‎10-12-2022

So you do mean gig0 on ISE? Or the CIMC port on appliance? The CIMC interface its completely out of band and has its own routing table. All other ISE interfaces share the same routing table and you manipulate routing using static routes.

Jonathan Schultz · ‎10-12-2022

Basic routing. Management (Gig0) used for mgmt. access (own routing table). Gig1 used for policy enforcement. (Radius, Tacacs, 802.1x, portal, etc)

ahollifield · ‎10-12-2022

That’s not how ISE works, all interfaces will respond to RADIUS/TACACS+ (unless controlled by upstream firewall or ACL). Gig0 isn’t a dedicated management port. What is your use-case for this?

Jonathan Schultz · ‎10-12-2022

Not give my end users, specifically Sponsored Guests access to the Mgmt plane

ahollifield · ‎10-13-2022

There isn't a concept of a "management plane" in ISE. Sponsor Groups would cover your need for RBAC of certain guest types. If I am understanding your requirement.