07-26-2019 02:17 AM
Hi,
I have tried to use multi-interface for ISE Posture as below
G0 - admin
G1 - radius and posture
I found that when the AnyConnect agent reaches the redirect URL https://G1_ip:8443/xxxxx, the firewall log shows a reset from the server side. Does anyone have experience deploying multi-interface posture, and are there any limitations on it?
Thanks,
Alan
07-26-2019 05:20 AM
07-27-2019 04:48 PM
07-29-2019 11:12 AM
Hslai,
If you are referring to the configuration example from Re: ISE CWA Using Non-Management Interface, I did that before on the guest portal; however, it requires 1 policy per PSN. Currently I have more than 5 PSNs, so I will try it as a last resort.
With the ip host ipv4-address host-alias command, can ISE update the redirect URL from ise1.abc.com to ise-p.abc.com under the configuration below?
configure:
hostname ise1
domain-name abc.com
interface GigabitEthernet 0
  ip address 1.1.1.1 255.255.255.0
!
interface GigabitEthernet 1
  ip address 2.2.2.2 255.255.255.0
!
ip host 2.2.2.2 ise1-p
Alan
07-29-2019 10:52 AM - edited 07-29-2019 10:53 AM
Let me give more information on it. Currently it is running on ISE 2.1, and I am told to separate 2 interfaces, one for admin and one for RADIUS and posture.
First, I use the ip host command to hard-code all FQDNs on the ISE nodes to keep the replication, then I update the DNS record from the G0 IP address to the G1 IP address, so all posture redirect URLs will point to the G1 interface.
After the configuration, all the RADIUS authentication is working and only posture fails; according to the firewall log, it is reset by the ISE server.
Around 15 minutes later, I found all endpoints under context visibility are lost and the real-time log also shows nothing. I tried to reboot all ISE servers and do a full sync, however nothing helped. So I have no option other than to fall back.
Maybe I will do a deeper test after upgrading to ISE 2.4.