Multi-interface ISE Posture

apocalypse_nsl
Level 1

Hi,

 

I have tried to use multi-interface for ISE Posture as below:

 

G0 - admin

G1 - radius and posture

 

I found that when the AnyConnect agent reaches the redirect URL https://G1_ip:8443/xxxxx, the firewall log shows a reset from the server side. Does anyone have experience deploying multi-interface posture before, and are there any limitations on it?

 

Thanks,

Alan

4 Replies

Mike.Cifelli
VIP Alumni
Have you tried to assign a static route for your interesting traffic that needs to be postured? Essentially point the route for your network to use that G1 gateway.

Hslai,

 

If you are referring to the configuration example from "Re: ISE CWA Using Non-Management Interface", I have done it before on a guest portal; however, it requires 1 policy per PSN. Currently I have more than 5 PSNs; I will try it as a last resort.

 

With the ip host ipv4-address host-alias command, can ISE update the redirect URL from ise1.abc.com to ise-p.abc.com under the configuration below?

 

configure:

hostname ise1
domain-name abc.com
interface GigabitEthernet 0
 ip address 1.1.1.1 255.255.255.0
!
interface GigabitEthernet 1
 ip address 2.2.2.2 255.255.255.0
!
ip host 2.2.2.2 ise1-p

 

Alan

apocalypse_nsl
Level 1

Let me give more information on it. It is currently running on ISE 2.1, and I am told to separate 2 interfaces into admin and RADIUS and posture.

 

First, I use the ip host command to hard-code all FQDNs on the ISE node to keep the replication; then I update the DNS record from the G0 IP address to the G1 IP address, so all posture redirect URLs will point to the G1 interface.

 

After the configuration, all RADIUS authentication is working and only posture fails; according to the firewall log, it is reset by the ISE server.

 

Around 15 minutes later, I found that all endpoints under Context Visibility were lost and the real-time log also showed nothing. I tried rebooting all ISE servers and doing a full sync; however, nothing helped. So I had no option other than to fall back.

 

Maybe I will do a deep test after upgrading to ISE 2.4.