Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
928
Views
2
Helpful
6
Replies

Multiple interfaces on ISE for Radius/Guest portal

Go to solution
pontusd
Level 1
Level 1

‎05-25-2023 08:00 AM

Hi,
I have eth0 configured for Radius and eth1 configured for Guest Portal access. The defualt gateway is configured for the same subnet as eth0. Eth1 is configured with and IP in the Guest subnet and I have configured an ip route for this subnet. 
My problem is that I cant ping IP of eth1 from an Guest device (on the same subnet) but its no problem to ping from ISE to the same laptop. Does ISE block traffic on eth1 per default?

0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP
In response to pontusd

‎05-25-2023 09:27 AM

A bug search reveals this - CSCvz93230  Guest portal does not load if hosted on a different interface from Gig0 but it's apparently resolved in 2.7 p7 and related to accessing the portal, nothing mentioned about no ping response.

Perhaps log a call with TAC.

View solution in original post

Go to solution
Nancy Saini
Cisco Employee
Cisco Employee

‎05-25-2023 10:24 AM

Please check below pointer on ISE:

  • Are you able to reach the default gateway of eth1 from ISE?
  • "show interface" output from ISE. Check the status of eth1 and also check if RX and TX counters are increasing when pings fail.
  • While pinging eth1 from a PC, take pcap on the problematic PSN on eth1.

This should give some idea.

View solution in original post

6 Replies 6

Go to solution
Rob Ingram
VIP
VIP

‎05-25-2023 08:16 AM - edited ‎05-25-2023 08:23 AM

@pontusd from ISE CLI create default route via the gateway the eth1 interface is connected to using the ip route command, Guest portal traffic will be routed via this next hop. RADIUS/Mgmt traffic will be routed via the eth0 default gateway IP address.

https://www.cisco.com/c/en/us/td/docs/security/ise/3-0/admin_guide/b_ISE_admin_3_0/b_ISE_admin_30_basic_setup.html?bookSearch=true

https://www.cisco.com/c/en/us/td/docs/security/ise/3-3/cli_guide/b_ise_CLI_Reference_Guide_33/b_ise_CLIReferenceGuide_33_chapter_011.html#wp3952387991

 

 

0 Helpful

Go to solution
pontusd
Level 1
Level 1
In response to Rob Ingram

‎05-25-2023 08:27 AM

As I wrote in my text. I have already configured an ip route for the guest subnet with the gateway of eth1.
Still not working

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to pontusd

‎05-25-2023 08:57 AM

Sorry, quite right I misread that. Last time I setup guest on a different interface, there were no settings on ISE restricting this communication. What ISE version and patch are you running?

0 Helpful

Go to solution
pontusd
Level 1
Level 1
In response to Rob Ingram

‎05-25-2023 09:18 AM

ISE 2.7 Patch 9

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to pontusd

‎05-25-2023 09:27 AM

A bug search reveals this - CSCvz93230  Guest portal does not load if hosted on a different interface from Gig0 but it's apparently resolved in 2.7 p7 and related to accessing the portal, nothing mentioned about no ping response.

Perhaps log a call with TAC.

Go to solution
Nancy Saini
Cisco Employee
Cisco Employee

‎05-25-2023 10:24 AM

Please check below pointer on ISE:

  • Are you able to reach the default gateway of eth1 from ISE?
  • "show interface" output from ISE. Check the status of eth1 and also check if RX and TX counters are increasing when pings fail.
  • While pinging eth1 from a PC, take pcap on the problematic PSN on eth1.

This should give some idea.

Customers Also Viewed These Support Documents