PSN's in the DMZ deployment guide

Madura Malwatte
Level 4

Are there any deployment or how-to guides for configuring PSNs in the DMZ? In particular the setup where PSNs are located in both the internal and DMZ domains, syncing back to a PAN and MnT in the internal domain.

If I'm only using the DMZ PSNs for guest wifi, then really I would only require the guest anchor WLCs to have their RADIUS configured to point to the DMZ PSNs, right?

What about AD? There should be no reason either to have the DMZ PSNs join the AD domain like the internal PSNs?

What about certs? Would I need to import the internal CA cert into the DMZ PSNs as well as the internal PSNs?

1 Accepted Solution

Accepted Solutions

Surendra
Cisco Employee
For guest, this won't fly as the PSN needs to inform the PAN of the new guest registration and send logs of the authentication to the MnT node.
For AD, you can have a PSN and DC in the DMZ and have them connected.
For certificates, if you have the same PAN node, you do not need to import any additional internal CA certs.

At the end of the day, it all boils down to the communication at the port level between the PSN, the PAN/MnT and other nodes. You can have them anywhere you want but make sure they can talk to each other by hook or crook.

For more details refer https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/install_guide/b_ise_InstallationGuide24/b_ise_InstallationGuide24_chapter_0110.html

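Surendra's answer comes down to port-level reachability from the DMZ PSN to the internal PAN and MnT. Below is an added example, not code from this thread or from Cisco: a small Python probe run from the DMZ side that reports each required flow as ok, blocked or untested. The hostnames are constructed placeholders, and the port numbers are assumptions from memory of the ISE install guide that must be verified against the guide linked in the answer for your ISE version.

```python
import socket
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    """One required path from the DMZ PSN to an internal ISE node."""
    purpose: str
    host: str
    port: int
    proto: str = "tcp"

def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered/timed out, or unresolvable
        return False

def check_flows(flows, timeout: float = 3.0) -> dict:
    """Map 'purpose host:port/proto' to 'ok', 'blocked' or 'untested'.
    UDP (e.g. syslog to MnT) cannot be probed by handshake, so it is
    reported as 'untested' rather than silently passed."""
    results = {}
    for f in flows:
        key = f"{f.purpose} {f.host}:{f.port}/{f.proto}"
        if f.proto != "tcp":
            results[key] = "untested"
        else:
            results[key] = "ok" if tcp_reachable(f.host, f.port, timeout) else "blocked"
    return results

def local_listener():
    """Loopback TCP listener on an ephemeral port, for self-testing the probe."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]

if __name__ == "__main__":
    # Constructed placeholder hostnames. Port numbers are ASSUMED from memory of
    # the ISE install guide; verify them against the guide linked in the answer.
    PAN, MNT = "pan.internal.example", "mnt.internal.example"
    flows = [
        Flow("PAN replication (HTTPS)", PAN, 443),
        Flow("PAN JGroups", PAN, 12001),
        Flow("MnT syslog", MNT, 20514, "udp"),
        Flow("MnT syslog", MNT, 1468),
    ]
    for key, state in check_flows(flows).items():
        print(f"{state:8} {key}")
```

A "blocked" line points at a DMZ firewall rule (or a wrong address) to fix before expecting guest registration or logging to work; "untested" UDP flows still need confirming with a packet capture on the MnT side.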

3 Replies

Hi Surendra,

This part is not clear to me: "For AD, you can have PSN and DC in the DMZ and have them connected. For certificates, if you have the same PAN node, you do not need to import any additional internal CA certs." Can you please explain? At the moment my DMZ PSNs have not joined the AD domain. Is it normal to have the DMZ PSNs join AD just as the internal PSNs would?