Should I point NADs to use IP address of profiler interface or normal interface for RADIUS requests?

Hello,

I was wondering if I should point my Network Access Devices to our ISE PSNs' profiler IP address or the IP address used during the initial ISE setup?  The way I'm building out our ISE deployment is that I have 2 IP addresses assigned to our PSNs.  One address is used for web management as well as TACACS+ and the other is used for the profilers (HTTP, DHCP, etc.).  When I configure RADIUS on the network devices, should I use the address TACACS+ is using, the address I'm using for profiling, or does it even matter?
Thanks!


Surendra (Cisco Employee)

On the PSNs, no matter how many interfaces you configure, all of them will be listening for RADIUS/Portals and TACACS requests. If the question is about profiling data like DHCP etc., you can send to any interface as ISE matches the attributes with the endpoint MAC address, and since all interfaces listen for any traffic that has to do with policy services, the requests will be processed. It doesn't really matter which interface you use.

Hello Surendra,
Got it.  So this brings up another question...since it doesn't matter which address I use for RADIUS requests, I can then use both addresses on my NADs for each PSN as a form of redundancy to that specific node, right?  In other words, if Gi0 on PSN1 goes down, it can still serve RADIUS requests because my NADs also have the address of Gi1 for that same PSN.  Would I be somewhat correct?

That is right, but it is very rare that only one interface of ISE goes down.

Yeah but when you got other admins changing things around in a virtual environment or cabling new devices, things tend to happen and not in a good way.  But it's good to know I can use ISE in this manner.  Thanks so much for your feedback!
Terence

You should be using interface bonding or more than 1 PSN for redundancy and not disparate NICs.
https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/install_guide/b_ise_InstallationGuide22/b_ise_InstallationGuide22_chapter_0101.html

Jason Kunst (Cisco Employee)

Thanks Jason,
My deployment will consist of two PAN/MnT nodes and two PSNs in which the PSNs are doing the profiling.  I am specifying both PSNs for redundancy for our NADs and endpoint devices but also like the idea of using both IP addresses for redundancy to the same PSN.  I'm still in the early stages of the deployment and ISE isn't fully into production; just using it for TACACS & VPN access but no wired or wireless dot1x as of yet.
Thanks for the reference links as well.  I'll check them out.

Adding to what Jason said, the probes are recommended to be limited to 1 specific interface to avoid duplicate probes being received, but it may or may not be the same interface. As far as I know, there is hard and fast rule that the same interface used for authentication should be used for profiling if there are multiple interfaces configured. @jason, please feel free to correct me if I'm wrong.

Regarding NIC bonding, there are two fundamental differences between using NIC bonding and using two separate interfaces for RADIUS.

1. In NIC bonding, you will have only 1 IP address configured and both the NICs will use a single virtual MAC address (bond MAC address) of the active NIC. If you use separate interfaces, you should have different IP addresses and they will have separate MAC addresses.
2. Only one NIC will be active all the time and serving RADIUS requests. If you use separate interfaces, you can have both of them serving RADIUS requests at the same time.

Depending on your requirements and your network design, you can choose which one you would like to implement.
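Added example, not posted by anyone in this thread: a Cisco IOS/IOS-XE NAD configuration that lists both interface addresses of PSN1 and the address of PSN2 in one RADIUS server group, combining the per-node redundancy discussed above with the second PSN Jason recommends, and adds dead-server detection so the switch actually fails over. The server names, IP addresses (documentation ranges), Loopback0 as source interface and the shared-secret placeholder are all constructed; substitute your own.

```cisco-ios
! Added example, not taken from the thread. Addresses are constructed
! documentation-range values; replace <SHARED-SECRET> with your own key.
aaa new-model
!
! PSN1 reachable on two interfaces (Gi0 and Gi1): one server definition
! each. PSN2 provides node-level redundancy on top of that.
radius server ISE-PSN1-GI0
 address ipv4 192.0.2.11 auth-port 1812 acct-port 1813
 key <SHARED-SECRET>
!
radius server ISE-PSN1-GI1
 address ipv4 198.51.100.11 auth-port 1812 acct-port 1813
 key <SHARED-SECRET>
!
radius server ISE-PSN2-GI0
 address ipv4 192.0.2.12 auth-port 1812 acct-port 1813
 key <SHARED-SECRET>
!
! Servers are tried in the order listed; a server marked dead is skipped.
! Loopback0 (assumed) is the source address ISE knows this NAD by, and it
! is the same no matter which PSN interface the request is sent to.
aaa group server radius ISE-RADIUS
 server name ISE-PSN1-GI0
 server name ISE-PSN1-GI1
 server name ISE-PSN2-GI0
 ip radius source-interface Loopback0
!
! Mark a server dead after 3 unanswered requests within 10 seconds and
! keep it out of rotation for 15 minutes, so a failed interface is not
! retried on every single authentication.
radius-server dead-criteria time 10 tries 3
radius-server deadtime 15
!
aaa authentication dot1x default group ISE-RADIUS
aaa authorization network default group ISE-RADIUS
aaa accounting dot1x default start-stop group ISE-RADIUS
!
! Accept CoA from every PSN address the switch talks to.
aaa server radius dynamic-author
 client 192.0.2.11 server-key <SHARED-SECRET>
 client 198.51.100.11 server-key <SHARED-SECRET>
 client 192.0.2.12 server-key <SHARED-SECRET>
```

On the ISE side the switch must be defined as a network device under the address it sources requests from (Loopback0 here); requests arriving from an unknown source are dropped regardless of which PSN interface they target.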