Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2231
Views
0
Helpful
5
Replies

ISE separate interface for guest

de1denta
Level 3
Level 3

‎05-20-2018 02:22 AM - edited ‎02-21-2020 10:56 AM

Hi All,

 

I'm currently designing a ISE solution to provide gust access with web authentication and I want to assign separate interfaces on the ISE appliances so we dont need to punch holes through our main firewall. I have seen that this is possible in various support community conversations/design guides, however, I'm looking to place the ISE guest interfaces directly on the same VLAN that guest users will be placed on but I cant see if this is recommended or not.

 

The reason I want to do this is for simplicity so no need to even create a separate DMZ etc. Has anyone does this before? Does the ISE interface for guest listen on any other ports than what has been set for the CWA portal?

 

Many thanks

Labels:
0 Helpful
5 Replies 5

Francesco Molino
VIP Alumni
VIP Alumni

‎05-20-2018 09:00 PM

Hi

 

Yes sure this is something that’s often done.

 Your switch or WLC will talk to radius using the default interface (or radius specific interface if you have any). The radius will reply with guest interface as URL redirect if you configured so on the portal itself. This is where you define which interface listen for portal ports.

As soon as URL redirect is pushed, guest users will be pushed a guest vlan within dmz zone where they can reach  ISE 2nd interface and avoid opening ports on your FW.

 

You can extended your DMZ vlan to this 2nd ISE interface to make sure guests won’t sit in your lan.

 

Usually, what I do is keeping default interface for management, then add a dedicated interface for radius/tacacs and 3rd one for guests.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

de1denta
Level 3
Level 3
In response to Francesco Molino

‎05-21-2018 12:16 AM

Hi Francesco,

 

Thank you for the response. That make sense.

 

In this particular environment we are looking to included a wired guest network as well which will be in a separate VLAN. In this instance should we use 3 interfaces on ISE? Default interface for management/Radius etc, one interface for Wireless Guest and one interface for Wired Guest?

 

In your environments, would you normally have wireless and wired guest in the same VLAN or split them out? I'm just conscious that I'm making this more complex then it needs to be.

 

Thank you

0 Helpful

Francesco Molino
VIP Alumni
VIP Alumni
In response to de1denta

‎05-21-2018 05:06 PM

For my point of view wired guest and wireless guest should be in separated vlans but in the same zone. This means that only 1 interface on ISE can handle both.

 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

de1denta
Level 3
Level 3
In response to Francesco Molino

‎05-21-2018 11:53 PM

Thanks Francesco,

 

When you say 'Zone' do you mean a common DMZ interface that is accessible from both the Wired and Wireless guest networks?

 

0 Helpful

Francesco Molino
VIP Alumni
VIP Alumni
In response to de1denta

‎05-23-2018 05:22 PM

Yes I meant DMZ interface. When clients (either wifi and wired) are redirected to guest portal, they'll be pushed to a specific vlans that needs to be able to reach ISE guest/dmz interface.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful
Customers Also Viewed These Support Documents