This document describes the multiple ISE installation scenarios.
Scenario 1:Cisco ISE and WLC Access-List Design/Scalability
User have a scenario whereby wireless clients are authenticated by the ISE and different ACLs are applied to it based on the rules on ISE. User is observing the limitation on the Cisco WLC which limit only 64 access-list entries. As the setup has only a few SVI/interfaces and multiple different access-lists are applied to the same interface base on the user groups; He was wondering if there may be a scalable design/approach whereby the access-list entries may scale beside creating a vlan for each user group and applying the access-list on the layer 3 interface instead? He have illustrated the setup below for reference:
User group 1 -- Apply ACL 1 --On Vlan 1 User group 2 -- Apply ACL 2 -- On Vlan 1 User group 3 -- Apply ACL 3 -- On Vlan 1
The problem is only seen for wireless users, it is not seen on wired users as the ACLs may be applied successfully without any limitation to the switches.
Actually, you have limitations on the switch side as well. Lengthy ACLs can deplete the switch's TCAM resources. Take a look at the link mentioned below: Cisco Doc
The new WLCs that are based on IOS XE and not the old Wireless/Aironet OS will provide the a better experience when it comes to such issues. Overall, there are three ways to overcome current issue:
Shrink the ACLs by making them less specific
Utilize the L3 interfaces on a L3 switch or Firewall and apply ACLs there
Scenario 2: ISE 1.2 Time Zone
User have a ISE 1.2 pair, v9 patch installed and sychronized. Recently time zone changed to summer time which is one hour later. In the CLI user can see that the reference is sent by NTP and the clock has changed but while monitoring he can still see that there is an hour difference from real time. He read in Cisco official documentation that time cannot be changed on ISE or else it will become unusable but the logs are not being timestamped correctly and also the time the RADIUS request are made by NAD vs the time they are recieved by ISE have one hour difference. Is there a way to solve this? it seems to be prone to any kind of unexpected behaviour when we are least expecting it.
It seems that it is a bug (Related to the timezone). The base OS (Cent/ADE OS) appears to be running fine and keeping track of DST (Day light savings) but the actual application (ISE) installed on Cent is not. I don't believe that NTP pushes/honors timezones. I think NTP just synchronizes the clock while timezones/DST is controlled locally.
However, if we take Eastern Time Zone for example. I had to make sure that I select "EST5EDT" in ISE and not just EST. If I simply selected EST then DST was not observed and made things ugly. The same applied for Pacific timezone where I had to make sure that I select "PST8PDT" With all of that being said, I checked the CLI in ISE and I don't see any Chile related time zones that would indicate DST observations. You can check for those yourself by using the following command "show timezones"
I was able to find these but perhaps there are more and a specific one to CST/CLST. I tried searching for those but could not find anything:
You are correct about being able to change the timezone in CLI. If you do that TAC will not support the product anymore if any odd issues are to arise. With that being said, I have changed the timezone before and the system continued to work as expected without any issues. So I will leave it up to you on how you would proceed. The only other option is to re-image the nodes.
Scenario 3: ISE 1.2 - Multiple NICs/Load Balancing for DHCP Probe
Just prepping an ISE 1.2 patch 8 setup in our organization. User is going for the virtual appliances with multiple NICs. It will be a distributed deployment with 4 x PSNs behind a load balancer and there is no requirement for wireless or guest user at the moment. User have got 2 points he will like to get some guidance on:
DC has a dedicated mgmt network and he plan to IP the gig0 interface of the PANs, MNTs and PSNs from this subnet. All device admin, clustering, config replication, etc will be over this interface. However, RADIUS/probe/other user traffic to the ISE PSNs will be over the gig1 interface which will be addressed from another L3 network. Is this a supported configuration in ISE? I intend to use the DHCP probe as part of device profiling and will ideally like to have just an additional ip helper to add to our switch SVI config. Also, it will appear that WLCs can only be configured for 2 DHCP servers for a given network so another consideration for when we bringing our WLAN in scope. We however use ACE load balancers within our DC and from what I have read, they do not support DHCP load balancing. Are there any workarounds to using the DHCP probe with multiple PSNs without having to add each node as an ip helper/DHCP server on the NADs?
If you are using a Cisco WLC and running code 7.4 and newer you don't need to mess with the IP helper configurations. The controller can be configured to act as a collector for client profiling and interact with the DHCP thread along with the RADIUS accounting task that is running on the controller. The controller receives a copy of the DHCP request packet sent from the DHCP thread and parses the DHCP packet for two options:
–Option 12—HostName of the client –Option 60—The Vendor Class Identifier
After this information is gathered from the DHCP_REQUEST packet, a message is formed by the controller with these option fields and is sent to the RADIUS accounting thread, which is in turn transmitted to the ISE in the form of an interim accounting message. Both DHCP and HTTP profiling settings are located under the "Advanced" configuration tab in the WLC On the other hand, you can also use Anycast for profiling. You can check out some of Cisco Live's sessions for more info on that. Here is one that is from a couple of years (There are more recent ones that are available as well):
HIWe have a Site to Site VPN configured between our FTD and a 3rd Party.1. I have a rule allowing inbound from Outside from 3rd party peer to internal servers whcih should bring up the VPN between the peer addresses,2. Do I need a rule from inside to outs...
Hello.My web session keeps expiring in one firepower I manage.When I connect to the firepower web, the session expires in 1~3 minutes irregularly.In some cases, you cannot log in because your session has expired.The browser session timeout is set to 60 mi...
Hi all, I have a cluster of 2x FTDs running on 2130 with version 184.108.40.206 which is managed by my FMC. In the threat defense policy which is applied to my FTD cluster, the Secure shell settings in my platform settings is blank but i am able to ssh...
Hi,I'm having a problem routing LAN traffic out through the firewall. I've read the multiple posts with the same problem but their solutions have not worked for me. Traffic flow isInternet - Cisco ME3400 - Firepower2110 (ASA) - Switch - PC Netwo...
We are on ISE 2.4 and have configured AD <> ISE integration using WMI (to get information of AD users) Some providers suddenly went offline for no reason, we had to manually add back integration Is there a way to set an email alertin...