Hello Cisco community,
We are conducting an ISE pilot (some 300 endpoints with a combination of dot1x and profiling authentication and authorization policies), are currently wrapping it up and are ready for a distributed deployment to support 60k endpoints (approx. half of them will be profiled).
Our deployment plan involves 2x PAN (primary/secondary), 2x MnT (active/standby) and 4x PSN (behind an F5 load balancer); all will be virtual appliances (VM sizing based on the SNS-3495).
PAN and MnT will be deployed in the management network (firewalled) and will have a single interface.
For the PSNs, we are thinking of having dedicated interfaces in order to achieve the following:
1. Management traffic (HTTPS, syslog, secure syslog) with PAN and MnT (e.g. on the Gig0 interface)
2. Production traffic (RADIUS, LDAP, NTP, profiling traffic towards endpoints, NADs and ADs), e.g. on the Gig1 interface
I have been trying to find information in the Cisco partner community for ISE but haven't been able to find this type of detail. The only information I could find is that some deployments have a dedicated PSN interface (a different segment than the rest of the RADIUS, profiling and management traffic) for user/endpoint web authentication traffic.
But what we'd like to achieve here is to separate RADIUS/profiling traffic towards endpoints, NADs and ADs from the traffic towards PAN and MnT.
I'd like to hear some field deployment experience and Cisco expert views on this subject.
Ken, thanks for your feedback. Indeed it would've been easier at the country domain level, but due to some compliance requirements it has to be between @tls.customer.com and @tls.partner.com and restricted to certain pre-defined users. But the customer doesn't want to create a specific user environment for this, since this would require them to create a new AD user, a new email domain tls.customer.com, etc. They're trying to make this simpler by allowing selected country users to send email "on behalf of" this tls.customer.com domain. And I think this is where it goes wrong.
We are activating TLS enforcement (STARTTLS) between our customer domain (@tls.customer.com) and their business partner (@tls.partner.com) on the internet MTA (Cisco ESA C370 running AsyncOS 8.0.1-023).

The customer is managing their internal mail infrastructure and has user mail domains based on country. So, for example, user X in Switzerland will have the sender address X@ch.customer.com. My understanding is that they are using IQ Suite software to rewrite the sender address into X@tls.customer.com to be able to enforce TLS based on this domain.

So far so good, until the business partner at the receiving end mentioned that they receive reply-to: X@tls.customer.com but from: X@ch.customer.com, and this interferes with the policy at their end that requires both sender header fields to be the same.

My customer mentioned that they have modified both the "From" and "Sender" fields using IQ Suite, but somehow on our IronPort we are seeing both appear in "From":

From: <X@ch.customer.com>, <X@tls.customer.com>

And in message tracking I can see DKIM matching on X@ch.customer.com rather than on X@tls.customer.com:

Message 218480027 (51299 bytes) from X@tls.customer.com ready.
10 Feb 2015 09:13:27 (GMT +01:00) Message 218480027 matched per-recipient policy DEFAULT for outbound mail policies.
10 Feb 2015 09:13:27 (GMT +01:00) Message 218480027 is not signed. No domain key profile matches X@ch.customer.com.
10 Feb 2015 09:13:27 (GMT +01:00) Message 218480027 successfully signed. DKIM ch.customer.com-DKIM matched ch.customer.com.
10 Feb 2015 09:13:27 (GMT +01:00) Message 218480027 queued for delivery.

So I suspect that the customer's internal mail still has X@ch.customer.com in the "From" header and X@tls.customer.com in the "Return-Path" header. The question is how I can modify the "From" header to match the one in the "Return-Path" before sending it to the partner. Appreciate the feedback.
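As an added example, not part of the post above or of any Cisco/IQ Suite tooling: a small header-alignment check that parses the kind of message described in the post, flags the double "From" mailbox list, compares From with Sender and Return-Path, and shows which domain a DKIM signing profile keyed on the first From mailbox would pick. The message samples are constructed, and the profile-selection rule is an assumption suggested by the tracking log, not ESA internals.

```python
import email
from email import policy
from email.utils import getaddresses

# Constructed samples (assumption: modelled on the symptom described in the post,
# not real captures). BEFORE shows the double From; AFTER shows the rewritten one.
BEFORE = """\
Return-Path: <X@tls.customer.com>
From: <X@ch.customer.com>, <X@tls.customer.com>
Sender: <X@tls.customer.com>
Reply-To: <X@tls.customer.com>
To: <partner@tls.partner.com>
Subject: TLS enforcement test

body
"""
AFTER = BEFORE.replace("From: <X@ch.customer.com>, <X@tls.customer.com>",
                       "From: <X@tls.customer.com>")

def header_domains(msg, name):
    """Lower-cased domain of every mailbox in header `name` (empty list if absent)."""
    raw = [str(v) for v in msg.get_all(name, [])]
    return [addr.rsplit("@", 1)[1].lower() for _, addr in getaddresses(raw) if "@" in addr]

def check_alignment(raw_message, signing_domains):
    """Compare From with Sender and Return-Path and report which signing domain a
    DKIM profile keyed on the first From mailbox would pick (assumed selection
    rule, suggested by the tracking log; not a statement of ESA internals)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    frm = header_domains(msg, "From")
    sender = header_domains(msg, "Sender")
    rpath = header_domains(msg, "Return-Path")
    first = frm[0] if frm else None
    return {
        "from_domains": frm,
        # RFC 5322 permits several From mailboxes only together with a Sender
        # header; many receivers still treat it as a policy violation.
        "multi_from": len(frm) > 1,
        "from_matches_return_path": first is not None and rpath == [first],
        "from_matches_sender": first is not None and sender == [first],
        "dkim_profile_domain": first if first in signing_domains else None,
    }

if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        print(label, check_alignment(sample, {"ch.customer.com", "tls.customer.com"}))
```

Running the two samples shows the BEFORE message failing both alignment checks and selecting the ch.customer.com profile, while the rewritten AFTER message aligns and selects tls.customer.com.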