ISE Server - multiple networks query

kuzminsk1 (Level 1)

Hi guys

We are planning to deploy a Cisco ISE server to manage NAC for 300 users (Windows, WYSE, Avaya phones and HP printers). DHCP is running on the DC and the ISE interface has Layer 2 visibility of the whole network segment it's managing.

We have just received an additional requirement for a dedicated/completely segregated switch VLAN which provides unrestricted Internet access. It would be connected to a third-party Internet-facing router allowing connections directly on to the Internet. Effectively, it's a completely segregated network of a single VLAN and Internet access.

Would it be possible to manage port-security for this VLAN from the ISE server? If so, would the ISE server need an additional NIC configured in the subnet of the Internet VLAN?

Basically, I'm wondering if a single ISE server can be used to manage 2 completely independent networks. The Internet network would not use AD authentication and access would have to be granted manually on a case-by-case basis.

Many thanks

M

2 Accepted Solutions

Just to clarify, ISE does NOT need to be Layer 2 adjacent to the clients to work. Only when using specific profiling probes is this ever useful. It has no use when doing MAC address validation or 802.1X.

As for your question, yes, ISE can manage validating, say, for example, the MAC addresses that need access to your "Internet" VLAN and your internal VLAN at the same time. However, it's not done with the switch "port-security" feature, but rather by entering the MAC addresses that need access into your ISE server and then using the "group" you put them in as a condition when authorizing access in ISE.


Indeed, I just want to add two remarks:

First: the switch communicates with ISE using RADIUS via its management (?) interface; that is the only hard requirement to fulfil this requirement.

Second: if you want to use an ISE guest portal to facilitate this requirement you have to think again, because both the management interface of the switch and Cisco ISE might need connectivity to the guest VLAN.

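As an added example that is not part of the thread (neither poster supplied configuration), here is the switch side of the design both accepted solutions describe: one classic IOS access switch carrying both the corporate VLAN and the segregated Internet VLAN, sending RADIUS to a single ISE node from its management SVI, with 802.1X for AD users and MAB for the manually approved MAC addresses. The ISE address, shared secret, VLAN numbers and interface names are assumptions.

```cisco
! Added example, not from the original thread. Assumed values: ISE PSN at
! 10.10.10.50, management SVI Vlan100, corporate VLAN 10, voice VLAN 20,
! Internet-only VLAN 200, shared secret "ExampleSharedSecret".
!
! --- RADIUS towards ISE (second reply: the only hard requirement is that
!     the switch can reach ISE; ISE needs no NIC in the Internet VLAN) ---
aaa new-model
radius server ISE-PSN-1
 address ipv4 10.10.10.50 auth-port 1812 acct-port 1813
 key 0 ExampleSharedSecret
aaa group server radius ISE
 server name ISE-PSN-1
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting dot1x default start-stop group ISE
! Source RADIUS from the management SVI, not from whichever interface
! happens to route to ISE (so only Vlan100 needs reachability to ISE)
ip radius source-interface Vlan100
! Needed so ISE can return VLAN and voice-domain attributes
radius-server vsa send authentication
dot1x system-auth-control
!
! --- VLANs: corporate, voice, and the segregated Internet-only VLAN ---
vlan 10
 name CORP
vlan 20
 name VOICE
vlan 200
 name INTERNET-ONLY
!
! --- Access port: 802.1X first, MAB as fallback for devices with no
!     supplicant; no port-security, ISE's authorization result decides
!     the VLAN (first reply) ---
interface GigabitEthernet1/0/5
 description user/phone port - data VLAN assigned by ISE
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication event fail action next-method
 ! one data device plus one voice device (Avaya phone) per port
 authentication host-mode multi-domain
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
!
```

On the ISE side (GUI, so not shown): put each manually approved MAC address into an endpoint identity group such as "Internet-Only" and add an authorization rule of the form "Wired_MAB AND EndPoints:EndPointPolicy/IdentityGroup equals Internet-Only", whose authorization profile returns VLAN 200 (Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Private-Group-ID=200); AD users authenticating via 802.1X match a separate rule that returns VLAN 10, and the phones' profile must carry the Cisco AV pair device-traffic-class=voice so they land in the voice domain. Unknown MAC addresses match no rule and are denied, which is the "case-by-case" approval the question asks for. The second reply's caveat applies if you swap MAB for a guest/web-auth portal: the client is then redirected to ISE's portal from inside VLAN 200, so that VLAN must reach the ISE portal interface and the switch needs a redirect ACL, which breaks the "completely segregated" property.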

3 Replies

kuzminsk1 (Level 1)

Just to clarify - the Internet VLAN will be defined on the same switches as the main network.

