Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

Cisco Employee

Cisco ISE with multiple Network interface

Hello,

I am deploying Cisco ISE 1.2 in a distributed deployment and the requirement is to use external Radius proxy feature. ISE PSNs are designed to have 2 L3 NIC's, Eth0 for administration and Eth1 as client side facing NIC for Radius requests. I am interested to know would Cisco ISE in version 1.2 use Eth1 interface to send RADIUS  authentication request to external RADIUS Proxy server.

Could not find above information in Cisco SNS-3400 Series Appliance Ports Reference.

http://www.cisco.com/en/US/docs/security/ise/1.2/installation_guide/ise_app_c-ports.html

Thanks

Kumar

5 REPLIES
New Member

Cisco ISE with multiple Network interface

Hi Kumar,

I believe you need to move the question to ACS/Identity and NAC section, it will be more accessible by the ISE experts.

Anyway, ISE can support External RADIUS server as External Identity source, and this can be done though any interface like the Gig0 which is MGMT one.

You can consider your server like the AD as example, and the ISE will use Gig0 for traffic forwarding to any other parties used on the configuration.

Please check this:

http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_man_id_stores.html#wp1098609

Thanks.

Ahmad.

Cisco Employee

Re: Cisco ISE with multiple Network interface

Thanks Ahmad for the reply.

Cisco ISE uses standard RADIUS authentication and authorization port to send request to Exteranl RADIUS proxy. As per the interface/port refrence guide of version 1.2 this is listed that is causing a confusion :-



Eth0Eth1Eth2Eth3
Policy   Service nodeSession

•UDP:1645, 1812 (RADIUS Authentication)

•UDP:1646, 1813 (RADIUS Accounting)

•UDP: 1700 (RADIUS change of authorization Send)

•UDP: 1700, 3799 (RADIUS change of authorization Listen/Relay)
External   Identity Stores
and Resources

•TCP: 389, 3268, UDP: 389 (LDAP)

•TCP: 445 (SMB)

•TCP: 88, UDP: 88 (KDC)

•TCP: 464 (KPASS)

•UDP: 123 (NTP)

•TCP: 53, UDP: 53 (DNS)

(Admin user interface authentication and endpoint authentication)



In external Identity Stores and Resources it says Eth0 is used for (Admin user interface authentication and endpoint authentication), where under sessions it lists that all ports can be used for RADIUS Authentication and Authorization.

I am not sure what I am missing to understand between the two if you can highlight that.

Thanks

Kumar

Cisco Employee

Re: Cisco ISE with multiple Network interface

Hi Ahmed,

Did a TCP dump on eth1 interface and I could c the external radius proxy traffic being sent through Eth1 interface of ISE. It will put the complete setup and let you know the final results.

Thanks

Kumar

New Member

Re: Cisco ISE with multiple Network interface

Hi Kumar,

Any update about your setup?

I'm asking because I need similar thing with different identity source and need to check if it is applicable or not.

Thanks.

Ahmad.

Cisco Employee

Re: Cisco ISE with multiple Network interface

Hello Amjad,

For External Idenity sources Cisco ISE would use Eth0 as the default and only interface to communicate with them. But in case of exteranl RADIUS proxy request its not bounded to Eth0 interface and rather depends on the route on Cisco ISe.

Hope this answers the query

Thanks

Kumar

2547
Views
0
Helpful
5
Replies
CreatePlease login to create content