we have placed the ISE in a DMZ. The NIC 0 is used for Administration of the ISE.
The Switches send their RADIUS requests to the ISE via an out-of-band management network which is connected to the DMZ through a Firewall.
What if I want to use CWA? I understand that the Guest/Sponsor Portal needs to be reachable via the Clients Network. I can use a dedicated NIC on the ISE for this connection. So GIG0 is mgmt (in DMZ) and GIG1 is Guest/Sponsor-Portal (not in DMZ).
What about security? Does the ISE route between the connected NICs? If it does, can I put a Firewall between the Client Network and the Guest-Portal NIC?
The ISE interfaces do not and should not route between its interfaces. They have to exist on separate layer 3 networks, and you can add routes on the CLI if the clients exist multiple hops away from the interface itself.
My situation is similar, however the opposite. We have ISE in our Enterprise MNGT zone (not in DMZ). NIC0 for mngt and accessible for us to manage from inside our network. For the guests using CWA we've created a VRF for Guest-Users to route to ISE but using NIC3 only, which resides in our DMZ and blocks access to our regulatory network. This is required because the client needs to reach ISE on "nic3" for it to present the Guest Portal (Layer3). Also the client will need to receive a DHCP address beforehand to speak with ISE on its nic3, so we also have a DHCP server hanging off the guest VRF along with an interface on our WLC. The WLC on the DMZ is configured as an anchor controller and there is no need to poke any holes in our firewall.

To sum it up, we use NIC0 for mngt & radius requests, but after the client connects to our WLC (Guest-WiFi) the controller talks to ISE layer2 via NIC0; after MAB is performed (mac filtering on the WLC) it gets a permit back allowing the client to receive DHCP and DNS, then after a web page is attempted our redirect ACL on the WLC sends the client to ISE NIC3 which hosts our Guest Portal. So at no time do they touch our inside network.
We are running ISE 1.2 patch 8 for your reference. Hopefully that helps some. I'm still learning one phase at a time.
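As an added illustration (not from either poster), the two configuration pieces the replies above describe, written in Cisco IOS / ISE ADE-OS CLI form rather than the WLC form of the second reply: the ISE static route for guest clients that sit several hops from the portal NIC, and the CWA redirect ACL that lets DHCP, DNS and the portal NIC itself through before redirecting web traffic. All addresses and the ACL name are constructed placeholders.

```cisco
! ISE CLI (ADE-OS), on the ISE node. Guest clients in the guest VRF are
! several hops from GigabitEthernet 3, so a static route sends the guest
! prefix out via NIC3's gateway instead of the management default route.
! 10.200.0.0/16 = guest client range, 192.0.2.1 = NIC3 gateway (placeholders).
ip route 10.200.0.0 255.255.0.0 gateway 192.0.2.1

! IOS access switch: redirect ACL named in the ISE authorization result.
! IOS semantics: "deny" = do NOT redirect (pass through), "permit" = redirect.
! DHCP and DNS must work before the portal can be reached, and traffic to
! the portal NIC itself (192.0.2.10, placeholder) must never be redirected,
! otherwise the client loops on the redirect and never sees the portal.
ip access-list extended CWA-REDIRECT
 deny   udp any any eq bootps
 deny   udp any any eq bootpc
 deny   udp any any eq domain
 deny   ip  any host 192.0.2.10
 permit tcp any any eq www
 permit tcp any any eq 443
```

On an AireOS WLC, as used in the reply above, the redirect ACL semantics are inverted (permit = bypass the redirect), so the same list is written with permit entries for DHCP, DNS and the ISE portal address and the WLC redirects everything else.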