Nice job. Invaluable session.
Invaluable vids for anyone new to ISE or inheriting administration of it.
Great session and very helpful for beginners 🙏🙏
Great session!
Quick question: can I deploy ISE facing the internet? Like attach an Elastic IP to its internal interface and add the NATed IP of the Network Access Devices on ISE?
ISE extracts the NAS-IP attribute from the RADIUS header in the auth request, which I believe won't be NATed. I was just thinking to use Global Accelerator with ISE, hence this question.
You can for basic authentication; however, there are two issues. The most important is that RADIUS and TACACS traffic is not encrypted, so anywhere in the path between the network device and ISE the RADIUS attributes with your usernames, network device IPs and other details could be captured. This is why a VPN or DTLS is required to secure the traffic.
NATed IPs cause a problem because you lose device-specific control/details by IP address (you may not care, but most people do), and if you want or need to do RADIUS Change of Authorization (CoA) back to the network device, the NAT device will not know which network device to send it to.
Best to use a VPN from on prem to cloud.
See
- Automated ISE Setup with Infrastructure as Code Tools @ ua-cam.com/video/tN_nTEE48Ys/v-deo.html
- Cisco ISE with Meraki @ ua-cam.com/video/snc0HIK0My4/v-deo.html
- ISE in AWS Webinar @ ua-cam.com/video/JOvQYSa6eFk/v-deo.html
What about the health check tab on the interface? Where can I find test outputs?
It is a useful video, tq. If possible, can you make a video on how to add the network devices and wireless, and how to monitor the endpoint devices?
Managing Network Devices in ISE is coming up next month (April 2022)! Register @ cs.co/ise-webinar or you may always watch the recording here
Thank you for doing this video in great detail.
I'm planning for a 3-node small deployment. If I get it right, I'd need to put 2 nodes as PAN+MnT+PSN and 1 node as PSN; will this work fine?
Great presentation, 1 question though. Does it mean ISE is not a suitable solution for offshore environments with latency being more than 300 millisec, as you mentioned?
By "offshore", I assume you mean boats. Yes, naval and cruise ships have isolated ISE deployments because their satellite links are not fast enough. This is explicitly covered @ 55:55 Multiple ISE Deployments
@@CiscoISE Thanks for your reply. A follow-up question: let's say you have 50+ ships, each with their own ISE deployments; how do you maintain all that from shore?
9:12 PAN server related for making policy
10:44 PSN server, making the ISE enforcement
Great session, can I get the presentation slides?