ISE multitenancy readiness: overlapping IP for NADs

Michal Garcarz
Cisco Employee

Hello Team,

Do we have any plans to make ISE ready for multi-tenancy (supporting many separate orgs / customers)?

It looks like we already have most components ready for this (including AD, IP-SGT mapping per VRF), but one very important one is still missing:

- we cannot create NADs with the same IPs

Any plan to have it fixed?

(NAT is not an acceptable solution because of CoA and other issues)

My plan for the design is the following:

- 2xPAN+2xMNT in a central location

- PSN per customer (or two PSNs)

Policy Sets with rules like: if RADIUS/TACACS traffic from PSN1 then policy Customer1, from PSN2 then policy Customer2....

Each customer would group their NADs based on Location (e.g. Location/Customer1/US). Then every incoming RADIUS or TACACS packet will be evaluated by a policy set (with a PSN name condition) and that will narrow down the search for the NAD to a specific Location (Customer1).

Possible?

Are we evaluating similar functionality to have in ISE?

Any other work to make it fully multi-tenant with NADs belonging to multiple customers with overlapping IPs?

Thanks,

Michal

1 Reply

howon
Cisco Employee

No, overlaps allowed currently. Please reach out to the PM team for roadmap.