topic configuring CWA in distributed environment in Network Access Control

configuring CWA in distributed environment

mojuneja — Mon, 11 Mar 2019 03:04:19 GMT

Could you please elaborate the process how CWA works in distributed environment?

Re:configuring CWA in distributed environment

Tarik Admani — Sun, 10 Feb 2013 02:03:23 GMT

Cwa is configured at the administration nodes. The policy nodes send the url string to their hostname and perform the authentication and provides services such as guest authentication and my device portal.

Thanks

Sent from Cisco Technical Support Android App

configuring CWA in distributed environment

nspasov — Sun, 10 Feb 2013 02:07:19 GMT

Hello Mohit-

Can you please elaborate a little more on your question? What exactly are you trying to accomplish? The CWA process is handled by the Policy Services (PDP) node. If you have more than one (distributed) then you can place them behind a load balancer (if L2 adjacent). If the nodes are spread geographically then you specify which which PDP nodes would each NAD client use.

Thank you for rating!

configuring CWA in distributed environment

mojuneja — Sun, 10 Feb 2013 07:51:56 GMT

Thanks Tarik and Neno for your response........

My question is if One PSN goes down and my NAD is configured with 2 PSN IPs, so in that situation client request will go to 2nd PSN, and 2nd PSN will provide url-redirect link. So in that condition on client browser which PSN host name would be shown?

In my scenario, consider PSN A is primar and PSN B is secondary.

And one more thing I want to ask, can we customize the Guest Portal URL, as we have the option for Sponsor and My Device Portal under Guest/Sponsor SSL settings?

configuring CWA in distributed environment

nspasov — Mon, 11 Feb 2013 03:28:34 GMT

Yes, if one of the PSN goes down the NAD will flag as down. As a result, future AAA messages/functions will be forwarded to the secondary PSN node.

I don't think you can customize the URL for the guest portal. I am not 100% sure though so perhaps Tarik can confirm this. I am not going to be back in my lab for a while now otherwise I was going to test it.

Thank you for rating!

configuring CWA in distributed environment

mojuneja — Mon, 11 Feb 2013 05:17:11 GMT

Thanks Neno for your response....

To implement CWA in distributed environment, we need to add Subject Alternative Names in the Certificate.

I have already gone through the steps given in BYOD design guide, but my concern is if I would by Third party CA certificate for ISE, in that case how would I able to achieve the same.

http://www.cisco.com/en/US/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/byoddg.html

Would I need to ask Certificate vendor to add Subject Alternative Names? Will they do that?

configuring CWA in distributed environment

nspasov — Wed, 20 Feb 2013 17:15:57 GMT

Sorry for the delayed reply Mohit!

Yes, I am sure public CAs will be willing to sell you a SAN certificate, however, my guess is that it will be expensive. If you are only dealing with a couple of PDP nodes, then I would recommend that the you get two separate public certificates instead of the SAN type. The ony time I would bother with SAN certificates is if I am dealing with a lot of nodes and/or when I put the PDPs behind a load balancer.

Hope this helps!

Thank you for rating!

configuring CWA in distributed environment

mojuneja — Thu, 21 Feb 2013 01:48:44 GMT

Thank you so much Nano for your answer..

configuring CWA in distributed environment

JHILL2 — Fri, 01 Mar 2013 18:51:29 GMT

Is there a way to get the Authorization profile to send one of the different SAN names within the certificate instead of the actual hostname? Maybe with Cisco AV Pair?