topic Re: ISE 2.4 CWA Guest portal redirection on distributed deployment in Network Access Control

ISE 2.4 CWA Guest portal redirection on distributed deployment

walwar — Mon, 11 Mar 2019 08:51:44 GMT

Hi guys,

We're using two ISE Prim/Seco and I am trying to configure wired guest portal on eth1 (I know if I use port eth0 ISE will choose its hostname i.e ise1.example.com/ise2.example.com) the redirection works as long as it's not using any fqdn. I tried to configure to use static ip/fqdn in authorization profile but that didn't work. so I tried the ip host as following and this didn't work either. In both cases the client doesn't redirect but when I change the fqdn to ip in the browser it works just fine.

ip host 10.1.1.190 guests guests.exammple.com
ip host 10.1.1.191 guests guests.exammple.com

In my previous setup (2.3) with one ISE it worked fine to use a static fqdn in the authorization profile and client were redirected correctly.

Any help or hint would be very much appreciated!

Re: ISE 2.4 CWA Guest portal redirection on distributed deployment

Jason Kunst — Mon, 12 Nov 2018 12:28:57 GMT

If this is something working in a previous release then should be working through tac

Did you use this?

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/117620-configure-ISE-00.html

why can’t you use dynamic redirection

Re: ISE 2.4 CWA Guest portal redirection on distributed deployment

walwar — Mon, 12 Nov 2018 12:27:18 GMT

In previous version I used only ONE ise and this setup that I am trying to configure CWA is a distributed deployment so there is difference.

Re: ISE 2.4 CWA Guest portal redirection on distributed deployment

Arne Bier — Tue, 13 Nov 2018 10:24:34 GMT

Did you mean the IP address in URL of Gig1 or Gig0 works? In your portal config did you put a tick against Gig1 interface? Stupid question - just checking ..

Could it be that the client is somehow not resolving the DNS entry for that FQDN? e.g. I had cases where I was testing something specific and I had to hard code my etc\hosts file for a while.

Other than that I can't think why this wouldn't work. Does adding an IP host command require application restart (or reboot)?

Re: ISE 2.4 CWA Guest portal redirection on distributed deployment

walwar — Wed, 14 Nov 2018 09:18:07 GMT

Jason, the link you provided worked like a dream, and happy it solved my problem, though when those authorizations rules are active all clients are hitting the guest rule and all are redirected to guest portal even the domain pc which they shouldn't but that is another problem and nothing have to do with this thread, therefore I'll mark it as solved.

@Arne Bier, yes, the gig 1 interface is ticked otherwise the traffic will go through gig 0 which we do not want to. Unfortunately the ip host restarts the application. It feels like I am doing something wrong but not sure what... I guess that is a learning curve as well. 🙂

Re: ISE 2.4 CWA Guest portal redirection on distributed deployment

Jason Kunst — Wed, 14 Nov 2018 15:07:53 GMT

Glad to here perhaps you can match your GUEST SSID or WLAN ID as well in those authorization rules. Like in this article https://www.network-node.com/blog/2017/10/7/ise-23-new-policy-sets

Re: ISE 2.4 CWA Guest portal redirection on distributed deployment

walwar — Thu, 15 Nov 2018 08:13:29 GMT

It's for my wired guests not wireless.

Well my VLAN ID was already in the authorization rules I created for both of my ISE and honestly I think that was what made all users, PC, etc to be redirected to the urls. And now I can't test as those are in production now. I will definitely test it the next maintenance window and update here.

Thanks though for taking the time and helping out, much appreciated!