topic Re: ISE Sponsor portal with load-balancer URL in Network Access Control

ISE Sponsor portal with load-balancer URL

MP_Linc — Tue, 15 Jan 2019 14:44:45 GMT

I have two ISE nodes running in Primary and Secondary mode, I have a sponsor portal established with a defined dns string internally for employees to reach, however we have a load-balancer(LB) managing the sponsor portals respectively. When clients attempt to reach our sponsor portal they get caught by the LB which then presents a certificate error and won't redirect the client to the ISE nodes seamlessly. On the ISE servers for the same portal we have valid external certs to prevent a cert error page from appearing. Has anyone run a setup like this before? I'll condense all the information I have below for ease of reading. Also does the secondary even take any requests for sponsor logins? Or is the primary the work horse? I don't expect the portal to be heavily used but I could be wrong.

I have the FQDN field filled out with my dns entry in ISE for the sponsor portal URL.

The LB has the same FQDN defined for where to redirect.

Our internal DNS is pointing to our internal IP with the correct DNS entry. Known because this works without the LB being active.

The actual URL for ISE has a long string after the DNS name .com:8888/sponsorportal/...

Should the full ISE URL be used on the LB or just the shortened FQDN?

Re: ISE Sponsor portal with load-balancer URL

Timothy Abbott — Tue, 15 Jan 2019 15:22:46 GMT

Hi,

If you haven't already done so, please take a look at BRKSEC-3699 which has a large section on PSN load balancing that also covers load balancing web services.

Regards,

-Tim

Re: ISE Sponsor portal with load-balancer URL

paul — Tue, 15 Jan 2019 16:42:46 GMT

For two nodes I wouldn't even bother load balancing the sponsor portal. Create two A records in your DNS for the sponsor portal FQDN and put in the IPs of each of your ISE nodes. Both ISE nodes can serve up the sponsor portal. There is no concept of primary/secondary.

Re: ISE Sponsor portal with load-balancer URL

MP_Linc — Tue, 15 Jan 2019 19:03:48 GMT

I wish I could have done it that way but the powers above me wanted it behind the LB adding the cert to the LB alleviated my original issue. I do appreciate you answering the question about how the ISE nodes respond to requests for the portal.

Re: ISE Sponsor portal with load-balancer URL

Damien Miller — Tue, 15 Jan 2019 21:34:50 GMT

What brand load balancer are you using? It sounds like you're doing ssl decryption when you should be able to just sticky/persist the session traffic and let ise handle it.

Re: ISE Sponsor portal with load-balancer URL

MP_Linc — Wed, 16 Jan 2019 12:06:42 GMT

Its a Citrix Netscaler, but the issue for the page not appearing appropriately was resolved by placing the cert on the LB. I sadly only manage ISE and the network equipment so I usually work with another team for server related tasks.