topic Re: ISE Guest DNS in Network Access Control

ISE Guest DNS

dm2020 — Fri, 26 Oct 2018 23:00:42 GMT

Hi All,

I have a question regarding DNS for ISE portal redirect.

I am setting up a guest hot spot portal in ISE for a customer that will use an FQDN such as guest.domain.com. ISE has been configured with a dedicated interface that sits in the customer's DMZ with a private IP address. Guest users will receive an IP address by DHCP but with google DNS instead of the customers internal DNS.

What is the preferred method to ensure that guest.domain.com resolves to the ISE IP address?

One option that I have seen is to configure an A record in public DNS that resolves to the private IP address of the ISE DMZ interface, however, I have seen that some people dont like this due to security reasons. Is this a valid security concern? Are there any other better ways to achieve this?

Re: ISE Guest DNS

hslai — Sat, 27 Oct 2018 02:17:26 GMT

If domain.com is your domain and if you may add an address (A) record to the public DNS publishing domain.com to resolve it to the private IP address, I do not see any issue. The private IP address will not be routable outside your guest network so should be pretty safe. Besides, this way you may bind the portal to a system certificate signed by a well-known and trusted CA so that your guests would not be getting certificate errors due to hostname mismatch or untrusted otherwise.

Re: ISE Guest DNS

dm2020 — Sat, 27 Oct 2018 08:06:28 GMT

Ok that does make sense and seems to be the simplest way to achieve what I need. Thank you for the quick response

Re: ISE Guest DNS

packetplumber9 — Mon, 29 Oct 2018 15:36:42 GMT

Technically speaking, if you want to be a good netizen, it is against the IETF standards to put private IP space in publicly resolvable DNS.

Recommendations to do it another way are using split DNS architecture, or using a publicly routable IP in your DNS response and performing a NAT as it enters the DMZ.

Re: ISE Guest DNS

Arne Bier — Mon, 29 Oct 2018 22:21:47 GMT

As someone stated, putting private IP into a public DNS record is not good practice.

In a guest scenario where the clients perform DHCP and get a public IP, then the DNS resolution can be done as follows.

Offer the guests a DNS server (or servers) that performs conditional forwarding (all DNS servers can do this).

The logic is as follows

Requests for guest.mycompany.com resolves to your internal IP for PSN (static IP or VIP if load balancing)

All other requests get forwarded to the public DNS provider(s) (your ISP, or 8.8.8.8 etc.)

Simple and clean. Even Microsoft DNS can do this.

Re: ISE Guest DNS

mendiratta_vimal — Sat, 11 May 2019 03:54:36 GMT

Hi Arne,

I see your solution will work fine for one PSN/geographical location as ours is doing the same however;

We have 5 PSNs at different geographical locations. all locations have their own DHCP servers, however not sure how shall we achieve DNS. How can we make our 5 PSN resolve guest.mycompany.com

We are using Bond 0 for sponsor and Bond 1 for Guest.

We do not have Load balancer.

Please advise.

Thank you.

Regards,

Re: ISE Guest DNS

Arne Bier — Mon, 13 May 2019 02:13:31 GMT

Hi @mendiratta_vimal

if the PSN's are spread over different physical locations then it makes no sense to use as load balancer.

In that case each location would specify its own local PSN node as the Primary Radius server. This means that you can create Policy Set AuthZ rules to catch the sender of the MAB request and to return the correct PSN redirection URL. But that then brings us to the question of how to resolve the common FQDN ...

If each location has its own DHCP server, do you also have the facility to return a different IP address for guest.myportal.com at those locations? e.g. does each location have its own DNS server? if so then your local DNS server could serve up the relevant PSN IP.

Sorry I am not a DNS guru 😞 - someone smart enough might have an answer for you. Perhaps AnyCast is an option too but I might be wrong.

If you are happy to have each location present a different FQDN in the Guest portal then you could make a cert that contains all five ISE FQDNs in the cert's SAN (or use a wildcard cert). That would be another (simpler) workaround.

guest1.myportal.com -> PSN1

guest2.myportal.com -> PSN2

etc.

If the PSN nodes' hostnames are not created with those exact FQDNs, then you can use DNS again to override that. But in some cases customers use a public DNS domain for their ISE node hostnames - if you're one of those then you're in luck.

Re: ISE Guest DNS

benkelly`8 — Sun, 09 Aug 2020 14:27:23 GMT

Multiple PSN's in different my approach would be two use AWS Route 53 with a geo policy to return the closest one (if it is up), then if required use destination nat to translate the destination from a public IP to a private