<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: my devices portal FQDN DNS resolution in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/my-devices-portal-fqdn-dns-resolution/m-p/3717291#M492212</link>
    <description>Ok what’s their concern?&lt;BR /&gt;</description>
    <pubDate>Tue, 02 Oct 2018 11:42:51 GMT</pubDate>
    <dc:creator>Jason Kunst</dc:creator>
    <dc:date>2018-10-02T11:42:51Z</dc:date>
    <item>
      <title>my devices portal FQDN DNS resolution</title>
      <link>https://community.cisco.com/t5/network-access-control/my-devices-portal-fqdn-dns-resolution/m-p/3716939#M492207</link>
      <description>&lt;P&gt;I have two ISEs. Primary PAN, Secondary Mnt, Active PSN on ISE01 (192.168.1.10). Secondary PAN, Primary Mnt, Active PSN on ISE02 (192.168.1.20).&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I have set up BYOD but for the my devices portal I can only set the FQDN under the Portal Settings. For this example it's mydevices.test.com&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;All this works OK as I have DNS resolving mydevices.test.com to 192.168.1.10. But how do I make this work for the second ISE node? The FQDN has to be mydevices.test.com. I don't have any load balancers.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I can get the CWA for BYOD to work on both ISEs by using two separate authz profiles and identifying the request based on the source ISE.&amp;nbsp;The authz profile for BYOD redirect&amp;nbsp;has the option to set a static FQDN which can be used in a rule and modified to suit the ISE. So ISE1 has byod1.test.com and ISE2 has byod2.test.com. The authz rules match the source ISE and apply the corresponding BYOD CWA.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;But I can't see how to do this for the mydevices portal. I thought of just using two DNS records pointing to the same FQDN but don't think that is the correct way to do it.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Any help on this one?&lt;/P&gt;</description>
      <pubDate>Mon, 01 Oct 2018 22:06:34 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/my-devices-portal-fqdn-dns-resolution/m-p/3716939#M492207</guid>
      <dc:creator>firestartest</dc:creator>
      <dc:date>2018-10-01T22:06:34Z</dc:date>
    </item>
    <item>
      <title>Re: my devices portal FQDN DNS resolution</title>
      <link>https://community.cisco.com/t5/network-access-control/my-devices-portal-fqdn-dns-resolution/m-p/3716949#M492208</link>
      <description>My devices portal has nothing to do with the byod nsp redirect. Why are you statically assigning this? ISE takes care of that for you by resolving the psn you're authenticated to automatically.&lt;BR /&gt;&lt;BR /&gt;For the my devices easy url FQDN, yes, you set a dns record with both IP addresses in it.&lt;BR /&gt;&lt;BR /&gt;&lt;A href="https://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_webportals.html#pgfId-1000833" target="_blank"&gt;https://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_webportals.html#pgfId-1000833&lt;/A&gt;&lt;BR /&gt;&lt;BR /&gt;</description>
      <pubDate>Mon, 01 Oct 2018 22:30:00 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/my-devices-portal-fqdn-dns-resolution/m-p/3716949#M492208</guid>
      <dc:creator>Jason Kunst</dc:creator>
      <dc:date>2018-10-01T22:30:00Z</dc:date>
    </item>
    <item>
      <title>Re: my devices portal FQDN DNS resolution</title>
      <link>https://community.cisco.com/t5/network-access-control/my-devices-portal-fqdn-dns-resolution/m-p/3717187#M492209</link>
      <description>&lt;P&gt;Hi, sorry but I don't understand part of your answer. You say:&lt;BR /&gt;&lt;BR /&gt; &lt;FONT size="3"&gt;&lt;EM&gt;"Why are you statically assigning this? ISE takes care of that for you by resolving the psn you're authenticated to automatically"&lt;/EM&gt;&lt;/FONT&gt;&lt;BR /&gt;&lt;BR /&gt;I'm assuming you mean the URL that gets applied during the BYOD redirect? If I leave it default without specifying a manual FQDN then it will return the hostname of the authenticating ISE, but I don't want that; I want byod1.test.com or byod2.test.com, not the hostname, hence why I set the manual URL on the redirect authz profile. If I have this set up completely wrong then I'm open to suggestions.&lt;BR /&gt;&lt;BR /&gt;As for the mydevices portal, if DNS round robin is the way then I'll give that a go, but the link you posted is for ISE 1.2 and I'm using ISE 2.4. I don't see the same recommendations for the mydevices portal in the 2.4 user guides. Is this still valid?&lt;BR /&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;</description>
      <pubDate>Tue, 02 Oct 2018 08:32:27 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/my-devices-portal-fqdn-dns-resolution/m-p/3717187#M492209</guid>
      <dc:creator>firestartest</dc:creator>
      <dc:date>2018-10-02T08:32:27Z</dc:date>
    </item>
    <item>
      <title>Re: my devices portal FQDN DNS resolution</title>
      <link>https://community.cisco.com/t5/network-access-control/my-devices-portal-fqdn-dns-resolution/m-p/3717253#M492210</link>
      <description>For the byod flow it’s not necessary to do what you did. I don’t understand why you have a problem automatically returning the psn hostname of the server the device authenticated to? It should then redirect to the same. What you’re doing is not necessary; please read the byod guide.&lt;BR /&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;A href="https://community.cisco.com/t5/security-documents/cisco-ise-byod-deployment-guide/ta-p/3641867" target="_blank"&gt;https://community.cisco.com/t5/security-documents/cisco-ise-byod-deployment-guide/ta-p/3641867&lt;/A&gt;&lt;BR /&gt;&lt;BR /&gt;Also the dns recommendations are still the same.&lt;BR /&gt;</description>
      <pubDate>Tue, 02 Oct 2018 10:26:51 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/my-devices-portal-fqdn-dns-resolution/m-p/3717253#M492210</guid>
      <dc:creator>Jason Kunst</dc:creator>
      <dc:date>2018-10-02T10:26:51Z</dc:date>
    </item>
    <item>
      <title>Re: my devices portal FQDN DNS resolution</title>
      <link>https://community.cisco.com/t5/network-access-control/my-devices-portal-fqdn-dns-resolution/m-p/3717269#M492211</link>
      <description>&lt;P&gt;Yes I know the PSN hostname is the norm but it's a customer requirement that the hostname is not shown in the URL. That is why it has to be a unique BYOD FQDN.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Thanks for the help.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 02 Oct 2018 10:53:55 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/my-devices-portal-fqdn-dns-resolution/m-p/3717269#M492211</guid>
      <dc:creator>firestartest</dc:creator>
      <dc:date>2018-10-02T10:53:55Z</dc:date>
    </item>
    <item>
      <title>Re: my devices portal FQDN DNS resolution</title>
      <link>https://community.cisco.com/t5/network-access-control/my-devices-portal-fqdn-dns-resolution/m-p/3717291#M492212</link>
      <description>Ok what’s their concern?&lt;BR /&gt;</description>
      <pubDate>Tue, 02 Oct 2018 11:42:51 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/my-devices-portal-fqdn-dns-resolution/m-p/3717291#M492212</guid>
      <dc:creator>Jason Kunst</dc:creator>
      <dc:date>2018-10-02T11:42:51Z</dc:date>
    </item>
    <item>
      <title>Re: my devices portal FQDN DNS resolution</title>
      <link>https://community.cisco.com/t5/network-access-control/my-devices-portal-fqdn-dns-resolution/m-p/3717352#M492213</link>
      <description>&lt;P&gt;No concern. They have stipulated that the URL shouldn't show the hostname. I've suggested the standard way but they insist on doing it without the hostname.&lt;/P&gt;</description>
      <pubDate>Tue, 02 Oct 2018 13:07:22 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/my-devices-portal-fqdn-dns-resolution/m-p/3717352#M492213</guid>
      <dc:creator>firestartest</dc:creator>
      <dc:date>2018-10-02T13:07:22Z</dc:date>
    </item>
    <item>
      <title>Re: my devices portal FQDN DNS resolution</title>
      <link>https://community.cisco.com/t5/network-access-control/my-devices-portal-fqdn-dns-resolution/m-p/3717630#M492214</link>
      <description>&lt;P&gt;Just do the URL override in the portal redirection.&amp;nbsp; Set up two DNS names, byodportal1.mycompany.com and byodportal2.mycompany.com, and map them to each PSN.&amp;nbsp; Then build two redirect authorization profiles, one that uses byodportal1 and one that uses byodportal2.&amp;nbsp; Finally build your policy set rules:&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;if network access ISE hostname equals psn1 then use authorization profile byodportal1&lt;/P&gt;
&lt;P&gt;if network access ISE hostname equals psn2 then use authorization profile byodportal2&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;If you are talking about the MyDevices portal outside of the BYOD flow then you can just map the FQDN to both PSN IPs and let DNS figure it out.&lt;/P&gt;</description>
      <pubDate>Tue, 02 Oct 2018 17:37:16 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/my-devices-portal-fqdn-dns-resolution/m-p/3717630#M492214</guid>
      <dc:creator>paul</dc:creator>
      <dc:date>2018-10-02T17:37:16Z</dc:date>
    </item>
  </channel>
</rss>

