topic Re: Radius proxy for guest in Network Access Control

Radius proxy for guest

jdal — Wed, 25 Jul 2018 17:16:20 GMT

Hi,

My customer has two ISE clusters. The first one is dedicated to wifi guest access while the second one is handling wired 802.1x for corporate users.

They would like to provide guest access to their wired users. They are thinking of using RADIUS proxy for that. The web portal would still be hosted on their "guest cluster" and "corporate wired users" would simply be redirected to that cluster.

I've done some research but I haven't seen any clear statement if that was supported or even supposed to work. Could someone confirm if this is supposed to work and provide some pointers?

An alternative would be to host the guest portal on the corporate cluster and use the "guest cluster" as an external database. This would avoid managing guest account at two different location but would require to duplicate the web portal, not ideal...

Re: Radius proxy for guest

Jason Kunst — Wed, 25 Jul 2018 17:23:16 GMT

You can point the guest portal on one system to the other using RADIUS token server as an external identity source
https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/admin_guide/b_ise_admin_guide_23/b_ise_admin_guide_23_chapter_01110.html#task_D0680D3739BF4663858342896759A10A

Re: Radius proxy for guest

Jason Kunst — Wed, 25 Jul 2018 17:24:20 GMT

Why wouldn't you just setup the wired deployment to use its on portal and database? It sounds like wired users would be logging into the CWA portal with their internal credentials?

Re: Radius proxy for guest

jdal — Wed, 25 Jul 2018 17:30:21 GMT

They are planning on heavily customising the portal. What you propose means duplicated work (and duplicated guest database).
In this case, they also want to provide wired access to genuine guest (contractors).
A contractor should be able to use both the wifi and wired infra with the same credential...

Re: Radius proxy for guest

jdal — Wed, 25 Jul 2018 17:31:19 GMT

Yes, this was the alternative I was mentioning. Should I deduce we wouldn't support RADIUS proxy in this case?

Re: Radius proxy for guest

Jason Kunst — Wed, 25 Jul 2018 17:45:57 GMT

Seems like complicating things having 2 separate deployments then? Or maybe its for security?

The proper way to point is using RADIUS token. What does RADIUS proxy give you, not sure why i understand the difference as a problem?

Re: Radius proxy for guest

jdal — Thu, 26 Jul 2018 09:25:27 GMT

The two different deployments is simply due to administrative reason. They have one team managing wifi and another one for wired... There is no way we will manage to push a single deployment in their case!

What I was hoping to achieve with RADIUS proxy is to redirect wired guest users to the web portal hosted on the wifi cluster. That way, they would only have to maintain the portal in a single cluster. Since that doesn't seem to be possible, I'll propose the alternative.

Thx

Re: Radius proxy for guest

Jason Kunst — Thu, 26 Jul 2018 11:06:24 GMT

Ok right. You can’t have one radius server hosting wired dot1x and another handling MAB for guest CWA. The ISE server servicing the wired side would also need to host the portal since we rely on radius session for the control plane.

So the solutions are
Option 1 you are going with:
wired deployment CWA would have to call the guest database in other deployment via RADIUS token
1 database of guest
Portal for wired
Portal for wireless
Enhancement request (reach out to the ISE product managers) requirement to export guest portal settings and customization from one deployment to import on another

Option 2:
Or have 1 deployment servicing it all

Re: Radius proxy for guest

jdal — Thu, 26 Jul 2018 11:28:41 GMT

Thanks for confirming, that's what I've already communicated to the customer.

I knew the sessionId could be the issue but I was not sure where it would be generated. I thought we could simply proxy the MAB request from the wired cluster to the guest cluster that would then generate a sessionId as well and return the corresponding redirect URL.