topic Re: Can we use different interface(non-management interface) on ISE for web-logon portal in Network Access Control

Can we use different interface(non-management interface) on ISE for web-logon portal

lnorman — Wed, 29 Mar 2017 17:19:12 GMT

Can we use different interface(non-management interface) on ISE for web-logon portal?

Customer is now setting up ISE2.2 for their environment (for dot1x / Webauth with switches)… .. They are using single IP-address ( management VLAN) -which is not accessible from user vlan.

They would like to set up web-auth in their environment and wants to know if they could use a different interface in ISE (in User VLAN subnet) to terminate web-auth portal requests instead of using management IP for web-auth.

I believe they could do following steps.. Can you please let me know if this will work?

1) Configure different interface in USER VLAN Subnet

a. If Gig0 Management VLAN

b. Gig1 USER VLAN

2) Configure Redirect

If MAB fails ISE will send access-accept with following information to NAD. Use the Gig1 IP / Port number in this response

https://ip:port/guestportal/gateway?sessionId=NetworkSessionId&portal=<PortalID>&action=cwa.

Page 539/1236- admin guide http://www1.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22.pdf

This MAB failure resolves to the restricted network profile and returns the url-redirect value in the profile to the NAD in an access-accept. To support this function, ensure that an authorization policy exists and features the appropriate wired or wireless MAB (under compound conditions) and, optionally, “Session:Posture Status=Unknown” conditions. The NAD uses this value to redirect all guest HTTPS traffic on the default port 8443 to the url-redirect value. The standard URL value in this case is: https://ip:port/guestportal/gateway?sessionId=NetworkSessionId&portal=<PortalID>&action=cwa.

3) Configure the “allowed interfaces” in “Portal settings” page to “Gig1”

From the admin guide it appears like we can set up

http://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_011100.html

Re: Can we use different interface(non-management interface) on ISE for web-logon portal

Jason Kunst — Wed, 29 Mar 2017 17:39:13 GMT

Under portal settings for guest (web auth) portal you simply change the port/interface that its running on.

Check this out

http://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_01110.html#ID1496

Step 5

Update the default values for ports, Ethernet interfaces, certificate group tags, endpoint identity groups, and so on in Portal Settings, and define behavior that applies to the overall portal.

This maybe an interface sitting in your DMZ, the interface needs to be accessible to your guest or employees using web auth, it doesn’t need to be in the same network.

You don’t need to manually configure the redirect, its automatic, you can check the wireless guest setup guide for the basics on how it works

https://communities.cisco.com/docs/DOC-68169

Unless you have special configuration, you need static mapping

http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/117620-configure-ISE-00.html

Re: Can we use different interface(non-management interface) on ISE for web-logon portal

Craig Hyps — Wed, 29 Mar 2017 23:16:13 GMT

You will also need to setup an alias (ip host) on the CLI so that the returned redirect sends FQDN specific to secondary interface. Certs will need to have the FQDN assigned to interface in its SAN, else use wildcard, if sharing certs across PSNs. Also need to config default routing to ensure symmetric traffic flows.

I cover use of secondary interfaces in Cisco Live BRKSEC-3699 session (the reference presentation). May want to look at version from 2016 as I started to clean out some content in 2017.

Craig