topic Re: ISE CWA Using Non-Management Interface in Network Access Control

ISE CWA Using Non-Management Interface

Derron Carstensen — Sat, 18 Jun 2016 23:09:25 GMT

I have a dilemma I've run into that I am hoping the community can help with...

I have a customer design I'm working on that requires some ISE PSNs in the public-facing DMZ. Specifically to serve up the CWA page to wireless guest users that are coming from another site. The ISE servers reside virtually in the customer's datacenter. The guest users will be accessing the network from a WLC local to the site. The WLC will send it's RADIUS traffic back to PSN interfaces (let's say G0) via a L2L VPN tunnel to the datacenter server network.

For obvious reasons, we don't want the guest user traffic to traverse the L2L tunnel. The goal is to place some of the guest-serving ISE PSNs in a datacenter DMZ. They will have G0 in a DMZ VLAN that is accessible to the other ISE nodes for inter-ISE communication, while G1 interface will be placed in a DMZ VLAN accessible to the wifi guest users. The Wifi guest users will be coming over the internet and are source NATd.

Thus far everything seems to work except when I assign the CWA portal to G1 it sends the G1 private IP in the redirect URL. My question is this: Can the ISE PSNs/web portal be configured so it sends a custom FQDN for the guest portal? I would like to leverage public DNS and point the guests to the public IP of the ISE guest PSNs (which is then destination NATd for tcp/8443 to the guest G1 interface).

Or is there a way I can use a public IP on the G1 interface but still reside behind a F5 load balancer?

Or am I going about this all wrong and is this unsupported?

Huge TIA for any input/help!

Re: ISE CWA Using Non-Management Interface

gbekmezi-DD — Sun, 19 Jun 2016 02:27:06 GMT

If I understand your problem correctly this should resolve your issue: http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/cli_ref_guide/b_ise_CLIReferenceGuide_20/Cisco_ISE_CLI_Commands_in_Configuration_Mode.html#wp5773065010

ip host

To associate a host alias and fully qualified domain name (FQDN) string to an ethernet interface such as eth1, eth2, and eth3 other than eth0, use the ip hostcommand in global configuration mode.

When Cisco ISE processes an authorization profile redirect URL, it replaces the IP address with the FQDN of the Cisco ISE node.

ip host ipv4-address host-alias

To remove the association of host alias and FQDN, use the no form of this command.

no ip host ipv4-address host-alias

You should be able to configure the hostname via the CLI for G1 and then CWA should redirect by providing the correct fqdn.

George

Warning: I either dictated this to my device, or typed it with my thumbs. Erroneous words are a feature, not a typo.

Re: ISE CWA Using Non-Management Interface

Derron Carstensen — Sun, 19 Jun 2016 02:33:38 GMT

Yes that was exactly command/capability I was looking for.

Thank you very much George!

Re: ISE CWA Using Non-Management Interface

Jason Kunst — Mon, 20 Jun 2016 15:05:19 GMT

Not sure if this helps you out as well? ISE with Static Redirect for Isolated Guest Networks Configuration Example - Cisco

Re: ISE CWA Using Non-Management Interface

Derron Carstensen — Mon, 20 Jun 2016 16:54:39 GMT

It does Jason, thank you.

Ultimately I was looking for host-alias command as it maintains a scalable/flexible architecture. But my fallback was/is to resort to the static settings you reference.