https://community.cisco.com/t5/network-access-control/ise-guest-with-opendns/m-p/3429676#M539004 <HTML><HEAD></HEAD><BODY><P>or possibly the Internet Firewall can inspect client DNS requests and intercept.</P><P></P><P>Thanks George.</P></BODY></HTML> Thu, 28 Apr 2016 19:41:56 GMT joshhunter 2016-04-28T19:41:56Z https://community.cisco.com/t5/network-access-control/ise-guest-with-opendns/m-p/3429670#M538998 <HTML><HEAD></HEAD><BODY><P style="text-align: left;">Hello, is anyone using OpenDNS for their DNS as Guest content filtering with ISE?</P><P style="text-align: left;"></P><P style="text-align: left;">The only problem I envisage is that we want to use a wildcard certificate to prevent certificate warning in browsers.</P><P style="text-align: left;">So this means users need to resolve the DNS name of ISE guest portal to the internal IP as part of the re-direct process.</P></BODY></HTML> Thu, 28 Apr 2016 12:51:37 GMT https://community.cisco.com/t5/network-access-control/ise-guest-with-opendns/m-p/3429670#M538998 joshhunter 2016-04-28T12:51:37Z https://community.cisco.com/t5/network-access-control/ise-guest-with-opendns/m-p/3429671#M538999 <HTML><HEAD></HEAD><BODY><P>Is there a reason you don't want to publish the ISE guest portal A record to external DNS?&nbsp; </P></BODY></HTML> Thu, 28 Apr 2016 15:48:53 GMT https://community.cisco.com/t5/network-access-control/ise-guest-with-opendns/m-p/3429671#M538999 gbekmezi-DD 2016-04-28T15:48:53Z https://community.cisco.com/t5/network-access-control/ise-guest-with-opendns/m-p/3429672#M539000 <HTML><HEAD></HEAD><BODY><P>Hi George, I have had a look at OpenDNS free package and there does not appear to be a way to add an A record.</P><P>Have you any information on this?</P><P></P><P>I want the benefits of content filtering the guest using OpenDNS but for the ability to resolve the ISE Guest Portal IP.</P></BODY></HTML> Thu, 28 Apr 2016 15:59:29 GMT https://community.cisco.com/t5/network-access-control/ise-guest-with-opendns/m-p/3429672#M539000 joshhunter 2016-04-28T15:59:29Z https://community.cisco.com/t5/network-access-control/ise-guest-with-opendns/m-p/3429673#M539001 <HTML><HEAD></HEAD><BODY><P>You still have to publish DNS records using whatever method your organization or your customer's organization does for other records.&nbsp; For example, if my domain is bekmezian.com I go to my DNS configuration (for me it's WebKor) and I add a record for guest.bekmezian.com.&nbsp; Nothing to do in OpenDNS except for ensure you don't Block internal IP addresses (screenshot attached):</P><P></P><P><IMG alt="" class="image-1 jive-image" src="https://community.cisco.com/legacyfs/online/fusion/94937_pastedImage_0.png" style="max-width: 1200px; max-height: 900px;" /></P></BODY></HTML> Thu, 28 Apr 2016 16:48:39 GMT https://community.cisco.com/t5/network-access-control/ise-guest-with-opendns/m-p/3429673#M539001 gbekmezi-DD 2016-04-28T16:48:39Z https://community.cisco.com/t5/network-access-control/ise-guest-with-opendns/m-p/3429674#M539002 <HTML><HEAD></HEAD><BODY><P>Hi George, Are you suggesting you add an 'A record' that maps to a private ip on a public DNS?</P><P></P><P>So, lets say for example I own the domain of <STRONG>isecold.com</STRONG> and I have a wildcard certificate that is allows for <STRONG>*.isecold.com</STRONG></P><P>I would then add a public DNS entry for example for <STRONG>guest.isecold.com</STRONG> to my private IP address (ISE Guest Portal IP).</P><P><SPAN style="font-size: 10pt; line-height: 1.5em;"><BR /></SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;">That way my guests can still use opendns and resolve </SPAN><STRONG style="font-size: 10pt; line-height: 1.5em;">guest.isecold.com</STRONG><SPAN style="font-size: 10pt; line-height: 1.5em;"> and SSL certicate would work.</SPAN></P><P></P><P>The only thing that may prevent this is if my Domain/DNS provider would not allow a private IP. </P><P>I've read a few different forums with many suggesting this is bad practice even if you provider does allow it.</P><P></P><P>Thanks</P></BODY></HTML> Thu, 28 Apr 2016 19:10:20 GMT https://community.cisco.com/t5/network-access-control/ise-guest-with-opendns/m-p/3429674#M539002 joshhunter 2016-04-28T19:10:20Z https://community.cisco.com/t5/network-access-control/ise-guest-with-opendns/m-p/3429675#M539003 <HTML><HEAD></HEAD><BODY><P>That's exactly what I am suggesting Josh.&nbsp; If you know what you are doing and why you are doing it, then you are free to bend rules.&nbsp; If the requirement is "point my guests to opendns" then that is your only option.&nbsp; The other option you could consider is having your guests point to a DNS forwarder in your own network.&nbsp; Then your DNS server could resolve your own domain locally while forwarding all other requests to opendns' name servers.</P><P></P><P>George</P></BODY></HTML> Thu, 28 Apr 2016 19:36:09 GMT https://community.cisco.com/t5/network-access-control/ise-guest-with-opendns/m-p/3429675#M539003 gbekmezi-DD 2016-04-28T19:36:09Z https://community.cisco.com/t5/network-access-control/ise-guest-with-opendns/m-p/3429676#M539004 <HTML><HEAD></HEAD><BODY><P>or possibly the Internet Firewall can inspect client DNS requests and intercept.</P><P></P><P>Thanks George.</P></BODY></HTML> Thu, 28 Apr 2016 19:41:56 GMT https://community.cisco.com/t5/network-access-control/ise-guest-with-opendns/m-p/3429676#M539004 joshhunter 2016-04-28T19:41:56Z https://community.cisco.com/t5/network-access-control/ise-guest-with-opendns/m-p/3429677#M539005 <HTML><HEAD></HEAD><BODY><P>Worked perfectly George as you suggested.</P><P>Thanks</P></BODY></HTML> Tue, 03 May 2016 23:15:37 GMT https://community.cisco.com/t5/network-access-control/ise-guest-with-opendns/m-p/3429677#M539005 joshhunter 2016-05-03T23:15:37Z