topic In workaround 1, you can in Network Access Control

CSCus64320 - CWA Redirect uses IP instead of FQDN for non gig0 intf for guest portal

mstraessle — Mon, 11 Mar 2019 06:01:04 GMT

Hi Community

I walked around this bug, but was not able to find the real reason and solution for it. The setup is like this:

=== PRIMARY HOST:

Int Gig 0
ip addr 1.1.1.1/24

Int Gig 1
ip addr 2.2.2.2/24

FQDN: ise1-gig0.adm-abc.com

default Gateway 2.2.2.1

=== SECONDARY HOST

Int Gig 0
ip addr 1.1.1.2/24

Int Gig 1
ip addr 2.2.2.3/24

FQDN: ise2-gig0.adm-abc.com

default Gateway 2.2.2.1

The sync and management traffic is using gig 0 with cert using the FQDN's. Guest Portal is active in Int gig 1 with special certificates (SAN) for FQDN on Gig1 (ise1-gig1.abc.com and is-gig1.abc.com).

DNS is resolvable for both interfaces on both host's. So why should I use the ip-host?

Fact is in this setup (ISE 1.4 with Patch3), the redirect url for CWA is always sent using the ip address instead of the FQDN, which ends up in a certificate error.

I found two workaround, but both not make me happy:

Workaournd 1:
Use static FQDN in the redirect: ise1-gig1-abc.com
This wordks good as long as PRIMARY Host is available. If primary host is down, clients are redirected into a black-hole... 😞

Workaround 2:
Use IP Addresses in the SAN field. This would probably work, but the Certificate Authority does not allow me to do so... 😞

Any suggestions, or experiences with such a use-case? Many thanks for any help or input.

In workaround 1, you can

jan.nielsen — Tue, 01 Sep 2015 16:25:39 GMT

In workaround 1, you can create two authz rules for your redirect instead of just one, with different fqdn's in the authz result, one for each ise server. Then use the condition for the two different ise server names, which will be filled with either the primary or secondary, depending on which one received the radius request from your wireless controller.

Hi JanThis is a great idea. I

mstraessle — Tue, 01 Sep 2015 20:34:36 GMT

Hi Jan

This is a great idea. I will try next week and give feedback if it worked like this. But I think yes. Anyhow, it is still a workaround. What is the correct solution, if there is any?

I'm not sure if there is an

jan.nielsen — Tue, 01 Sep 2015 20:52:43 GMT

I'm not sure if there is an actual solution, if it's a bug then obviously the solution is for Cisco to fix it, in older versions of ise (pre-1.3) i did this with no problems, at one customer, so it has not always been like in 1.4, which might give credit to the bug theory. One thing i was thinking about. but I can't remember if there is an "interface" select menu for different ports, like there was in 1.2, if there is maybe that is how ISE gets confused as to which interface you want to use for guest.