topic ISE CWA pre-authentication and post-authentication and Umbrella DNS in Network Access Control

ISE CWA pre-authentication and post-authentication and Umbrella DNS

drivera_ — Mon, 29 Apr 2019 18:56:20 GMT

Hello, guys

Right now I'm having an issue with a customer. He wants to point his DNS to umbrella but in a Guest Wireless. It sounds that it is easy to do, but the difficult situation I found is that the customer has to point to an internal server because of the internal CA when pre authentication occurs, and point to umbrella DNS when authentication is success. Because of it, we thought that making a change of vlan when post authentication it was a good idea, but we found that only Windows machines behaves good. It was not the same situation for Android and iOS. We considered mounting the umbrella virtual machine for doing this, but he has a license that does not support umbrella VM.

I will appreciate any help you can give me. Thank you in advance.

Re: ISE CWA pre-authentication and post-authentication and Umbrella DNS

Jason Kunst — Mon, 29 Apr 2019 19:32:17 GMT

Sounds just like this issue. Nothing to do with an internal CA, its that your ISE needs to resolve using internal DNS as its an internal service

https://community.cisco.com/t5/identity-services-engine-ise/ise-guest-dns/td-p/3734037

Re: ISE CWA pre-authentication and post-authentication and Umbrella DNS

drivera_ — Mon, 29 Apr 2019 20:16:59 GMT

Hi, Jason

Thank you for the answer. I had seen that post before but I'm a little confused because I'm not sure if it is the same issue I'm having, because our pre authetication portal is inside the customer network (obviously) and what we need is that when post authentication occurss, an endpoint have the umbrella for content filter. I hope you can understand me.

Re: ISE CWA pre-authentication and post-authentication and Umbrella DNS

Jason Kunst — Mon, 29 Apr 2019 21:10:17 GMT

You need to have the umbrella apply DND on pre and post authentication, it would need to resolve your internal service, you can’t switch VLANs. Seems to me to be the same thing. Did you check with umbrella?

Re: ISE CWA pre-authentication and post-authentication and Umbrella DNS

Rob Ingram — Mon, 29 Apr 2019 22:03:36 GMT

Hi,
Why not build a Linux server to act as a DNS server for the guest network, configure it to only resolve the ISE portal DNS addresses with a forwarder to Umbrella for all other DNS requests. Alternatively if you had an ISR4K router as the default gateway this can transparently intercept DNS requests and forward to Umbrella cloud

HTH

Re: ISE CWA pre-authentication and post-authentication and Umbrella DNS

drivera_ — Mon, 29 Apr 2019 23:59:56 GMT

Hi, guys

The thing is that when doing the pre authentication we have to resolve the web auth url from inside, because there is no a public DNS register for that url, and the customer does not want to give the web auth with the IP address, instead of that he wants the url to be resolved by DNS. And when doing the post authentication, it is necessary to get the umbrella DNS IP addresses.. We don't know how to do it. I hope you guys can understand me.

Re: ISE CWA pre-authentication and post-authentication and Umbrella DNS

Jason Kunst — Tue, 30 Apr 2019 10:33:17 GMT

You can’t switch DNS servers. This would require a change of VLAN which is not recommended as there is no mechanism for the client to change its IP without using dot1x

Again as suggested before. You will need to setup DNS to resolve ISE and to also proxy to umbrella. Or umbrella to resolve your internal ISE name

Have you reached out to them for a solution?

Re: ISE CWA pre-authentication and post-authentication and Umbrella DNS

drivera_ — Tue, 07 May 2019 00:32:40 GMT

Hi Jason,

Thank you for your answer again. Where can I configure that proxy? Is this configuration needs to be made in the L3 router on in the DNS server?. I think you are telling me to do something like this, aren't you? https://www.juniper.net/documentation/en_US/junos/topics/concept/dns-proxy-overview.html

Re: ISE CWA pre-authentication and post-authentication and Umbrella DNS

Jason Kunst — Tue, 21 May 2019 16:08:49 GMT

Sorry this is not a DNS forum. You would need to discuss overall architecture with umbrella folks.

Re: ISE CWA pre-authentication and post-authentication and Umbrella DNS

drivera_ — Tue, 21 May 2019 16:30:26 GMT

Hi Jason,

I know this is not a DNS forum, but as we all know, DNS is a very important topic in Umbrella. It's ok if you don't have the answer or if you don't want to waste your precious time here, but I think thare are better ways to respond. Thank you again.