https://community.cisco.com/t5/network-access-control/cisco-ise-cwa-guest-access-with-sponsor-portal/m-p/4095104#M560783 <P>Dear Collegues,</P><P>I experiencing very strange situation. First of all, I have 2xISE 2.6 in HA:</P><P><IMG src="https://daveonsecurity.files.wordpress.com/2016/08/cisco-ise-two-node-deployment.png?w=640" border="0" alt="Upgrading Cisco ISE 2.0 to 2.1 in Two-Node Deployment – Dave On ..." /></P><P>I implemented Guest Portal with Sponsor Portal where, Sponsors create account for guest, then guest has limited access to network. Everything working good only where:</P><P>1. In Authorization profile I use static IP mapping for one PSN or FQDN of Guest Portal (where DNS server has only one record A mapping to PSN)</P><P><IMG src="https://integratingit.files.wordpress.com/2020/01/011920_1621_iseguestacc4.png" border="0" /></P><P>&nbsp;</P><P>Please be aware that above screenshot is from official cisco documentation. In my scenerio I have set value: Guest Portal (not Self-Registered Portal)</P><P>&nbsp;</P><P>2. In WLC I have set only one Radius Auth/Acc:</P><P><IMG src="https://wrmem.net/wp-content/uploads/2018/09/Screen-Shot-2018-09-10-at-5.42.29-PM.png" border="0" /></P><P>&nbsp;</P><P>For above configuration (Rest of all configuration I skip because it has not impact for my problem) as I said everything workig good.&nbsp;</P><P>Problem appear where:</P><P>I set in WLC for section AAA Server second PSN and where I set second PSN address IP (record A in DNS Server) for FQDN Guest Portal.</P><P>I think that problem is related with SessionID when ISE transfer authorization profile to guest.</P><P>Guest send request to DNS, and DNS return other IP address of PSN which transfer authorization profile before. So guest trying to reach Guest Portal on PSN which not know about this session.</P><P>How can I resolve the problem ?&nbsp;</P><P>Is it possible to configure Guest Portal where I have 2 PSN ? Or I need LB (for example F5) ?</P><P>&nbsp;</P> Sun, 31 May 2020 14:54:27 GMT mikiNet 2020-05-31T14:54:27Z https://community.cisco.com/t5/network-access-control/cisco-ise-cwa-guest-access-with-sponsor-portal/m-p/4095104#M560783 <P>Dear Collegues,</P><P>I experiencing very strange situation. First of all, I have 2xISE 2.6 in HA:</P><P><IMG src="https://daveonsecurity.files.wordpress.com/2016/08/cisco-ise-two-node-deployment.png?w=640" border="0" alt="Upgrading Cisco ISE 2.0 to 2.1 in Two-Node Deployment – Dave On ..." /></P><P>I implemented Guest Portal with Sponsor Portal where, Sponsors create account for guest, then guest has limited access to network. Everything working good only where:</P><P>1. In Authorization profile I use static IP mapping for one PSN or FQDN of Guest Portal (where DNS server has only one record A mapping to PSN)</P><P><IMG src="https://integratingit.files.wordpress.com/2020/01/011920_1621_iseguestacc4.png" border="0" /></P><P>&nbsp;</P><P>Please be aware that above screenshot is from official cisco documentation. In my scenerio I have set value: Guest Portal (not Self-Registered Portal)</P><P>&nbsp;</P><P>2. In WLC I have set only one Radius Auth/Acc:</P><P><IMG src="https://wrmem.net/wp-content/uploads/2018/09/Screen-Shot-2018-09-10-at-5.42.29-PM.png" border="0" /></P><P>&nbsp;</P><P>For above configuration (Rest of all configuration I skip because it has not impact for my problem) as I said everything workig good.&nbsp;</P><P>Problem appear where:</P><P>I set in WLC for section AAA Server second PSN and where I set second PSN address IP (record A in DNS Server) for FQDN Guest Portal.</P><P>I think that problem is related with SessionID when ISE transfer authorization profile to guest.</P><P>Guest send request to DNS, and DNS return other IP address of PSN which transfer authorization profile before. So guest trying to reach Guest Portal on PSN which not know about this session.</P><P>How can I resolve the problem ?&nbsp;</P><P>Is it possible to configure Guest Portal where I have 2 PSN ? Or I need LB (for example F5) ?</P><P>&nbsp;</P> Sun, 31 May 2020 14:54:27 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-cwa-guest-access-with-sponsor-portal/m-p/4095104#M560783 mikiNet 2020-05-31T14:54:27Z https://community.cisco.com/t5/network-access-control/cisco-ise-cwa-guest-access-with-sponsor-portal/m-p/4095119#M560786 Hi,<BR />You need to associate the Guest portal with the PSN that authenticated the session, normally in this situation a load balancer would be recommended. You can achieve this without a LB by creating multiple authorisation profiles/rules for each PSN.<BR /><BR />- Create 2 Guest FQDNs for each PSN<BR />- Create 2 authorisation profiles, in the frist profile reference the PSN1 FQDN and in the other reference the PSN2 FQDN<BR />- Create 2 authoration rules, match on condition "Network Access ISE Host Name EQUALS &lt;PSN1&gt;" and reference the PSN1 authorisation profile. Create a second authorisation rule, match on condition match on condition "Network Access ISE Host Name EQUALS &lt;PSN2&gt;" and reference the PSN2 authorisation profile.<BR /><BR />HTH Sun, 31 May 2020 16:21:26 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-cwa-guest-access-with-sponsor-portal/m-p/4095119#M560786 Rob Ingram 2020-05-31T16:21:26Z https://community.cisco.com/t5/network-access-control/cisco-ise-cwa-guest-access-with-sponsor-portal/m-p/4095154#M560788 <P>Thanks Rob!! About "<SPAN>Create 2 Guest FQDNs for each PSN" - is it related to create two Guest Portal ? Additionaly, if I must create two DNS record A ? One for PSN1 and other to PSN2 ?&nbsp;</SPAN></P> Sun, 31 May 2020 18:39:23 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-cwa-guest-access-with-sponsor-portal/m-p/4095154#M560788 mikiNet 2020-05-31T18:39:23Z