topic Re: Guest access using a different domain in Network Access Control

Guest access using a different domain

dgaikwad — Fri, 29 Jan 2021 07:16:48 GMT

Hi Experts,

Setup:
Two node setup Primary and Secondary
Two domains, abc.com (internal, where AD resides) and xyz.com (public domain, where websites are hosted)

Issue:
Setup a guest portal using public domain certificates
Is this possible, can I have all guest portal using xyz.com. when nodes are running on abc.com?

Any suggestions appreciated!

Re: Guest access using a different domain

Karsten Iwen — Fri, 29 Jan 2021 08:01:42 GMT

That is not only possible, it is also the right way to do it. Your guests should never be presented an internal certificate.

Re: Guest access using a different domain

Arne Bier — Tue, 02 Feb 2021 20:42:33 GMT

Hi @dgaikwad

As @Karsten Iwen rightly mentioned, separate DNS domains are the way to do it.

Back in the day we may have recommended .local or .net as domains with which to build your ISE nodes - but these TLDs are now sold and should be avoided.

The current best practice is to use your registered domain, and put your servers in a sub-domain. e.g. you might own acme.com and your guest portal might end up being guest.acme.com, whose IP address resolves to a load balancer perhaps. But the ISE PSN nodes on which the ISE Guest portals resides have DNS domains e.g. it.acme.com - and if you had say two PSN's doing guest, and if you didn't have a load balancer, then your ISE Policy results would have to return the FQDNs of the two PSNs - guest1.acme.com and guest2.acme.com - notice that I didn't use it.acme.com because that is the internal DNS domain of the ISE nodes (as seen on the CLI and on the https admin URL). The trick is to use DNS CNAMEs to link guest1.acme.com -> ise01.it.acme.com and guest2.acme.com -> ise02.it.acme.com - the Guest portal certificate only mentions either *.acme.com or the guest1.acme.com and guest2.acme.com