topic Re: ISE Portals in Network Access Control

ISE Portals

KevinR99 — Mon, 10 Oct 2022 16:00:29 GMT

Before I start describing my issues can someone conform I can do the following.

I want to enable 2 Guest portals on ISE but host them on different interfaces. So, for example, a sponsored portal for day to day visitors. I want to enable that on G1 which I have assigned an IP address to and on any port, let's say 8999. I then want to enable a second portal for trusted contractors on G2 and have them use the self registered portal. So I put an IP address on G2 and use port 8888. The ports are arbitrary. I then create 2 SSIDs and point them to ISE. Based on the Called-Station-ID I either send them to an authorization rule for the portal on G1 or the one on G2. The users will be in the same subnet as the portal they should go to so no routing issues. So is this a supported method? I don't see why it wouldn't be.

Usually I can get one portal working. Then as soon as I try to get the second one working I get all sorts of issues with redirection failing. Not sure if this is a valid troubleshooting step but when I go the the ISE CLI and look for ports 8999 and 8888 with "show ports" I sometimes see them attached to the wrong IP address. Sometimes I see the port attached to the Gig0 address. What I also noticed is when I first boot up the ISE and try to connect to a previously working portal it fails. If I then edit the portal and simply change its port it kicks into life.

The next issue I get is when I have a portal working I usually test with Windows and Android to start with. This works. However, when I try an iPhone or iPad redirection doesn't kick in. I have found a few references to issues with ISE3.1 and the Apple mini-browser but I tried workarounds such as adding some script to the optional content 2 area of the portal or by selecting Captive Portal bypass in the global parameter map of my Cat9800. Neither seem to work. So considering most of my Guests will be unknown devices and a great many of them will be Apple of some sort I can't roll this out until I get a stable working portal on all types of clients.

Any help would be greatly appreciated, Kev.

Re: ISE Portals

Arne Bier — Fri, 14 Oct 2022 05:39:02 GMT

Hi Kev,

By any chance, are you running the portal on a node that is also acting as the PAN? Or is this a dedicated PSN?

Re: ISE Portals

KevinR99 — Fri, 14 Oct 2022 09:23:19 GMT

Arne

This is a standalone node I am testing on.

Thanks, Kev.

Re: ISE Portals

poongarg — Fri, 14 Oct 2022 10:08:37 GMT

ISE allows you to enable different interfaces that will be only used for guest users traffic.

-The guest portal redirects to FQDN and configured port. Have you configured the FQDN per ip address on the ISE.

For CWA using a particular interface, please refer this: https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/cli_ref_guide/b_ise_CLIReferenceGuide_20/Cisco_ISE_CLI_Commands_in_Configuration_Mode.html#wp5773065010.

You need to configure the ip host [host alias/fqdn] command on ISE and then restart the ISE service to set the interface for CWA.

-Else try by replacing the FQDN with ip address in the browser while trying to access the portal.

-Make sure to map the correct certificate on the portal as well.

Re: ISE Portals

KevinR99 — Sun, 16 Oct 2022 10:44:49 GMT

Poongarg

Thank you for your reply. I have done all of the suggestions in your response. The main issue is that the portal fails to respond frequently. Usually on 1st boot but sometimes after changing portal settings. When I put a wired device on the same subnet and try to connect to telnet to the portal on its port the ISE rejects the connection with a tcp reset. All I need to do to get it to work is simply change the portal port and wait a few minutes.

The Apple issue I had has been resolved with a WLC upgrade but I can't find any bug related to the code I was using. To be honest I'm not spending more time on that. I have a working version with redirection happening correctly on all my devices apart from occasionally needing to change the portal port.

Kev.

Re: ISE Portals

KelvinT — Thu, 08 Dec 2022 16:34:58 GMT

Hello Kev,

Thanks for your post.

What version your WLC was on before the upgrade and what did you upgrade to that fixed it?

Thanks again Kev.

Re: ISE Portals

hslai — Sat, 10 Dec 2022 21:11:45 GMT

@KelvinT If WLC is 9800, possibly CSCvz93375, which affecting IOS-XE 17.6.1.

Re: ISE Portals

KevinR99 — Sun, 11 Dec 2022 09:29:05 GMT

Thanks for that. I was running 17.5.1 when I saw the problem and now run 17.7.1

That bug looks to be the problem.

I appreciate your input, Kev.