<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Allow ISE captive portal DNS entry on outside DNS. in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/allow-ise-captive-portal-dns-entry-on-outside-dns/m-p/4955937#M585073</link>
    <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;We have ISE for EAP/TACACS authentication, hosted internally in our datacenter.&lt;/P&gt;&lt;P&gt;Now we have configured a BYOD captive portal that is tied to AZURE SAML authentication; the current captive portal redirect URL from ISE has the node name of the ISE server prepended within the URL. However, our requirement is to use external DNS servers for this particular scenario, in which the&amp;nbsp;captive portal URL resolves to an internal IP via the external DNS server, and the captive portal will use a different hostname and domain name. I would like to know what steps we need to follow to achieve this goal.&lt;/P&gt;</description>
    <pubDate>Wed, 08 Nov 2023 18:19:56 GMT</pubDate>
    <dc:creator>kshah2589</dc:creator>
    <dc:date>2023-11-08T18:19:56Z</dc:date>
    <item>
      <title>Allow ISE captive portal DNS entry on outside DNS.</title>
      <link>https://community.cisco.com/t5/network-access-control/allow-ise-captive-portal-dns-entry-on-outside-dns/m-p/4955937#M585073</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;We have ISE for EAP/TACACS authentication, hosted internally in our datacenter.&lt;/P&gt;&lt;P&gt;Now we have configured a BYOD captive portal that is tied to AZURE SAML authentication; the current captive portal redirect URL from ISE has the node name of the ISE server prepended within the URL. However, our requirement is to use external DNS servers for this particular scenario, in which the&amp;nbsp;captive portal URL resolves to an internal IP via the external DNS server, and the captive portal will use a different hostname and domain name. I would like to know what steps we need to follow to achieve this goal.&lt;/P&gt;</description>
      <pubDate>Wed, 08 Nov 2023 18:19:56 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/allow-ise-captive-portal-dns-entry-on-outside-dns/m-p/4955937#M585073</guid>
      <dc:creator>kshah2589</dc:creator>
      <dc:date>2023-11-08T18:19:56Z</dc:date>
    </item>
    <item>
      <title>Re: Allow ISE captive portal DNS entry on outside DNS.</title>
      <link>https://community.cisco.com/t5/network-access-control/allow-ise-captive-portal-dns-entry-on-outside-dns/m-p/4956006#M585075</link>
      <description>&lt;P&gt;Hello&amp;nbsp;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1586517"&gt;@kshah2589&lt;/a&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;It's permitted to assign a private IPv4 address (which I assume you're using on your ISE Eth interfaces) to a public DNS A record.&lt;/P&gt;
&lt;P&gt;I assume your BYOD clients are also getting a private IPv4 address when on-prem?&lt;/P&gt;
&lt;P&gt;If so, then this allows the DNS A record to be in the public DNS domain, and when resolved, allows the client to establish the TCP connection to the ISE's web server.&lt;/P&gt;
&lt;P&gt;The ISE Authorization Profile for the portal redirection should then set your desired static FQDN instead of using the FQDN assigned to the node when it was built.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 08 Nov 2023 20:00:26 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/allow-ise-captive-portal-dns-entry-on-outside-dns/m-p/4956006#M585075</guid>
      <dc:creator>Arne Bier</dc:creator>
      <dc:date>2023-11-08T20:00:26Z</dc:date>
    </item>
    <item>
      <title>Re: Allow ISE captive portal DNS entry on outside DNS.</title>
      <link>https://community.cisco.com/t5/network-access-control/allow-ise-captive-portal-dns-entry-on-outside-dns/m-p/4956055#M585078</link>
      <description>&lt;P&gt;Thanks, Arne Bier, for your suggestion.&lt;/P&gt;&lt;P&gt;1). We have assigned private IP addresses from the 10.x.x.x range to our ISE nodes. We also have a separate VLAN for BYOD devices, which uses private IP addresses from the 10.x.x.x range when they connect to the SSID on-prem.&amp;nbsp;&lt;/P&gt;&lt;P&gt;2). Do you want me to set the desired FQDN as below in the authorization profile? Am I correct?&lt;/P&gt;&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kshah2589_0-1699478679682.png" style="width: 400px;"&gt;&lt;img src="https://community.cisco.com/t5/image/serverpage/image-id/201967i185C41FDCEC5742D/image-size/medium?v=v2&amp;amp;px=400" role="button" title="kshah2589_0-1699478679682.png" alt="kshah2589_0-1699478679682.png" /&gt;&lt;/span&gt;&lt;/P&gt;&lt;P&gt;3). We have 2 ISE nodes in our environment, Primary/Secondary, and want to make sure whether we need to make any additional changes once we put in the static FQDN. Also, the FQDN&amp;nbsp;will be resolved to which IP addresses [Primary, Secondary, Both] by DNS?&lt;/P&gt;&lt;P&gt;4). Currently, the user has to manually trust the cert because we are using a self-signed certificate, but in future we want to use a public cert issued by a certificate authority so users don't have to manually trust the cert. What details should we include when creating the Certificate Signing Request: the static FQDN or both ISE node names?&lt;/P&gt;&lt;P&gt;Let me know if you have any additional suggestions.&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;&lt;P&gt;Kunal&lt;/P&gt;</description>
      <pubDate>Wed, 08 Nov 2023 21:42:29 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/allow-ise-captive-portal-dns-entry-on-outside-dns/m-p/4956055#M585078</guid>
      <dc:creator>kshah2589</dc:creator>
      <dc:date>2023-11-08T21:42:29Z</dc:date>
    </item>
    <item>
      <title>Re: Allow ISE captive portal DNS entry on outside DNS.</title>
      <link>https://community.cisco.com/t5/network-access-control/allow-ise-captive-portal-dns-entry-on-outside-dns/m-p/4956073#M585079</link>
      <description>&lt;P&gt;Yes - you set the static FQDN where you indicated. ISE will then insert that FQDN in the https URL redirection string.&lt;/P&gt;
&lt;P&gt;Which brings us to your HA question. The solution is surprisingly simple (it's been discussed a few times in the Community with screenshots too). You will need two Result Authorization Profiles:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;AuthZ_1 = where the Static FQDN is portal1.mycompany.com&lt;/LI&gt;
&lt;LI&gt;AuthZ_2 = where the Static FQDN is portal2.mycompany.com&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;In the RADIUS Policy Set, during MAB Authorization, you have two Rules - each one checks the ISE Hostname and then returns the corresponding AuthZ above.&lt;/P&gt;
&lt;P&gt;Let's assume your ISE nodes are called&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;ise1.network.local&lt;/LI&gt;
&lt;LI&gt;ise2.network.local&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;then the Authorization Rule would check for Hostname EQUALS "ise1" then return AuthZ_1, etc.&lt;/P&gt;
&lt;P&gt;Of course, to avoid browser certificate warnings, the Portal certificate must be one of either:&lt;/P&gt;
&lt;P&gt;Wildcard cert (*.mycompany.com in the Subject Alternative Name) or a multi-SAN cert that contains&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;DNS SAN 1 =&amp;nbsp; portal1.mycompany.com&lt;/LI&gt;
&lt;LI&gt;DNS SAN 2 = portal2.mycompany.com&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;The multi-SAN certs are typically more reasonably priced than wildcard certs. But if you already have a wildcard cert, then you can use that.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 08 Nov 2023 22:30:40 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/allow-ise-captive-portal-dns-entry-on-outside-dns/m-p/4956073#M585079</guid>
      <dc:creator>Arne Bier</dc:creator>
      <dc:date>2023-11-08T22:30:40Z</dc:date>
    </item>
    <item>
      <title>Re: Allow ISE captive portal DNS entry on outside DNS.</title>
      <link>https://community.cisco.com/t5/network-access-control/allow-ise-captive-portal-dns-entry-on-outside-dns/m-p/4956481#M585092</link>
      <description>&lt;P&gt;Thank you for the detailed explanation; I really appreciate your help.&lt;/P&gt;&lt;P&gt;1). We are looking for a single captive portal URL instead of two, which resolves to ise1 for our east coast users and to ise2 for our west coast users, and in case ise1 is not available it falls back to ise2 and vice versa. Is that possible?&lt;/P&gt;&lt;P&gt;2). You did mention a solution discussed in the community; do you have a reference where I can look at those screenshots?&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;&lt;P&gt;Kunal&lt;/P&gt;</description>
      <pubDate>Thu, 09 Nov 2023 15:16:49 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/allow-ise-captive-portal-dns-entry-on-outside-dns/m-p/4956481#M585092</guid>
      <dc:creator>kshah2589</dc:creator>
      <dc:date>2023-11-09T15:16:49Z</dc:date>
    </item>
    <item>
      <title>Re: Allow ISE captive portal DNS entry on outside DNS.</title>
      <link>https://community.cisco.com/t5/network-access-control/allow-ise-captive-portal-dns-entry-on-outside-dns/m-p/4956786#M585101</link>
      <description>&lt;P&gt;Hi Kunal,&lt;/P&gt;
&lt;P&gt;You will still have a single captive portal. What I am describing with the two Results Profiles and AuthZ Rules is simply to let the right ISE node return its own Portal URL. If you don't do it like this, then you have to use a load balancer, and send the WLC's RADIUS traffic to the load balancer, and not to ISE1 &amp;amp; ISE2.&amp;nbsp; I assume a load balancer is out of the question for you?&lt;/P&gt;
&lt;P&gt;Remember that ISE RADIUS servers do not provide any redundancy on their own, since that is not their responsibility. ISE nodes (or PSNs - Policy Service Nodes) all get the same RADIUS Policy Set programming - so they are identical from that perspective. They only differ in their hostnames (as seen on the ISE CLI - e.g. ise1.company.internal and ise2.company.internal).&lt;/P&gt;
&lt;P&gt;The HA responsibility is on the NAS/NAD. So the WLC will have Primary RADIUS and Secondary RADIUS IPs configured. That's it.&lt;/P&gt;
&lt;P&gt;And with my explanation in the previous post, each ISE node that the WLC hits will cause the correct ISE node to return its own URL to the client. Because that is what clients need - they only care about the final URL and then build a TCP connection. You can't build a TCP connection to an ISE node that is not expecting it - each session creates a unique URL.&lt;/P&gt;
&lt;P&gt;I can't find many of my early postings in this Community. I grabbed this from the lab. This is a guest portal, but the same logic applies to other portal types involving redirection.&lt;/P&gt;
&lt;P&gt;Create two Authorization Profiles - take note of the static FQDN&lt;/P&gt;
&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ArneBier_0-1699584980652.png" style="width: 999px;"&gt;&lt;img src="https://community.cisco.com/t5/image/serverpage/image-id/202102i4F197D47E34DE1BD/image-size/large?v=v2&amp;amp;px=999" role="button" title="ArneBier_0-1699584980652.png" alt="ArneBier_0-1699584980652.png" /&gt;&lt;/span&gt;&lt;/P&gt;
&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ArneBier_1-1699585055870.png" style="width: 999px;"&gt;&lt;img src="https://community.cisco.com/t5/image/serverpage/image-id/202103iAD70284A337F7BCB/image-size/large?v=v2&amp;amp;px=999" role="button" title="ArneBier_1-1699585055870.png" alt="ArneBier_1-1699585055870.png" /&gt;&lt;/span&gt;&lt;/P&gt;
&lt;P&gt;Then create the Authorization in the MAB Policy Set&lt;/P&gt;
&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ArneBier_2-1699585139321.png" style="width: 999px;"&gt;&lt;img src="https://community.cisco.com/t5/image/serverpage/image-id/202104i9B359674314DD75C/image-size/large?v=v2&amp;amp;px=999" role="button" title="ArneBier_2-1699585139321.png" alt="ArneBier_2-1699585139321.png" /&gt;&lt;/span&gt;&lt;/P&gt;
</description>
      <pubDate>Fri, 10 Nov 2023 03:00:03 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/allow-ise-captive-portal-dns-entry-on-outside-dns/m-p/4956786#M585101</guid>
      <dc:creator>Arne Bier</dc:creator>
      <dc:date>2023-11-10T03:00:03Z</dc:date>
    </item>
    <item>
      <title>Re: Allow ISE captive portal DNS entry on outside DNS.</title>
      <link>https://community.cisco.com/t5/network-access-control/allow-ise-captive-portal-dns-entry-on-outside-dns/m-p/4957094#M585115</link>
      <description>&lt;P&gt;Thank you so much Arne Bier for sharing the screenshots and detailed explanation.&lt;/P&gt;&lt;P&gt;1). We don't have a load balancer in our environment, so we will follow the steps you described in the post. Also, we need to create two public DNS records, one for each FQDN, like&amp;nbsp;&lt;SPAN&gt;portal1.mycompany.com - 10.x.x.1 and&amp;nbsp;portal2.mycompany.com - 10.x.x.2, am I correct?&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Regards,&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Kunal&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Fri, 10 Nov 2023 17:38:41 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/allow-ise-captive-portal-dns-entry-on-outside-dns/m-p/4957094#M585115</guid>
      <dc:creator>kshah2589</dc:creator>
      <dc:date>2023-11-10T17:38:41Z</dc:date>
    </item>
    <item>
      <title>Re: Allow ISE captive portal DNS entry on outside DNS.</title>
      <link>https://community.cisco.com/t5/network-access-control/allow-ise-captive-portal-dns-entry-on-outside-dns/m-p/4957143#M585119</link>
      <description>Yes. And what about your portal certificate? What does the Subject Common Name and Subject Alternative Names contain?&lt;BR /&gt;</description>
      <pubDate>Fri, 10 Nov 2023 20:04:50 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/allow-ise-captive-portal-dns-entry-on-outside-dns/m-p/4957143#M585119</guid>
      <dc:creator>Arne Bier</dc:creator>
      <dc:date>2023-11-10T20:04:50Z</dc:date>
    </item>
    <item>
      <title>Re: Allow ISE captive portal DNS entry on outside DNS.</title>
      <link>https://community.cisco.com/t5/network-access-control/allow-ise-captive-portal-dns-entry-on-outside-dns/m-p/4957153#M585120</link>
      <description>&lt;P&gt;Thanks for the quick reply.&lt;/P&gt;&lt;P&gt;1). Most probably we will generate a single CSR that contains both nodes with the following subject alternative names.&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;DNS SAN 1 = portal1.mycompany.com&lt;/LI&gt;&lt;LI&gt;DNS SAN 2 = portal2.mycompany.com&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;I am still not sure about the subject common name; what's your recommendation?&lt;/P&gt;&lt;P&gt;2).&amp;nbsp;I was researching the certificate topic; the document mentioned a group tag for portal use. What's that, and what else do we need to keep in mind to set it up correctly to avoid browser certificate errors?&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;&lt;P&gt;Kunal Shah&lt;/P&gt;</description>
      <pubDate>Fri, 10 Nov 2023 20:44:48 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/allow-ise-captive-portal-dns-entry-on-outside-dns/m-p/4957153#M585120</guid>
      <dc:creator>kshah2589</dc:creator>
      <dc:date>2023-11-10T20:44:48Z</dc:date>
    </item>
    <item>
      <title>Re: Allow ISE captive portal DNS entry on outside DNS.</title>
      <link>https://community.cisco.com/t5/network-access-control/allow-ise-captive-portal-dns-entry-on-outside-dns/m-p/4957173#M585121</link>
      <description>&lt;P&gt;One CSR for both nodes is fine. For the Subject you can put pretty much anything you like because the presence of SAN DNS overrides the Subject CN. I would simply make Subject CN = portal.mycompany.com&lt;/P&gt;
&lt;P&gt;When you create a CSR for a Portal, ISE wants you to choose a label/tag for this cert - so that later on, when you create your portal, you can select that tag in the Portal config. You can have many portals with different certificates - just give it a name like "BYOD Portal" or something that relates to the certificate's function.&lt;/P&gt;
&lt;P&gt;I'm pretty sure that when you select both ISE nodes in the CSR creation process, the output will be a single CSR file that you give to the public CA to sign. If you should mess up the CSR part, it doesn't matter - you can delete it and try again. After submitting to the CA, you should get back a single certificate that contains both SAN entries. The cert will be identical on both nodes. I think ISE takes care to copy the cert to both nodes during the bind. I don't recall; it's been a while since I did a multi-node CSR. I tend to always make it for one node only.&amp;nbsp; In the worst case, create it for one ISE node, and then export that cert with the private key, and import it into ISE node 2.&amp;nbsp; But I don't think it will come to that.&lt;/P&gt;</description>
      <pubDate>Fri, 10 Nov 2023 22:15:45 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/allow-ise-captive-portal-dns-entry-on-outside-dns/m-p/4957173#M585121</guid>
      <dc:creator>Arne Bier</dc:creator>
      <dc:date>2023-11-10T22:15:45Z</dc:date>
    </item>
    <item>
      <title>Re: Allow ISE captive portal DNS entry on outside DNS.</title>
      <link>https://community.cisco.com/t5/network-access-control/allow-ise-captive-portal-dns-entry-on-outside-dns/m-p/4957570#M585139</link>
      <description>&lt;P&gt;Thank you so much for taking the time to explain the entire process. We will follow all the instructions as we discussed and will let you know if we need any further assistance.&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;&lt;P&gt;Kunal&lt;/P&gt;</description>
      <pubDate>Sun, 12 Nov 2023 17:17:19 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/allow-ise-captive-portal-dns-entry-on-outside-dns/m-p/4957570#M585139</guid>
      <dc:creator>kshah2589</dc:creator>
      <dc:date>2023-11-12T17:17:19Z</dc:date>
    </item>
    <item>
      <title>Re: Allow ISE captive portal DNS entry on outside DNS.</title>
      <link>https://community.cisco.com/t5/network-access-control/allow-ise-captive-portal-dns-entry-on-outside-dns/m-p/4960151#M585229</link>
      <description>&lt;P&gt;Hello Arne Bier,&lt;/P&gt;&lt;P&gt;I am getting a warning message when putting in the CN value as well as both SAN values:&amp;nbsp;&lt;SPAN&gt;Certificate contains non resolvable Common Name / SAN Values 'portal.mycompany.com'. Please confirm still you want to proceed.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Should I proceed with that?&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 15 Nov 2023 20:38:22 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/allow-ise-captive-portal-dns-entry-on-outside-dns/m-p/4960151#M585229</guid>
      <dc:creator>kshah2589</dc:creator>
      <dc:date>2023-11-15T20:38:22Z</dc:date>
    </item>
    <item>
      <title>Re: Allow ISE captive portal DNS entry on outside DNS.</title>
      <link>https://community.cisco.com/t5/network-access-control/allow-ise-captive-portal-dns-entry-on-outside-dns/m-p/4960186#M585231</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1586517"&gt;@kshah2589&lt;/a&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Yeah - that would have been useful if there was no SAN entry. But since there is a SAN, you're good. Anyway, web browsers always check to see if a SAN entry is available. &lt;A href="https://security.stackexchange.com/questions/175786/is-it-required-to-have-the-same-domain-name-and-common-name-for-ssl-certificate" target="_self"&gt;If not, then they compare the FQDN to the Subject CN&lt;/A&gt;.&lt;/P&gt;
&lt;P&gt;I don't think ISE should have this check, because you can legitimately create a CSR for an FQDN that you are still in the process of creating - e.g. you might be forced to create the CSR before you had a chance to create the DNS entry.&lt;/P&gt;
&lt;P&gt;ISE wants to be helpful - but IMHO it just causes unnecessary doubt.&lt;/P&gt;</description>
      <pubDate>Wed, 15 Nov 2023 22:14:43 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/allow-ise-captive-portal-dns-entry-on-outside-dns/m-p/4960186#M585231</guid>
      <dc:creator>Arne Bier</dc:creator>
      <dc:date>2023-11-15T22:14:43Z</dc:date>
    </item>
    <item>
      <title>Re: Allow ISE captive portal DNS entry on outside DNS.</title>
      <link>https://community.cisco.com/t5/network-access-control/allow-ise-captive-portal-dns-entry-on-outside-dns/m-p/4960198#M585233</link>
      <description>&lt;P&gt;Thank you so much for explaining. I will ignore the warning and go ahead and create the CSR.&lt;/P&gt;</description>
      <pubDate>Wed, 15 Nov 2023 22:37:09 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/allow-ise-captive-portal-dns-entry-on-outside-dns/m-p/4960198#M585233</guid>
      <dc:creator>kshah2589</dc:creator>
      <dc:date>2023-11-15T22:37:09Z</dc:date>
    </item>
    <item>
      <title>Re: Allow ISE captive portal DNS entry on outside DNS.</title>
      <link>https://community.cisco.com/t5/network-access-control/allow-ise-captive-portal-dns-entry-on-outside-dns/m-p/4961895#M585266</link>
      <description>&lt;P&gt;Hello Arne Bier,&lt;/P&gt;&lt;P&gt;While generating the CSR for "Portal", I selected both ISE nodes and inserted SAN1 and SAN2; as a result ISE created 2 PEM files, one for each node, and each PEM file has both SAN values. Does that look correct? Because when we did the same thing for "EAP Authentication" it generated only one PEM file which contains both SAN values.&lt;/P&gt;&lt;P&gt;Let me know your thoughts.&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;&lt;P&gt;Kunal Shah&lt;/P&gt;</description>
      <pubDate>Fri, 17 Nov 2023 14:19:35 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/allow-ise-captive-portal-dns-entry-on-outside-dns/m-p/4961895#M585266</guid>
      <dc:creator>kshah2589</dc:creator>
      <dc:date>2023-11-17T14:19:35Z</dc:date>
    </item>
    <item>
      <title>Re: Allow ISE captive portal DNS entry on outside DNS.</title>
      <link>https://community.cisco.com/t5/network-access-control/allow-ise-captive-portal-dns-entry-on-outside-dns/m-p/4962559#M585284</link>
      <description>&lt;P&gt;I just tried this in the lab and had to remind myself of the process &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt; In ISE 3.2 I always get 2 CSRs if I tick both node boxes for EAP or Portal cert. Since we only want to create ONE portal cert, we can't tick both boxes.&lt;/P&gt;
&lt;P&gt;You must always tick at least one node. But you do not have to tick all of them. By putting a tick in the box, you're essentially telling ISE where to store the private key during the CSR creation. So here's my advice for the portal cert CSR:&lt;/P&gt;
&lt;P&gt;Tick only one of the node tick boxes (doesn't matter which one)&lt;/P&gt;
&lt;P&gt;In the Common Name (CN) field, remove the $FQDN and type in something like portal.mycompany.com (it doesn't have to be a valid FQDN). If it makes you feel better, pick a valid FQDN here (e.g. portal1.mycompany.com) - but it's not required.&lt;/P&gt;
&lt;P&gt;Enter all the rest of the fields, and ensure the SAN contains DNS:portal1.mycompany.com and DNS:portal2.mycompany.com.&lt;/P&gt;
&lt;P&gt;Export the single CSR and get it signed by the CA. Then bind the cert back to this CSR. You will have only one ISE node with the portal cert. You then export that cert with its private key, and import it into the other ISE node. When ISE asks for a password, you can make up any password you like - its only purpose is to protect the private key during the export/import stage.&lt;/P&gt;</description>
      <pubDate>Sun, 19 Nov 2023 20:38:34 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/allow-ise-captive-portal-dns-entry-on-outside-dns/m-p/4962559#M585284</guid>
      <dc:creator>Arne Bier</dc:creator>
      <dc:date>2023-11-19T20:38:34Z</dc:date>
    </item>
    <item>
      <title>Re: Allow ISE captive portal DNS entry on outside DNS.</title>
      <link>https://community.cisco.com/t5/network-access-control/allow-ise-captive-portal-dns-entry-on-outside-dns/m-p/4962945#M585294</link>
      <description>&lt;P&gt;Thank you so much for getting back to me. We are running ISE version&amp;nbsp;&lt;SPAN&gt;3.0.0.458 and not ISE 3.2&lt;/SPAN&gt;&lt;SPAN&gt;. Do you still recommend that I follow the same steps you mentioned above? Because when we did the same thing for "EAP Authentication" a couple of days back it generated only one CSR (PEM file) which contains both SAN values.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Regards,&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Kunal&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Mon, 20 Nov 2023 14:04:45 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/allow-ise-captive-portal-dns-entry-on-outside-dns/m-p/4962945#M585294</guid>
      <dc:creator>kshah2589</dc:creator>
      <dc:date>2023-11-20T14:04:45Z</dc:date>
    </item>
    <item>
      <title>Re: Allow ISE captive portal DNS entry on outside DNS.</title>
      <link>https://community.cisco.com/t5/network-access-control/allow-ise-captive-portal-dns-entry-on-outside-dns/m-p/4963242#M585309</link>
      <description>&lt;P&gt;I would still use the same method I outlined above to create the portal certificate.&lt;/P&gt;
&lt;P&gt;I am pretty sure that even in ISE 3.0, if you create a CSR for EAP, and tick both ISE nodes, then it will create two certs. The SAN for EAP certs is not important - I always put a DNS SAN, but I think the software that drives EAP clients and supplicants only looks at the Subject CN (if asked to validate the "server name")&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Mon, 20 Nov 2023 20:17:36 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/allow-ise-captive-portal-dns-entry-on-outside-dns/m-p/4963242#M585309</guid>
      <dc:creator>Arne Bier</dc:creator>
      <dc:date>2023-11-20T20:17:36Z</dc:date>
    </item>
    <item>
      <title>Re: Allow ISE captive portal DNS entry on outside DNS.</title>
      <link>https://community.cisco.com/t5/network-access-control/allow-ise-captive-portal-dns-entry-on-outside-dns/m-p/4963792#M585328</link>
      <description>&lt;P&gt;Thanks Arne Bier, I will follow the same steps as outlined above for the portal cert.&amp;nbsp;&lt;/P&gt;&lt;P&gt;I am confused about the EAP authentication certificate: you mean the supplicant software doesn't look at the SAN and only looks at the Subject CN?&amp;nbsp;If it's like that, then do we need to generate a second CSR and send it to the CA, or will&amp;nbsp;&lt;SPAN&gt;exporting that cert with its private key and importing it into the other ISE node work?&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Tue, 21 Nov 2023 15:01:34 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/allow-ise-captive-portal-dns-entry-on-outside-dns/m-p/4963792#M585328</guid>
      <dc:creator>kshah2589</dc:creator>
      <dc:date>2023-11-21T15:01:34Z</dc:date>
    </item>
    <item>
      <title>Re: Allow ISE captive portal DNS entry on outside DNS.</title>
      <link>https://community.cisco.com/t5/network-access-control/allow-ise-captive-portal-dns-entry-on-outside-dns/m-p/4964117#M585335</link>
      <description>&lt;P&gt;You won't need another cert for the ISE EAP function. 802.1X supplicants do not inspect the SAN entry of the Server Certificate. They might look at the Subject Common Name if told to do so (in Windows native supplicant there is a text entry box, in which you can enter a string, which is the Subject Common Name that you expect the Server to have) - supplicants mostly care about whether or not they cryptographically trust the server with whom they are communicating. This means, having the necessary Root CA and intermediate CA certs on the supplicant is usually all that matters.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 21 Nov 2023 19:59:52 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/allow-ise-captive-portal-dns-entry-on-outside-dns/m-p/4964117#M585335</guid>
      <dc:creator>Arne Bier</dc:creator>
      <dc:date>2023-11-21T19:59:52Z</dc:date>
    </item>
  </channel>
</rss>