topic Re: ISE guest redirect in Network Security

ISE guest redirect

shaikh.zaid22 — Mon, 04 Jul 2022 16:05:41 GMT

Hi,

I am implementing Guest wireless nw via Cisco ISE, wherein am utilizing the sponsor page registration for the Guest users.

Now my question is for the Portal certificate can i use an ip based certificate instead of Fqdn ? Since i do not want the fqdn to get resolved via our internal DNS server. Instead using an ip based certificate which gets redirected on Guests Users mobiles/Pcs.

Thanks

Re: ISE guest redirect

Mohammed al Baqari — Tue, 05 Jul 2022 09:43:31 GMT

Hi,

You can use FQDN in the CN and IP address in SAN names. This way you are
covered.

***** please remember to rate useful posts

Re: ISE guest redirect

shaikh.zaid22 — Tue, 05 Jul 2022 09:49:51 GMT

Thanks Mohammed for the reply.

DO you mean while generating the CSR. The fqdn will be under CN and ip address wil be under SAN ?

Re: ISE guest redirect

Mohammed al Baqari — Tue, 05 Jul 2022 10:27:31 GMT

Yes that is correct.

**** please remember to rate useful posts

Re: ISE guest redirect

Aref Alsouqi — Tue, 05 Jul 2022 11:11:47 GMT

One thing important to keep in mind when it comes to the sponsor portal is that there is a redirection that would happen in the background to the admin portal before the session is redirected to the sponsor portal. Essentially, you will be presented by two certificates, the first will be the admin certificate, and the second will be the sponsor portal certificate. This means that the sponsor portal FQDN and the IP address details should be added to the admin certificate, as well as to the sponsor portal certificate.

Re: ISE guest redirect

Mohammed al Baqari — Tue, 05 Jul 2022 11:22:31 GMT

Hi Aref,

I don't think this is needed if you hit the sponsor portal directly. I will
be grateful, if you can share a doc for this as it's new to me.

**** please remember to rate useful posts

Re: ISE guest redirect

Aref Alsouqi — Tue, 05 Jul 2022 11:38:00 GMT

Hi Mohammed, unfortunately I don't have any Cisco doc at handy on this, but I ran into this issue personally before I learned this behaviour and I could prove it by doing the sessions inspections where I could actually see the admin certificate presented before the sponsor portal certificate is presented.

Re: ISE guest redirect

Aref Alsouqi — Tue, 05 Jul 2022 11:42:32 GMT

Doing a quick search online I found this Mohammed, it is kinda talking about same behaviour:

Cisco Bug: CSCut16630 - ISE : https to sponsor portal using Admin cert not sponsor cert

Re: ISE guest redirect

shaikh.zaid22 — Fri, 08 Jul 2022 10:55:04 GMT

Hi,

at last we solved the redirect issue, by configuring a DNS doctoring( Translate DNS replies in AUTO NAT in FTD).

This way we published the fqdn with a public ip on public dns and internally via Auto Nat and ACL we controlled the traffic.

hence the guest resolves the fqdn through public dns and when the traffic comes back to the FTD fw, Auto Nat transplate the DNS replies to the ISE guest ip add.