Client Provisioning Portal FQDN

Madura Malwatte
Level 4

ISE 2.3 patch 5


I have a question on the client provisioning portal FQDN setting. I have three PSN nodes (2 in one data center and 1 in another data center). Now if I create DNS A records for the CPP portal to point to the 3 psn nodes like this:

posture.ise.com psn1-ip-address

posture.ise.com psn2-ip-address

posture.ise.com psn3-ip-address

And then let my DNS server take care of the load balancing, will it cause a problem where a user is initially authenticated to, say, psn1, but when wanting to do posture, DNS resolves to psn2 and sends the user to psn2 to do the posture piece?

Specifically, I am referring to the scenario in dual SSID BYOD with the temporal agent, where the user authenticates to the secure SSID and goes to psn1, but when they need to do the posture check and enter posture.ise.com in the browser, DNS resolves it to psn2 - would this cause a problem?

6 Replies

Francesco Molino
VIP Alumni

Hi

With portals in ISE, you must ensure that the server that is responding to the user is always the same as the first one, due to the session ID.

You have 2 designs to accomplish that:

 - use a load balancer with a unique FQDN; it will ensure the session is kept straight to the same PSN.

 - use an anycast design: attach the portal to a dedicated interface and set up the same IP on all your PSNs; afterwards it's just a routing play. In terms of DNS, you will only have 1 FQDN matching 1 IP, and ensure that users are always redirected to the same server where the session ID belongs.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

I won't be able to use either of these options in the current network. I am just having a lot of difficulty in terms of user experience getting redirected for posturing with the temporal agent. The issue is that when a user enters a URL, the browser doesn't seem to honour the redirect and instead shows "This site can't be reached". They need to try multiple sites and/or open new browser tabs/windows and hit a few URLs until the browser decides to honour the redirect and load the posturing portal.

Tips:
Make sure DNS is working properly.
Don't redirect with https.
Use enroll.cisco.com
Make sure there is a valid certificate on ise portal.
Use AnyConnect for devices that always need to posture.
If all else fails, contact the TAC.

Hi Jason,

The first 4 points I have confirmed. When you say "Use enroll.cisco.com", do you mean this is the URL that clients should try in their browser when they need to posture using the temporal agent so they can be redirected?

You're correct, enroll.cisco.com can be the only site you redirect on to trigger the portal redirection to the temporal agent on the posture CPP portal.

redstar_cccc
Level 1

If you have a read over BRKSEC-3699, it says you don't need a load balancer for redirect-URL web services like posturing.

"PSN that terminates RADIUS returns URL Redirect with its own certificate CN name substituted for ‘ip’ variable in URL. "

So my understanding is if you're already load balancing RADIUS, the redirect-URL will automatically point it back to the same PSN RADIUS was received on.

But if you're doing the Sponsored portal or MyDevices portal, the Sponsored Admins won't be redirected by RADIUS, so that will require a load balancer VIP or AnyCast.
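The following Python script is an added example, not code from this thread, from Cisco or from ISE itself. It simulates the session-affinity point made in Francesco's and redstar_cccc's replies: three hypothetical PSNs each keep their own session table, and a posture portal request only succeeds on the PSN that terminated the RADIUS session. It compares one FQDN with three A records (DNS round robin, as in the original question), following the URL-Redirect built from the terminating PSN's own certificate CN (the BRKSEC-3699 behaviour quoted above), and a load balancer VIP with persistence on the client identity. All hostnames, IP addresses, session IDs and the redirect URL layout are constructed for the example; the resolver's rotation is modelled as a seeded random choice because it is shared with every other client on the network.

```python
"""Added example (not from the thread or from Cisco ISE): why the client
provisioning portal must land on the PSN that holds the RADIUS session."""
import random
from dataclasses import dataclass, field
from itertools import cycle
from urllib.parse import parse_qs, urlsplit

# Hypothetical PSNs: portal certificate CN -> node IP (constructed values).
PSNS = {
    "psn1.ise.example": "10.0.1.11",
    "psn2.ise.example": "10.0.1.12",
    "psn3.ise.example": "10.0.2.13",
}
PORTAL_PORT = 8443


@dataclass
class Psn:
    cn: str
    ip: str
    sessions: set = field(default_factory=set)  # session IDs this node owns

    def radius_auth(self, session_id: str) -> str:
        """RADIUS terminates here: the node records the session and returns a
        URL-Redirect whose host is its own certificate CN (assumed layout)."""
        self.sessions.add(session_id)
        return (f"https://{self.cn}:{PORTAL_PORT}/portal/gateway"
                f"?sessionId={session_id}&portal=cpp")

    def portal_hit(self, session_id: str) -> bool:
        """A portal request succeeds only if this node owns the session."""
        return session_id in self.sessions


class Cluster:
    def __init__(self, seed: int = 7):
        self.by_ip = {ip: Psn(cn, ip) for cn, ip in PSNS.items()}
        self.by_cn = {n.cn: n for n in self.by_ip.values()}
        self._radius_rr = cycle(self.by_ip)   # RADIUS spread over the PSNs
        self._vip_rr = cycle(self.by_ip)      # VIP pool rotation
        self._sticky = {}                     # client -> node IP (VIP persistence)
        self._rng = random.Random(seed)

    def dns_round_robin(self) -> str:
        # posture FQDN with three A records: the resolver rotates across all
        # clients, so for one user the answer is effectively random.
        return self._rng.choice(list(self.by_ip))

    def vip(self, client: str) -> Psn:
        # Persistence on the client identity: the first flow from a client
        # picks a node, every later flow from that client reuses it.
        node_ip = self._sticky.setdefault(client, next(self._vip_rr))
        return self.by_ip[node_ip]

    def posture_flow(self, strategy: str, client: str, session_id: str) -> bool:
        """Authenticate, then reach the portal using the given strategy."""
        if strategy == "sticky_vip":
            node = self.vip(client)
        else:
            node = self.by_ip[next(self._radius_rr)]
        redirect = node.radius_auth(session_id)

        if strategy == "round_robin_dns":
            target = self.by_ip[self.dns_round_robin()]
        elif strategy == "redirect_cn":
            target = self.by_cn[urlsplit(redirect).hostname]
        elif strategy == "sticky_vip":
            target = self.vip(client)
        else:
            raise ValueError(f"unknown strategy {strategy!r}")

        sid = parse_qs(urlsplit(redirect).query)["sessionId"][0]
        return target.portal_hit(sid)


def portal_failures(strategy: str, users: int = 30) -> int:
    """Count users whose portal request hits a PSN without their session."""
    cluster = Cluster()
    failures = 0
    for i in range(users):
        client = f"192.0.2.{i + 1}"          # constructed client identity
        sid = f"0a00010b{i:08x}"             # constructed session ID
        if not cluster.posture_flow(strategy, client, sid):
            failures += 1
    return failures


if __name__ == "__main__":
    for strategy in ("round_robin_dns", "redirect_cn", "sticky_vip"):
        print(f"{strategy:16s} portal failures: {portal_failures(strategy)}/30")
```

Run it as-is: the round-robin strategy produces failures for a large share of the users, because the DNS answer has no relation to which PSN terminated RADIUS, while the redirect-CN and sticky-VIP strategies produce none. The `redirect_cn` path is the reason redstar_cccc's reading holds for posture and other redirect-driven portals; the Sponsor and MyDevices portals are reached without a RADIUS redirect, which is where the VIP or anycast design from Francesco's reply is needed.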