Participant

Client Provisioning Portal FQDN

ISE 2.3 patch 5


I have a question on the client provisioning portal FQDN setting. I have three PSN nodes (2 in one data center and 1 in another data center). Now if I create DNS A records for the CPP portal to point to the 3 psn nodes like this:

posture.ise.com psn1-ip-address

posture.ise.com psn2-ip-address

posture.ise.com psn3-ip-address

And then let my DNS server take care of the load-balancing, will it cause a problem where a user is initially authenticated to say psn1, but when wanting to do posture, dns resolves to psn2 and send user to psn2 to do posture piece?

Specifically I am referring to scenario in dual ssid byod with temporal agent, where user authenticates to the secure ssid and goes to psn1, but when they need to do posture check and enter posture.ise.com in browser dns resolves it to psn2 - would this cause a problem?

6 REPLIES
VIP Advisor

Re: Client Provisioning Portal FQDN

Hi

With portals in ISE, you must ensure that the server that is responding to the user is always the same as the first one, due to the session id.

You have 2 designs to accomplish that:

 - use a load balancer with a unique FQDN; it will ensure the session is maintained straight to the same PSN.

 - use an anycast design: attach the portal to a dedicated interface and set up the same IP on all your PSNs; afterwards it's just a routing play. In terms of DNS, you will only have 1 FQDN matching 1 IP, and users are always redirected to the same server the session id belongs to.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
Participant

Re: Client Provisioning Portal FQDN

I won't be able to use either of these options in the current network. I am just having a lot of difficulty in terms of user experience to get redirected for posturing for the temporal agent. The issue is when a user enters a URL, the browser doesn't seem to honour the redirect and instead shows "This site can't be reached". They need to try multiple sites and/or open new browser tabs/windows and hit a few URLs until the browser decides to honour the redirect and load the posturing portal.

Cisco Employee

Re: Client Provisioning Portal FQDN

Tips:
Make sure DNS is working properly.
Don't redirect with https.
Use enroll.cisco.com
Make sure there is a valid certificate on ise portal.
Use Anyconnect for devices always needing to posture
If all else fails, contact the TAC.
Participant

Re: Client Provisioning Portal FQDN

Hi Jason,

The first 4 points I have confirmed. When you say "Use enroll.cisco.com" do you mean this is the URL that clients should try in their browser when they need to posture using the temporal agent so they can be redirected?
Cisco Employee

Re: Client Provisioning Portal FQDN

You’re correct, enroll.cisco.com can be the only site you redirect on to trigger the portal redirection to the temporal agent on the posture CPP portal
Beginner

Re: Client Provisioning Portal FQDN

If you have a read over BRKSEC-3699, it says you don't need a load balancer for redirect URL web services like posturing.

"PSN that terminates RADIUS returns URL Redirect with its own certificate CN name substituted for ‘ip’ variable in URL. "

So my understanding is if you're already load balancing RADIUS, the redirect-URL will automatically point it back to the same PSN RADIUS was received on.

But if you're doing Sponsored portal or MyDevices portal the Sponsored Admins won't be redirected by RADIUS so that will require a load balancer VIP or AnyCast.
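The two mechanisms discussed in this thread (Francesco's point that the portal must land on the PSN that holds the session, and the BRKSEC-3699 note that the RADIUS PSN substitutes its own certificate CN for the 'ip' variable) can be modelled offline. The script below is an added example, not Cisco's or any poster's code; the hostnames, IPs, session ids and the redirect-URL template are constructed placeholders, and only the CN-substitution idea is taken from the thread.

```python
from itertools import cycle
from urllib.parse import urlsplit

# Constructed topology: two PSNs in one DC, one in another (the asker's setup).
PSN_CN = {"psn1": "psn1.ise.com", "psn2": "psn2.ise.com", "psn3": "psn3.ise.com"}
PSN_IP = {"psn1": "10.1.1.11", "psn2": "10.1.1.12", "psn3": "10.2.1.13"}
IP_TO_PSN = {ip: psn for psn, ip in PSN_IP.items()}
CN_TO_PSN = {cn: psn for psn, cn in PSN_CN.items()}

# Shared portal FQDN with one A record per PSN, handed out round-robin by DNS.
DNS_A_RECORDS = {"posture.ise.com": [PSN_IP[p] for p in ("psn1", "psn2", "psn3")]}

# Hypothetical redirect-URL template (real ISE URLs differ); the point is that
# the RADIUS-terminating PSN fills in the 'ip' variable with its own cert CN.
REDIRECT_TEMPLATE = "https://{ip}:8443/portal/gateway?sessionId={sessionId}&action=cpp"

# Constructed: three endpoints whose RADIUS sessions all terminated on psn1.
SESSIONS = {"0A01010B00000001": "psn1",
            "0A01010B00000002": "psn1",
            "0A01010B00000003": "psn1"}


def build_redirect_url(radius_psn, session_id):
    """URL the RADIUS PSN returns: its own CN replaces the 'ip' variable."""
    return (REDIRECT_TEMPLATE.replace("{ip}", PSN_CN[radius_psn])
                             .replace("{sessionId}", session_id))


def posture_outcomes(use_shared_fqdn):
    """Return {session_id: (psn_reached, session_found)} for every session."""
    resolver = cycle(DNS_A_RECORDS["posture.ise.com"])  # DNS rotating A records
    outcomes = {}
    for sid, radius_psn in SESSIONS.items():
        if use_shared_fqdn:
            # User types posture.ise.com; DNS hands out the next A record.
            reached = IP_TO_PSN[next(resolver)]
        else:
            # Browser follows the redirect; its host is the RADIUS PSN's CN.
            reached = CN_TO_PSN[urlsplit(build_redirect_url(radius_psn, sid)).hostname]
        # The portal only knows sessions that the same PSN authenticated.
        outcomes[sid] = (reached, reached == radius_psn)
    return outcomes


def success_count(use_shared_fqdn):
    """How many of the sessions reach a PSN that actually holds their session."""
    return sum(found for _, found in posture_outcomes(use_shared_fqdn).values())


if __name__ == "__main__":
    for shared in (True, False):
        label = "round-robin FQDN" if shared else "PSN-CN redirect"
        print(f"{label}: {success_count(shared)}/{len(SESSIONS)} sessions found")
```

With the round-robin FQDN only the first lookup lands on psn1, so two of the three posture attempts reach a PSN with no matching session; following the CN-based redirect keeps all three on psn1.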