04-15-2019 06:17 AM
Hello, I have a 2-node deployment and I'm trying to redirect to a custom URL for the guest portal. I'm doing this by checking the check box for static redirection in the authz profile. When that's configured, redirection isn't working all the time. Clients are sometimes getting an error 400 with a message stating that the RADIUS server terminated the session. How can this be fixed, please? I have ISE 2.4 with patch 6 installed.
04-15-2019 08:16 AM
Since it is an intermittent issue, I recommend working with the TAC to troubleshoot further.
Regards,
-Tim
04-15-2019 02:52 PM
Can you share a screenshot of your AuthZ rules and results? Do you test which PSN is processing the RADIUS request and then return the appropriate authorization profile?
What do the DNS entries look like for the FQDNs in those Authorization Profiles?
04-15-2019 04:00 PM
04-16-2019 02:49 PM
You need two of these AuthZ profiles. One returning a static FQDN for ise01 and one returning a static FQDN for ise02.
Remember that each PSN gets the same programming from the PAN. So to make the PSN "self-aware" you need to create an AuthZ Policy Set authorization rule as such (the ISE hostname is typically the Gig0 hostname, or if the portal is running on another interface you can alias the hostname too).
04-16-2019 03:18 PM
This was the solution. I had to create Authz policies for each ISE node calling their hostname. Now this caused a cert warning since I'm redirecting to the IP and it's not on the cert. I'm asking now if I can add the IPs to the SAN entries. Is there another way around this or we must update the cert?
04-16-2019 09:29 PM
You should be redirecting to the FQDN instead. Of course this presumes that you have those FQDNs in your DNS :-)
Redirecting to an IP is not ideal - it would look a bit suspect in the client's browser :-( - and adding them to the cert would fix it, but it's just compounding the issue.
Rather, add DNS entries for each ISE node, and then add the DNS entries in the SAN of the cert. You can re-use the same cert on both ISE nodes (or create one per PSN - it doesn't matter which option - if it comes from a public CA then one cert containing two SAN entries will be cheaper than buying two separate certs). A wildcard cert would also work, but those are more expensive.
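The advice above boils down to a check you can run before touching the authz profiles: every per-PSN redirect URL must carry a hostname (not an IP literal), and that hostname must be covered by a DNS or wildcard SAN entry on the portal certificate. The script below is an added example, not code from the thread or from Cisco; the PSN names, the SAN list and the URLs are constructed for illustration. Wildcard matching follows the usual browser rule (the `*` covers exactly one label), which is why a wildcard for `corp.example.com` does not cover a PSN sitting one subdomain deeper.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed SAN list for the portal certificate (assumption: a wildcard cert,
# as the thread's poster said they installed).
PORTAL_SAN_DNS = ["*.corp.example.com", "guest.corp.example.com"]
PORTAL_SAN_IPS = []          # no iPAddress entries, so IP redirects will warn

# Constructed static-redirect URLs, one per PSN, as the per-node authz profiles
# would return them. The IP and the deeper-subdomain entries are deliberate
# failure cases taken from the discussion above.
PSN_REDIRECTS = {
    "ise01": "https://ise01.corp.example.com:8443/portal/gateway?portal=guest",
    "ise02": "https://ise02.corp.example.com:8443/portal/gateway?portal=guest",
    "ise03": "https://10.10.20.13:8443/portal/gateway?portal=guest",
    "ise04": "https://ise04.dmz.corp.example.com:8443/portal/gateway?portal=guest",
}


def san_matches(hostname, san_name):
    """True if a single dNSName SAN entry covers hostname.

    Browser semantics: a wildcard is only honoured in the left-most label and
    matches exactly one label, so *.corp.example.com covers
    ise01.corp.example.com but not ise01.dmz.corp.example.com or
    corp.example.com itself.
    """
    host = hostname.lower().rstrip(".")
    san = san_name.lower().rstrip(".")
    if san.startswith("*."):
        suffix = san[1:]                      # ".corp.example.com"
        if not host.endswith(suffix):
            return False
        prefix = host[: -len(suffix)]         # the part the wildcard must cover
        return bool(prefix) and "." not in prefix
    return host == san


def is_ip_literal(host):
    """True for IPv4/IPv6 literals (urlsplit already strips IPv6 brackets)."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_redirect(url, san_dns, san_ips=()):
    """Classify one redirect URL against the certificate's SAN entries."""
    host = urlsplit(url).hostname              # lower-cased, port removed
    if not host:
        return "no host in URL"
    if is_ip_literal(host):
        # Redirecting to an IP only avoids a browser warning if the cert has a
        # matching iPAddress SAN; the thread recommends using an FQDN instead.
        return "ip-literal covered by SAN" if host in san_ips else "ip-literal not in cert"
    if any(san_matches(host, s) for s in san_dns):
        return "ok"
    return "hostname not in SAN"


def check_all(redirects=PSN_REDIRECTS, san_dns=PORTAL_SAN_DNS, san_ips=PORTAL_SAN_IPS):
    """Return {psn_name: verdict} for every per-PSN redirect URL."""
    return {psn: check_redirect(url, san_dns, san_ips) for psn, url in redirects.items()}


if __name__ == "__main__":
    for psn, verdict in check_all().items():
        print(f"{psn}: {verdict}")
```

Run it once with the real SAN list copied from the portal certificate's details page and the redirect URL from each PSN-specific authz profile; anything other than `ok` is a certificate warning waiting to happen on the client.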
04-16-2019 09:41 PM
I actually have installed a wildcard cert. I will try to forward to the fqdn instead.
04-17-2019 09:00 AM
Hi Arne, should it be 2 different dns records for each node guest portal and reference those in the static redirection box?
04-17-2019 10:59 AM
If you are using the actual FQDNs of the ISE PSNs in the guest redirect URL you only need one redirect rule as ISE automatically puts the FQDN of the node in the URL. If you are hiding the real FQDNs with names like guest1.mycompany.com and guest2.mycompany.com then you will need DNS entries for each PSN with the fake names and you will need a rule for each PSN that redirects to the fake name, i.e. if authenticated by PSN1 then redirect to guest1.mycompany.com.
04-17-2019 11:49 AM
04-17-2019 11:54 AM
Here you go. Just match on the hostname only not the FQDN:
04-17-2019 12:09 PM
04-23-2019 12:49 PM
Hello, after redirecting to the 2 different A records, it worked for a couple of days and then we got the error 400 again. Any other suggestions you recommend me trying?
02-01-2024 05:04 AM
We are having this same issue, did you have any progress? (We have an open TAC case)