cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
 
ISE 2.3 Patch 7 has been posted. This will be the last patch for the ISE 2.3 release!
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

898
Views
8
Helpful
5
Replies
Highlighted
Contributor

Guest CWA with distributed environment

Hi All,

I have a customer with 2 ISE boxes in a distributed environment. I have created a node group & added both ISE in the group. I have a guest portal configured with a full FQDN for the hostname & would like to do CWA for my guests.My DNS server will resolve the both ISE IP in the nslookup & the client will pickup the IP & search for the url.

If the wireless controller starts the RADIUS session with  ISE-1 & if the client tries for the url in ISE-2, will there be issue with RADIUS communication.

Does the wireless controller & wireless client always communicate with the same ISE server to make the Guest working or does the client session gets replicated among the ISE boxes in the same node group

Regards

Nikhil

1 ACCEPTED SOLUTION

Accepted Solutions
Advocate

Re: Guest CWA with distributed environment

By "setting portal FQDN", I am making the assumption that you are referring to the static IP/hostname option under the URL Redirection setting in the Authorization Profile.    If that is the case, then you are forcing the clients to go to a specific target and it is up to DNS, routing, and optionally an LB to get it to the appropriate target.  However, ISE requires that the redirected webauth request be received by same PSN handling the RADIUS session.  If go to PSN1 and user is redirected to PSN2, then webauth will fail as Jason calls out.  There is no session state sharing between ISE PSNs, even if in the same node group.  The node group does however help deal with session recovery when one PSN redirects client and then fails prior to completing web auth session.

Options:

  1. Remove static setting so that clients always get redirected to correct PSN handling RADIUS.  The PSN auto-substitutes its own FQDN in the redirect.
  2. Add logic to the authZ policy such that you match the ISE Server in RADIUS request to a specific AuthZ Profile which has static setting pointing to itself.  This would entail one additional AuthZ Rule and Profile per PSN in this group.
  3. Use a Load Balancer that can intelligently track RADIUS sessions and persist successive web transactions.  This can be done by adding RADIUS Framed IP to the persistence table along with MAC address persistence.  When web request is made, the source IP will match the original Framed IP.  Another option is matching on Session ID in URL.

Craig

5 REPLIES 5
Cisco Employee

Re: Guest CWA with distributed environment

The RADIUS server and guest redirect need to be from the same box.

You can’t setup a FQDN for a guest service in a round robin type fashion like that. You would need a load balancer to front multiple nodes

Also don’t think node groups do anything for guest services.

Advocate

Re: Guest CWA with distributed environment

By "setting portal FQDN", I am making the assumption that you are referring to the static IP/hostname option under the URL Redirection setting in the Authorization Profile.    If that is the case, then you are forcing the clients to go to a specific target and it is up to DNS, routing, and optionally an LB to get it to the appropriate target.  However, ISE requires that the redirected webauth request be received by same PSN handling the RADIUS session.  If go to PSN1 and user is redirected to PSN2, then webauth will fail as Jason calls out.  There is no session state sharing between ISE PSNs, even if in the same node group.  The node group does however help deal with session recovery when one PSN redirects client and then fails prior to completing web auth session.

Options:

  1. Remove static setting so that clients always get redirected to correct PSN handling RADIUS.  The PSN auto-substitutes its own FQDN in the redirect.
  2. Add logic to the authZ policy such that you match the ISE Server in RADIUS request to a specific AuthZ Profile which has static setting pointing to itself.  This would entail one additional AuthZ Rule and Profile per PSN in this group.
  3. Use a Load Balancer that can intelligently track RADIUS sessions and persist successive web transactions.  This can be done by adding RADIUS Framed IP to the persistence table along with MAC address persistence.  When web request is made, the source IP will match the original Framed IP.  Another option is matching on Session ID in URL.

Craig

Cisco Employee

Re: Guest CWA with distributed environment

Contributor

Re: Guest CWA with distributed environment

Thanks Jason & Craig for the help

Cheers

Nikhil

Re: Guest CWA with distributed environment

Hey Craig,

 

Could you elaborate more Load Balancer matching based on Session ID in URL?

We do have setup for Aruba using "Static Target" + CWA flow is going via Internet due to guest network is completly isolated enviroment. This cause that ISE sees WebAuth packets commming from some external IP address. Radius querries comming from NAD containing real internal IP of client. This way F5 is not able do session matching based on Radius Framed IP. I am interested in of matching Session ID in URL. However I dont see "Session ID" info in invoked URL on client side. I assume its not visible as this is "static URL" redirection on Aruba level. Am I wrong?

 

I followed this guide for Aruba configuration:

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-20/211406-Configure-Guest-Flow-with-ISE-2-0-and-Ar.html