Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2003
Views
8
Helpful
5
Replies

Guest CWA with distributed environment

Go to solution
nikhilcherian
Level 5
Level 5

‎04-24-2017 09:30 PM

Hi All,

I have a customer with 2 ISE boxes in a distributed environment. I have created a node group & added both ISE in the group. I have a guest portal configured with a full FQDN for the hostname & would like to do CWA for my guests.My DNS server will resolve the both ISE IP in the nslookup & the client will pickup the IP & search for the url.

If the wireless controller starts the RADIUS session with  ISE-1 & if the client tries for the url in ISE-2, will there be issue with RADIUS communication.

Does the wireless controller & wireless client always communicate with the same ISE server to make the Guest working or does the client session gets replicated among the ISE boxes in the same node group

Regards

Nikhil

1 Accepted Solution

Accepted Solutions

Go to solution
Craig Hyps
Level 10
Level 10
In response to Jason Kunst

‎04-25-2017 08:09 AM

By "setting portal FQDN", I am making the assumption that you are referring to the static IP/hostname option under the URL Redirection setting in the Authorization Profile.    If that is the case, then you are forcing the clients to go to a specific target and it is up to DNS, routing, and optionally an LB to get it to the appropriate target.  However, ISE requires that the redirected webauth request be received by same PSN handling the RADIUS session.  If go to PSN1 and user is redirected to PSN2, then webauth will fail as Jason calls out.  There is no session state sharing between ISE PSNs, even if in the same node group.  The node group does however help deal with session recovery when one PSN redirects client and then fails prior to completing web auth session.

Options:

  1. Remove static setting so that clients always get redirected to correct PSN handling RADIUS.  The PSN auto-substitutes its own FQDN in the redirect.
  2. Add logic to the authZ policy such that you match the ISE Server in RADIUS request to a specific AuthZ Profile which has static setting pointing to itself.  This would entail one additional AuthZ Rule and Profile per PSN in this group.
  3. Use a Load Balancer that can intelligently track RADIUS sessions and persist successive web transactions.  This can be done by adding RADIUS Framed IP to the persistence table along with MAC address persistence.  When web request is made, the source IP will match the original Framed IP.  Another option is matching on Session ID in URL.

Craig

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee

‎04-25-2017 06:45 AM

The RADIUS server and guest redirect need to be from the same box.

You can’t setup a FQDN for a guest service in a round robin type fashion like that. You would need a load balancer to front multiple nodes

Also don’t think node groups do anything for guest services.

Go to solution
Craig Hyps
Level 10
Level 10
In response to Jason Kunst

‎04-25-2017 08:09 AM

By "setting portal FQDN", I am making the assumption that you are referring to the static IP/hostname option under the URL Redirection setting in the Authorization Profile.    If that is the case, then you are forcing the clients to go to a specific target and it is up to DNS, routing, and optionally an LB to get it to the appropriate target.  However, ISE requires that the redirected webauth request be received by same PSN handling the RADIUS session.  If go to PSN1 and user is redirected to PSN2, then webauth will fail as Jason calls out.  There is no session state sharing between ISE PSNs, even if in the same node group.  The node group does however help deal with session recovery when one PSN redirects client and then fails prior to completing web auth session.

Options:

  1. Remove static setting so that clients always get redirected to correct PSN handling RADIUS.  The PSN auto-substitutes its own FQDN in the redirect.
  2. Add logic to the authZ policy such that you match the ISE Server in RADIUS request to a specific AuthZ Profile which has static setting pointing to itself.  This would entail one additional AuthZ Rule and Profile per PSN in this group.
  3. Use a Load Balancer that can intelligently track RADIUS sessions and persist successive web transactions.  This can be done by adding RADIUS Framed IP to the persistence table along with MAC address persistence.  When web request is made, the source IP will match the original Framed IP.  Another option is matching on Session ID in URL.

Craig

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to Craig Hyps

‎04-25-2017 08:27 AM

thanks chyps

Option 1 this is normal supported option

Option 2 ISE with Static Redirect for Isolated Guest Networks Configuration Example - Cisco

Option 3 ISE Load Balancing

0 Helpful

Go to solution
nikhilcherian
Level 5
Level 5
In response to Jason Kunst

‎04-25-2017 08:39 AM

Thanks Jason & Craig for the help

Cheers

Nikhil

0 Helpful

Go to solution
piotr.witkowski
Level 1
Level 1
In response to Craig Hyps

‎12-03-2018 07:02 AM

Hey Craig,

 

Could you elaborate more Load Balancer matching based on Session ID in URL?

We do have setup for Aruba using "Static Target" + CWA flow is going via Internet due to guest network is completly isolated enviroment. This cause that ISE sees WebAuth packets commming from some external IP address. Radius querries comming from NAD containing real internal IP of client. This way F5 is not able do session matching based on Radius Framed IP. I am interested in of matching Session ID in URL. However I dont see "Session ID" info in invoked URL on client side. I assume its not visible as this is "static URL" redirection on Aruba level. Am I wrong?

 

I followed this guide for Aruba configuration:

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-20/211406-Configure-Guest-Flow-with-ISE-2-0-and-Ar.html

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents