ISE CWA Using Non-Management Interface

I have a dilemma I've run into that I am hoping the community can help with...

I have a customer design I'm working on that requires some ISE PSNs in the public-facing DMZ. Specifically to serve up the CWA page to wireless guest users that are coming from another site. The ISE servers reside virtually in the customer's datacenter. The guest users will be accessing the network from a WLC local to the site. The WLC will send its RADIUS traffic back to PSN interfaces (let's say G0) via a L2L VPN tunnel to the datacenter server network.

For obvious reasons, we don't want the guest user traffic to traverse the L2L tunnel. The goal is to place some of the guest-serving ISE PSNs in a datacenter DMZ. They will have G0 in a DMZ VLAN that is accessible to the other ISE nodes for inter-ISE communication, while the G1 interface will be placed in a DMZ VLAN accessible to the wifi guest users. The wifi guest users will be coming over the internet and are source NATed.

Thus far everything seems to work except when I assign the CWA portal to G1 it sends the G1 private IP in the redirect URL. My question is this: Can the ISE PSNs/web portal be configured so it sends a custom FQDN for the guest portal? I would like to leverage public DNS and point the guests to the public IP of the ISE guest PSNs (which is then destination NATed for tcp/8443 to the guest G1 interface).

Or is there a way I can use a public IP on the G1 interface but still reside behind a F5 load balancer?

Or am I going about this all wrong and is this unsupported?

Huge TIA for any input/help!

(Attachment: guest diagram.png)

Accepted Solution
Contributor

Re: ISE CWA Using Non-Management Interface

If I understand your problem correctly this should resolve your issue: http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/cli_ref_guide/b_ise_CLIReferenceGuide_20/Cisco_ISE_CLI_Commands_in_Configuration_Mode.html#wp5773065010

ip host

To associate a host alias and fully qualified domain name (FQDN) string to an ethernet interface such as eth1, eth2, and eth3 other than eth0, use the ip host command in global configuration mode.

When Cisco ISE processes an authorization profile redirect URL, it replaces the IP address with the FQDN of the Cisco ISE node.

ip host ipv4-address host-alias

To remove the association of host alias and FQDN, use the no form of this command.

no ip host ipv4-address host-alias

You should be able to configure the hostname via the CLI for G1 and then CWA should redirect by providing the correct FQDN.

George

Warning: I either dictated this to my device, or typed it with my thumbs. Erroneous words are a feature, not a typo.
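The substitution George quotes from the CLI guide, and the checks that the rest of the design (public DNS, the tcp/8443 DNAT, the portal certificate) has to pass for an internet guest to actually land on the G1 portal, are modelled in the added example below. This is illustrative code written for this page, not Cisco's implementation: the addresses, the hostname guest.example.com, the exact path and query layout of the redirect URL, and the helper names ip_host, build_redirect_url and check_guest_path are all assumptions.

```python
# Added example, not Cisco code. It models the behaviour the accepted answer
# quotes from the CLI guide: with an 'ip host <ipv4> <host-alias>' entry for
# the portal interface, ISE emits the alias (FQDN) instead of the interface
# IP in the CWA redirect URL. It then runs the checks an internet guest's
# path depends on. All addresses, hostnames and the URL layout are assumed.
import ipaddress
from urllib.parse import urlencode, urlsplit

PORTAL_PORT = 8443      # guest portal port from the original post
IP_HOST_TABLE = {}      # stands in for the node's 'ip host' entries


def ip_host(ipv4: str, host_alias: str) -> None:
    """Model of 'ip host <ipv4-address> <host-alias>' in global config mode."""
    ipaddress.IPv4Address(ipv4)  # reject a malformed address, as the CLI would
    IP_HOST_TABLE[ipv4] = host_alias


def no_ip_host(ipv4: str) -> None:
    """Model of 'no ip host <ipv4-address> <host-alias>'."""
    IP_HOST_TABLE.pop(ipv4, None)


def build_redirect_url(portal_interface_ip: str, session_id: str, portal_id: str) -> str:
    """Build the CWA redirect URL for a portal bound to portal_interface_ip.

    Without an alias the raw interface IP is used (the behaviour the original
    post complained about); with one, the FQDN is substituted. The path and
    query parameters are an assumed layout, not guaranteed ISE output.
    """
    host = IP_HOST_TABLE.get(portal_interface_ip, portal_interface_ip)
    query = urlencode({"sessionId": session_id, "portal": portal_id, "action": "cwa"})
    return f"https://{host}:{PORTAL_PORT}/portal/gateway?{query}"


def check_guest_path(url: str, portal_interface_ip: str, public_dns: dict,
                     dnat: dict, cert_sans: set) -> list:
    """Return the problems an internet guest would hit following the redirect.

    public_dns: hostname -> public IP (what the guest's resolver returns)
    dnat:       (public IP, port) -> (private IP, port) on the DMZ firewall
    cert_sans:  subject alternative names on the portal certificate
    """
    parts = urlsplit(url)
    host, port = parts.hostname, parts.port
    problems = []

    try:
        literal = ipaddress.ip_address(host)
    except ValueError:
        literal = None   # a hostname, i.e. the alias was applied

    if literal is not None:
        # An IP literal in the URL means no 'ip host' alias covered this interface.
        if literal.is_private:
            problems.append(f"redirect uses private IP {literal}; unreachable from the internet")
        problems.append("IP literal in redirect will not match a hostname-based certificate")
        return problems

    public_ip = public_dns.get(host)
    if public_ip is None:
        problems.append(f"no public DNS record for {host}")
    else:
        target = dnat.get((public_ip, port))
        if target is None:
            problems.append(f"no DNAT rule for {public_ip}:{port}")
        elif target != (portal_interface_ip, PORTAL_PORT):
            problems.append(f"DNAT for {public_ip}:{port} lands on {target}, not the portal interface")
    if host not in cert_sans:
        problems.append(f"portal certificate SAN does not cover {host}")
    return problems


if __name__ == "__main__":
    # Constructed topology: G1 of the DMZ PSN is 10.10.20.5 behind public 203.0.113.10.
    dns = {"guest.example.com": "203.0.113.10"}
    nat = {("203.0.113.10", 8443): ("10.10.20.5", 8443)}
    sans = {"guest.example.com"}

    before = build_redirect_url("10.10.20.5", "0A0A140500000001", "guest-portal")
    print(before, check_guest_path(before, "10.10.20.5", dns, nat, sans))

    ip_host("10.10.20.5", "guest.example.com")      # the fix from the accepted answer
    after = build_redirect_url("10.10.20.5", "0A0A140500000001", "guest-portal")
    print(after, check_guest_path(after, "10.10.20.5", dns, nat, sans))
```

The point of the checker is that `ip host` only fixes the string ISE puts in the URL; the guest still has to resolve that name to the public IP, the firewall still has to forward tcp/8443 to G1, and the portal certificate still has to carry the FQDN in its SAN (and chain to a CA the guest's browser trusts), otherwise the redirect fails one step later with a less obvious error.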

4 Replies

Re: ISE CWA Using Non-Management Interface

Yes, that was exactly the command/capability I was looking for.

Thank you very much George!

Cisco Employee

Re: ISE CWA Using Non-Management Interface

Re: ISE CWA Using Non-Management Interface

It does, Jason, thank you.

Ultimately I was looking for host-alias command as it maintains a scalable/flexible architecture. But my fallback was/is to resort to the static settings you reference.