10-03-2018 10:09 AM
Hello,
Has anyone tried setting up a guest portal FQDN mapped to two different IP addresses, where these two IP addresses correspond to the IP addresses of the PSN nodes?
Let's say, for example:
PSN1: 1.1.1.1
HOSTNAME: psn1ise.company.com
PSN2: 1.1.1.2
HOSTNAME: psn2ise.company.com
Guest portal uses FQDN:port policy
e.g. FQDN: guest.company.com
nslookup guest.company.com shows both the IP addresses of PSN1 and PSN2.
The same guest cert is installed on both PSN1 and PSN2.
I have found this guide https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/117620-configure-ISE-00.html but it will need a new cert, a new FQDN and an additional alias.
Hoping to hear from you ISE masters. Thank you.
JAN
10-03-2018 10:15 AM
05-08-2019 06:35 AM
How would this work if the client is redirected to the guest portal (CWA), as the client's HTTPS request needs to land on the same PSN the RADIUS request landed on? How would you hide the PSN FQDN in the redirect URL?
05-10-2019 04:47 AM
10-03-2018 09:31 PM
If you do not want to re-issue certificates and you have spare public IP addresses, you can also NAT 1:1 the ISE guest IP addresses and let DNS doctoring do the trick.
You need, however, to register an A record for each ISE on your public DNS server.
It also works to register A records on your public DNS server pointing to the real (internal) IP addresses of the ISE guest interfaces; this permits you to save public addresses.
This way, however, security-wise, people could argue that you are disclosing internal resources.
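Whichever way the records end up published (the two A records the original post describes, 1:1 NAT with DNS doctoring, or A records pointing at the internal guest interfaces as in the reply above), the thing worth verifying afterwards is the same: the guest FQDN resolves to every PSN, and every PSN answers on the portal port with the same certificate, with that FQDN in its SAN list. The script below performs that check. It is an added example, not Cisco or ISE code and not code from any poster in this thread; guest.company.com and the 1.1.1.x addresses are taken from the thread, while the portal port 8443 and the certificate contents used in the comments are assumptions.

```python
"""Verify a guest-portal FQDN that fronts several ISE PSNs (added example, not ISE code).

Checks: the FQDN resolves to more than one address, each address completes a TLS handshake
on the portal port, each presented certificate covers the FQDN in its dNSName SANs, and all
addresses present the identical certificate. Port 8443 is an assumption.
"""
import hashlib
import socket
import ssl

GUEST_FQDN = "guest.company.com"  # FQDN from the original post
PORTAL_PORT = 8443                # assumption: guest portal port


def resolve_all(fqdn):
    """Every IPv4 answer the resolver returns for fqdn, de-duplicated, in answer order."""
    ips = []
    for _fam, _type, _proto, _canon, sockaddr in socket.getaddrinfo(fqdn, None, socket.AF_INET):
        if sockaddr[0] not in ips:
            ips.append(sockaddr[0])
    return ips


def san_matches(fqdn, san_names):
    """True if fqdn is covered by one of the dNSName SANs: an exact match, or a
    single-label wildcard such as *.company.com (a wildcard never spans labels)."""
    fqdn = fqdn.lower().rstrip(".")
    for name in san_names:
        name = name.lower().rstrip(".")
        if name == fqdn:
            return True
        if name.startswith("*.") and "." in fqdn and fqdn.split(".", 1)[1] == name[2:]:
            return True
    return False


def fetch_cert(ip, port, server_name):
    """Handshake with ip:port sending SNI=server_name; return (sha256 fingerprint, dNSName SANs).
    check_hostname is off because the name is matched by san_matches (and a wrong cert
    should be reported, not hidden), but chain verification stays on: Python only exposes
    the parsed certificate for a verified peer, and a guest cert is normally publicly trusted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((ip, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
            der = tls.getpeercert(binary_form=True)
            parsed = tls.getpeercert()
    fingerprint = hashlib.sha256(der).hexdigest()
    sans = [value for kind, value in parsed.get("subjectAltName", ()) if kind == "DNS"]
    return fingerprint, sans


def check_portal(fqdn, ips, port=PORTAL_PORT, fetch=fetch_cert):
    """Return (ok, findings). ok is True only when there are no findings: at least two
    addresses, every handshake succeeds, every cert covers fqdn, all certs are identical.
    `fetch` is injectable so the logic can be exercised without network access."""
    findings = []
    fingerprints = {}
    if len(ips) < 2:
        findings.append(f"{fqdn} resolves to {len(ips)} address(es); expected one per PSN")
    for ip in ips:
        try:
            fingerprint, sans = fetch(ip, port, fqdn)
        except (OSError, ssl.SSLError) as exc:
            findings.append(f"{ip}: handshake failed: {exc}")
            continue
        fingerprints[ip] = fingerprint
        if not san_matches(fqdn, sans):
            findings.append(f"{ip}: cert SANs {sans} do not cover {fqdn}")
    if len(set(fingerprints.values())) > 1:
        findings.append("PSNs serve different certificates: " +
                        ", ".join(f"{ip}={fp[:16]}" for ip, fp in fingerprints.items()))
    return not findings, findings


if __name__ == "__main__":
    addresses = resolve_all(GUEST_FQDN)
    ok, findings = check_portal(GUEST_FQDN, addresses)
    print("OK: all PSNs behind", GUEST_FQDN, "serve the same matching certificate" if ok
          else "\n".join(findings))
```

Run it from a network that sees the same DNS answer the guests will get (the public resolver in the NAT/DNS-doctoring variant, the inside one otherwise), because the point is to test what a guest's browser will experience. A single mismatching fingerprint is the symptom of the case the original post wants to avoid: one PSN re-keyed or still holding its node certificate on the guest interface.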