759 Views · 5 Helpful · 4 Replies
Beginner

ISE Guest portal FQDN pointing to 2 IP Address

Hello,

Has anyone tried setting up a guest portal FQDN mapped to two different IP addresses, where these two IP addresses correspond to the IP addresses of the PSN nodes?

Let's say, for example:

PSN1: 1.1.1.1
HOSTNAME: psn1ise.company.com

PSN2: 1.1.1.2
HOSTNAME: psn2ise.company.com

Guest portal uses the fqdn:port policy.
ex. FQDN: guest.company.com

nslookup guest.company.com shows both the IP addresses of PSN 1 and PSN 2.

The same guest cert is installed on both psn1 and psn2.

I have found this guide https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/117620-configure-ISE-00.html but it will need a new cert, a new FQDN and an additional alias.

Hoping to hear from you ISE masters. Thank you.

JAN

1 ACCEPTED SOLUTION

Cisco Employee

Re: ISE Guest portal FQDN pointing to 2 IP Address

Correct, that’s the way you do it. Yes, you will need to change the cert so the client trusts it.

4 REPLIES
Beginner

Re: ISE Guest portal FQDN pointing to 2 IP Address

How would this work if the client is redirected to the guest portal (CWA)? The client's HTTPS request needs to land on the same PSN the RADIUS request landed on. How would you hide the PSN FQDN in the redirect URL?

Cisco Employee

Re: ISE Guest portal FQDN pointing to 2 IP Address

You can’t hide the host it’s communicating to. I would recommend a certificate with a wildcard in the SAN.

More information available under admin guide for certificates
https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_0110.html#concept_8B6D9760C14344EC972B2DD81876328B
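An added check for the certificate point raised in the replies (example code, not from the thread or from Cisco): with one cert on both PSNs, clients see guest.company.com and, after a CWA redirect, each PSN's own FQDN, so the SAN list has to cover all three. The hostnames, the port 8443 default and the one-label wildcard rule are assumptions; the offline functions verify a SAN list, and live_check does the same against what each resolved address actually presents.

```python
import socket
import ssl

# Constructed from the thread's example; none of these are real hosts.
GUEST_FQDN = "guest.company.com"
PSN_HOSTNAMES = ["psn1ise.company.com", "psn2ise.company.com"]
# A CWA redirect carries the PSN's own FQDN, so clients see every one of these.
CLIENT_FACING_NAMES = [GUEST_FQDN] + PSN_HOSTNAMES


def san_matches(san_name: str, hostname: str) -> bool:
    """Exact match, or a leading '*' that covers exactly one DNS label
    (so *.company.com covers guest.company.com, but neither company.com
    nor a.b.company.com)."""
    san_name = san_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if san_name == hostname:
        return True
    if not san_name.startswith("*."):
        return False
    suffix = san_name[1:]                 # ".company.com"
    if not hostname.endswith(suffix):
        return False
    label = hostname[: -len(suffix)]      # what the '*' has to cover
    return bool(label) and "." not in label


def uncovered_hosts(san_names, hostnames):
    """Hostnames from `hostnames` that no SAN entry covers (empty list = OK)."""
    return [h for h in hostnames if not any(san_matches(s, h) for s in san_names)]


def live_check(fqdn=GUEST_FQDN, port=8443, names=CLIENT_FACING_NAMES):
    """Resolve fqdn, open TLS to each A/AAAA address with SNI=fqdn and report,
    per address, which client-facing names its certificate does not cover.
    Needs network access and a CA the client trusts (assumed port 8443)."""
    report = {}
    addrs = dict.fromkeys(sa[0] for *_, sa in socket.getaddrinfo(fqdn, port, type=socket.SOCK_STREAM))
    for ip in addrs:                      # dict.fromkeys dedupes repeated addresses
        ctx = ssl.create_default_context()
        try:
            with socket.create_connection((ip, port), timeout=5) as raw, \
                    ctx.wrap_socket(raw, server_hostname=fqdn) as tls:
                sans = [v for k, v in tls.getpeercert().get("subjectAltName", ())
                        if k == "DNS"]
            report[ip] = uncovered_hosts(sans, names)
        except (ssl.SSLError, OSError) as exc:   # untrusted/mismatched cert or no answer
            report[ip] = [f"handshake failed: {exc}"]
    return report
```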

Re: ISE Guest portal FQDN pointing to 2 IP Address

If you do not want to re-issue certificates and you have spare public IP addresses, you can also NAT 1:1 the ISE guest IP addresses and let DNS doctoring do the trick.

You need, however, to register an A record for each ISE on your public DNS server.

It also works to register A records on your public DNS server pointing to the real (internal) IP addresses of the ISE guest interfaces; this permits you to save public addresses.

This way, however, security-wise, guys could argue that you are disclosing internal resources.