Cisco Employee

Radius proxy for guest

Hi,

My customer has two ISE clusters. The first one is dedicated to wifi guest access while the second one is handling wired 802.1x for corporate users.

They would like to provide guest access to their wired users. They are thinking of using RADIUS proxy for that. The web portal would still be hosted on their "guest cluster" and "corporate wired users" would simply be redirected to that cluster.

I've done some research but I haven't seen any clear statement on whether that is supported or even supposed to work. Could someone confirm if this is supposed to work and provide some pointers?

An alternative would be to host the guest portal on the corporate cluster and use the "guest cluster" as an external database. This would avoid managing guest accounts at two different locations but would require duplicating the web portal, not ideal...

Cisco Employee

Re: Radius proxy for guest

You can point the guest portal on one system to the other using RADIUS token server as an external identity source
https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/admin_guide/b_ise_admin_guide_23/b_ise_admin_guide_23_chapter_01110.html#task_D0680D3739BF4663858342896759A10A
Cisco Employee

Re: Radius proxy for guest

Yes, this was the alternative I was mentioning. Should I deduce we wouldn't support RADIUS proxy in this case?
Cisco Employee

Re: Radius proxy for guest

Why wouldn't you just set up the wired deployment to use its own portal and database? It sounds like wired users would be logging into the CWA portal with their internal credentials?
Cisco Employee

Re: Radius proxy for guest

They are planning on heavily customising the portal. What you propose means duplicated work (and a duplicated guest database).
In this case, they also want to provide wired access to genuine guests (contractors).
A contractor should be able to use both the wifi and wired infra with the same credentials...
Cisco Employee

Re: Radius proxy for guest

It seems like having 2 separate deployments complicates things then? Or maybe it's for security?

The proper way to point is using RADIUS token. What does RADIUS proxy give you? Not sure why I understand the difference as a problem?
Cisco Employee

Re: Radius proxy for guest

The two different deployments are simply due to administrative reasons. They have one team managing wifi and another one for wired... There is no way we will manage to push a single deployment in their case!

What I was hoping to achieve with RADIUS proxy is to redirect wired guest users to the web portal hosted on the wifi cluster. That way, they would only have to maintain the portal in a single cluster. Since that doesn't seem to be possible, I'll propose the alternative.

Thx

Cisco Employee

Re: Radius proxy for guest (accepted solution)

Ok right. You can't have one radius server hosting wired dot1x and another handling MAB for guest CWA. The ISE server servicing the wired side would also need to host the portal since we rely on the radius session for the control plane.

So the solutions are:

Option 1 (the one you are going with):
- wired deployment CWA would have to call the guest database in the other deployment via RADIUS token
- 1 database of guests
- portal for wired
- portal for wireless
- enhancement request (reach out to the ISE product managers): requirement to export guest portal settings and customization from one deployment to import on another

Option 2:
- have 1 deployment servicing it all
Cisco Employee

Re: Radius proxy for guest

Thanks for confirming, that's what I've already communicated to the customer.

I knew the sessionId could be the issue but I was not sure where it would be generated. I thought we could simply proxy the MAB request from the wired cluster to the guest cluster, which would then generate a sessionId as well and return the corresponding redirect URL.
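As an added illustration (not code from this thread, from ISE, or from Cisco), a simplified Python model of the point made in the accepted reply and in the last post above: the CWA portal has to sit on the deployment that holds the RADIUS session for the endpoint, while the guest database can live elsewhere and be reached through a RADIUS token source. Deployment names, the session-id format, the redirect URL and the MAC address are constructed placeholders, not ISE's real values.

```python
# Constructed model, not ISE code: shows why CWA ties the guest portal to the
# deployment that owns the RADIUS session. Names and formats are placeholders.
import secrets

class Deployment:
    """One ISE deployment with its own session cache, guest DB and portal flag."""
    def __init__(self, name, hosts_portal, guest_db=None):
        self.name = name
        self.hosts_portal = hosts_portal
        self.guest_db = guest_db or {}  # username -> password (constructed)
        self.sessions = {}              # session_id -> endpoint MAC
        self.token_server = None        # deployment used as RADIUS token source

    def mab_request(self, mac, portal_host):
        """MAB for an unknown MAC: create a session, return the CWA redirect URL."""
        session_id = secrets.token_hex(8)
        self.sessions[session_id] = mac
        return f"https://{portal_host}/guestportal?sessionId={session_id}"

    def validate_credentials(self, user, pw):
        if self.token_server is not None:  # RADIUS token: ask the other deployment
            return self.token_server.validate_credentials(user, pw)
        return self.guest_db.get(user) == pw

    def portal_login(self, session_id, user, pw):
        """The portal can only act on sessions it holds (needed to issue the CoA)."""
        if not self.hosts_portal:
            return "no-portal"
        if session_id not in self.sessions:
            return "unknown-session"
        if not self.validate_credentials(user, pw):
            return "bad-credentials"
        return f"coa-reauth {self.sessions[session_id]}"

def portal_on_guest_cluster(user="contractor", pw="pw"):
    """Original idea: wired owns the session, portal lives on the guest cluster."""
    guest = Deployment("guest-cluster", True, {"contractor": "pw"})
    wired = Deployment("wired-cluster", False)
    url = wired.mab_request("aa:bb:cc:dd:ee:ff", "guest-cluster")
    return guest.portal_login(url.rsplit("sessionId=", 1)[1], user, pw)

def radius_token_design(user="contractor", pw="pw"):
    """Accepted option 1: wired hosts its own portal, guest DB via RADIUS token."""
    guest = Deployment("guest-cluster", True, {"contractor": "pw"})
    wired = Deployment("wired-cluster", True)
    wired.token_server = guest
    url = wired.mab_request("aa:bb:cc:dd:ee:ff", "wired-cluster")
    return wired.portal_login(url.rsplit("sessionId=", 1)[1], user, pw)
```

The first design fails at the session lookup, which is the dependency the accepted reply describes; the second keeps a single guest database while each deployment runs its own portal.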