07-14-2018 11:47 PM
Hi all,
I have an issue with BYOD dual SSID.
The user connects to the BYOD_REGISTER_SSID and is redirected to the ISE BYOD PORTAL.
The ISE is behind F5 ( the F5 received the request from the user and send the request to the ISE, the portal certificate sitting on the F5 ).
I tried to run the "NetworkSetupAssistant" but it fails after a few seconds.
I checked with Wireshark, and I get error about port 8905.
* When I connect to the BYOD_REGISTER_SSID I can telnet to port 8905 on the ISE server.
I think the issue is with the F5.
Thanks,
Amit
07-16-2018 09:25 AM
The F5 certificate should not come into play here unless you are attempting to have F5 terminate SSL. In that case, there is a level of additional complexity to the F5 config. By default, the PSN will redirect the client to its own interface/IP, not the F5 interface/IP. The general recommendation is to allow this direct communication without F5 intervention. If you feel F5 must terminate the HTTPS session, then to ensure the HTTPS session hits the same PSN that terminated RADIUS, you must have either 1) an advanced iRule to stitch the HTTPS session to the RADIUS session or 2) a 1:1 mapping configured between VIP and PSN for redirected traffic.
07-15-2018 01:54 PM
I would suggest testing without F5 and seeing whether it is still not working. There is not much benefit with the portal certificate sitting on the F5, as ISE portals are all in HTTPS, such that Client browser <- (HTTPS) -> F5 <- (HTTPS) -> ISE web portals.
Since you got an error on TCP port 8905 in Wireshark, I would assume your ISE is ISE 2.1 or earlier. It's important to see what the exact errors in Wireshark are.
TCP port 8905 uses the ISE system certificate designated for "admin", so certain client OSes, such as Windows, would not like it if the common name (CN) or the subject alternative name (SAN) do not match the portal hostname portion of the URLs. Thus, you would need to ensure the admin system server certificate matches the portal hostname. ISE 2.2 has been enhanced to use the configured BYOD portal port instead of TCP 8905.
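The CN/SAN mismatch described in this reply is easy to audit before a client ever hits port 8905. The following is an added example (not part of the thread or of Cisco's tooling) that applies RFC 6125-style name matching to a certificate's SAN dNSName list, with CN consulted only when no SAN is present, and reports which portal hostnames a certificate does and does not cover. The hostnames, the two certificate identities, and the "CN is ignored whenever a SAN exists" rule are constructed assumptions for the demonstration, not facts from the thread.

```python
"""Check whether a server certificate's names cover a portal hostname.

Constructed example: the two certificate identities below are made up and
stand in for an ISE admin certificate before and after the BYOD portal FQDN
is added to its SAN list.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class CertIdentity:
    """The name-bearing parts of an X.509 server certificate."""
    common_name: Optional[str]
    san_dns_names: List[str] = field(default_factory=list)


def _label_match(pattern: str, hostname: str) -> bool:
    """Match one presented identifier against a hostname (RFC 6125 style).

    A wildcard is honoured only as the whole leftmost label and only
    matches a single label; it is never accepted for a one-label suffix.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Need at least "*.example.com" (3 labels) and an equal label count.
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    # The wildcard covers exactly one non-empty label; the rest must match.
    return h_labels[0] != "" and p_labels[1:] == h_labels[1:]


def hostname_matches(hostname: str, cert: CertIdentity) -> bool:
    """True if the certificate is valid for hostname.

    Assumption (modern validator behaviour, not stated in the thread): when
    any SAN dNSName is present the CN is ignored; the CN is used only as a
    fallback for SAN-less certificates.
    """
    if cert.san_dns_names:
        return any(_label_match(n, hostname) for n in cert.san_dns_names)
    return cert.common_name is not None and _label_match(cert.common_name, hostname)


def audit_portal_names(cert: CertIdentity, portal_hosts: List[str]) -> Dict[str, bool]:
    """Report, per portal hostname, whether the certificate covers it."""
    return {h: hostname_matches(h, cert) for h in portal_hosts}


# Constructed identities (hypothetical names, not from the thread).
ADMIN_CERT_BEFORE = CertIdentity(common_name="ise-psn1.example.com",
                                 san_dns_names=["ise-psn1.example.com"])
ADMIN_CERT_AFTER = CertIdentity(common_name="ise-psn1.example.com",
                                san_dns_names=["ise-psn1.example.com",
                                               "byod.example.com"])
PORTAL_HOSTS = ["byod.example.com", "ise-psn1.example.com"]

if __name__ == "__main__":
    for label, cert in (("before", ADMIN_CERT_BEFORE), ("after", ADMIN_CERT_AFTER)):
        print(label, audit_portal_names(cert, PORTAL_HOSTS))
```

Run against the names actually present in the admin certificate (for example the dNSName entries printed by an X.509 parser) and the portal FQDNs the redirect URLs use; any `False` in the report is a hostname for which a client on port 8905 will raise the mismatch the reply describes.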