Cisco Guest Hotspot Portal in DMZ

I have ISE deployed internally, and my WLCs use its internal network configuration to reach AAA for our "secure" Wi-Fi. I have cabled and configured two new ports on my two PSNs for our DMZ. Do I need to set up a new AAA instance profile in my WLC to see these new PSN IPs? If so, is there something I need to do in ISE so that these PSNs can talk with AAA on the new interface?


ISE-ADM/MON-01: 1.1.1.1 (Internal network)
ISE-ADM/MON-02: 1.1.1.2 (Internal network)
ISE-PSN-01: 1.1.1.3 (Internal network - Presently configured in WLC for AAA)
ISE-PSN-01-DMZ: 2.2.2.2 Do I need to configure in ISE and WLC for AAA like I did for internal network? 
ISE-PSN-02: 1.1.1.4 (Internal network - Presently configured in WLC for AAA)
ISE-PSN-02-DMZ: 2.2.2.3 Do I need to configure in ISE and WLC for AAA like I did for internal network? 

Also, how can I create a new URL redirect for the new interfaces/Hotspot portal? Right now I only get an IP.

I have not been able to find examples or a configuration guide on this...


8 Replies

Arne Bier (VIP)

If I understand correctly, you're using the same two PSNs but want to run a cable from another GigE interface (e.g. Gig1) to the DMZ network? That would work. However, all the networking configuration must be done on the ISE CLI (conf t); you cannot configure IPs in the ISE GUI.

Each time you add or change an IP in ISE, it restarts the services afterwards, but no reboot is required.

Check your ISE routing table after doing this. You should see a single default gateway (using Gig0).

Question: for the DMZ networking, will ISE need a default GW to reach other subnets? You can either add a handful of static routes if there are only a few networks ISE needs to reach; otherwise you must add another default GW, which will only be used for traffic that originates on Gig1. This is to prevent asymmetric routing.

As for the NAS (WLC): it will need to know the IP addresses of the two new interfaces. Configure those in the WLC.

Golden rule for any multi-interface ISE node:

1) SSH/HTTP (admin) is only possible on Gig0

2) RADIUS/TACACS/portals can run on any interface

Thank you, Arne Bier, that helps. I have already gone through adding the interfaces and restarting the ISE application services on the PSNs. I would imagine, then, that the routes are updated on the individual PSNs respectively and not through the management node? Will adding static routes also cause an application reboot?

And, thinking about the whole process, I have built out a new AAA profile on my WLC for the "DMZ" PSN nodes.

You're right about the static routes and default GW config: it's done per node, on the node CLI. It's part of ISE ADE-OS (the IOS-like CLI shell that runs on top of Linux).

However, your design is not 100% bulletproof: just because the Gig1 interface is in another subnet (DMZ) doesn't mean that the ISE node itself is not vulnerable. If you're concerned about a guest hacking their way into your ISE (which also controls your Enterprise 802.1X etc.), then some would argue strongly for an independent ISE deployment just for guest. That is the best you can do. But for cost and other reasons, what you're doing is sensible, because it allows you to "pull the plug" on Gig1 in an emergency on the guest network and have the rest of your ISE keep working. Can an attacker do anything bad to your ISE via the guest network? I don't think so, but you MUST put tight pre- and post-auth ACLs in place to ensure the guest can only access TCP/8443 (or whatever port your guest portal runs on). In the worst case, they can run a SYN flood, but I think ISE tries to catch and counteract that. Cross-site scripting vulnerabilities are probably the other issue. Just keep that ISE upgraded and patched as much as you can.
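The "tight ACLs" point above is easy to get subtly wrong: a rule that permits "ip any" to the portal's DMZ address also exposes every other listener on that IP. The following is an added example, not code from the thread or from Cisco: it models the guest-side filter (the firewall rule set the OP mentions, or an equivalent pre-auth ACL) as a generic first-match permit/deny list with implicit deny, then audits it against the flows a guest must have (DHCP, DNS, TCP/8443 to the portal) and the flows a guest must never have (SSH, the admin GUI port and RADIUS on either PSN address, and the admin node). The addresses, the `WEAK_ACL`/`HARDENED_ACL` rule sets and the flow lists are constructed assumptions; the model is not the WLC's own redirect-ACL syntax, whose permit/deny semantics differ.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "ip" (any protocol)
    dst: ipaddress.IPv4Network   # destination prefix
    dport: Optional[int] = None  # None matches any destination port


@dataclass(frozen=True)
class Flow:
    proto: str
    dst: str
    dport: int


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s)


def evaluate(acl: List[Ace], flow: Flow) -> str:
    """First-match evaluation of a guest -> destination flow, implicit deny at the end."""
    dst = ipaddress.ip_address(flow.dst)
    for ace in acl:
        if ace.proto not in ("ip", flow.proto):
            continue
        if dst not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != flow.dport:
            continue
        return ace.action
    return "deny"


# Assumed addresses (not from the thread): PSN Gig1 in the DMZ, PSN Gig0 and the PAN internally.
PORTAL_DMZ = "172.16.1.100"
PSN_INTERNAL = "10.10.10.100"
ADMIN_NODE = "10.10.10.10"

# Weak filter: DHCP and DNS, then "ip any" to the portal address -> every port on that IP.
WEAK_ACL = [
    Ace("permit", "udp", net("0.0.0.0/0"), 67),
    Ace("permit", "udp", net("0.0.0.0/0"), 53),
    Ace("permit", "ip", net(PORTAL_DMZ + "/32")),
]

# Hardened filter: only the portal port on the DMZ address, internal space explicitly denied.
HARDENED_ACL = [
    Ace("permit", "udp", net("0.0.0.0/0"), 67),
    Ace("permit", "udp", net("0.0.0.0/0"), 53),
    Ace("permit", "tcp", net(PORTAL_DMZ + "/32"), 8443),
    Ace("deny", "ip", net("10.0.0.0/8")),
]

# Constructed expectations for a guest client: what must work and what must never be reachable.
REQUIRED = [Flow("tcp", PORTAL_DMZ, 8443), Flow("udp", "8.8.8.8", 53)]
FORBIDDEN = [
    Flow("tcp", PORTAL_DMZ, 22),     # SSH on the DMZ address
    Flow("tcp", PORTAL_DMZ, 443),    # admin GUI port on the DMZ address
    Flow("udp", PORTAL_DMZ, 1812),   # RADIUS straight from a guest client
    Flow("tcp", PSN_INTERNAL, 443),  # the same PSN's Gig0 (admin) address
    Flow("tcp", ADMIN_NODE, 443),    # PAN GUI
    Flow("tcp", ADMIN_NODE, 22),     # PAN SSH
]


def audit(acl: List[Ace]) -> List[str]:
    """Return the list of violations; an empty list means the filter passes."""
    problems = []
    for f in REQUIRED:
        if evaluate(acl, f) != "permit":
            problems.append(f"required flow blocked: {f.proto}/{f.dst}:{f.dport}")
    for f in FORBIDDEN:
        if evaluate(acl, f) == "permit":
            problems.append(f"forbidden flow allowed: {f.proto}/{f.dst}:{f.dport}")
    return problems


if __name__ == "__main__":
    for name, acl in (("weak", WEAK_ACL), ("hardened", HARDENED_ACL)):
        print(name, audit(acl) or "OK")
```

Running it reports three violations for the weak list (SSH, the GUI port and RADIUS all reachable on the DMZ address) and none for the hardened one. The same `audit` can be pointed at whatever flow lists match a real deployment; the value is in writing the forbidden flows down explicitly rather than trusting that a separate subnet keeps guests away from the rest of the node.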

Arne, I really appreciate your insights here. I am researching how to add a separate gateway for the second interface I have configured for the DMZ. Yes, my plan is to have tight ACLs around my ISE portal and run that traffic through my firewall. So my WLC will offload guest traffic into a VRF, which will then only have internet access by way of my firewall. At the firewall level I am also adding rules to allow portal traffic to my ISE portal... So it is a bit redundant with ACLs and firewall rules, but security is better when layered.

For the second interface, you create a default gateway with the command (e.g. assume Gig1 is 10.10.10.100/24 and the default GW is 10.10.10.1):

ip route 0.0.0.0 0.0.0.0 gateway 10.10.10.1
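Why the second default route matters, as an added illustration that is not part of the thread: a portal reply sourced from the Gig1 (DMZ) address has to leave through Gig1, or the stateful firewall in front of the DMZ sees a reply it never saw the request for and drops it. The script below models the node's egress choice with longest-prefix match plus the behaviour Arne describes (the extra default gateway used only for traffic that originates on Gig1), first with a single default route via Gig0 and then with the second one added. The interface names, the 10.10.10.0/24 and 172.16.1.0/24 addressing and the guest client address are assumptions; how ISE implements the source-based selection internally is not documented on this page, so the model reproduces the described outcome, not the ADE-OS internals.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    gateway: Optional[str]          # None means directly connected
    iface: str                      # egress interface
    src_iface: Optional[str] = None  # if set, only packets sourced from that interface's address may use it


# Assumed node addressing (not from the thread): Gig0 internal/admin, Gig1 in the DMZ.
INTERFACES = {
    "GigabitEthernet0": ipaddress.ip_interface("10.10.10.100/24"),
    "GigabitEthernet1": ipaddress.ip_interface("172.16.1.100/24"),
}


def _connected():
    return [Route(i.network, None, name) for name, i in INTERFACES.items()]


# Table after only "ip route 0.0.0.0 0.0.0.0 gateway 10.10.10.1": one default, via Gig0.
SINGLE_DEFAULT = _connected() + [
    Route(ipaddress.ip_network("0.0.0.0/0"), "10.10.10.1", "GigabitEthernet0"),
]

# Table after also adding "ip route 0.0.0.0 0.0.0.0 gateway 172.16.1.1", modelled as a
# second default that only packets sourced on Gig1 may use (source-based routing).
TWO_DEFAULTS = SINGLE_DEFAULT + [
    Route(ipaddress.ip_network("0.0.0.0/0"), "172.16.1.1", "GigabitEthernet1",
          src_iface="GigabitEthernet1"),
]


def owning_iface(ip: str) -> Optional[str]:
    """Which interface owns this source address, if any."""
    addr = ipaddress.ip_address(ip)
    return next((n for n, i in INTERFACES.items() if i.ip == addr), None)


def lookup(table, src_ip: str, dst_ip: str) -> Optional[Tuple[str, Optional[str]]]:
    """Egress (interface, gateway) for a packet the node itself sends from src_ip to dst_ip."""
    dst = ipaddress.ip_address(dst_ip)
    src_iface = owning_iface(src_ip)
    candidates = [r for r in table
                  if dst in r.prefix and (r.src_iface is None or r.src_iface == src_iface)]
    if not candidates:
        return None
    # Longest prefix wins; on a tie the source-specific (policy) route beats the plain one.
    best = max(candidates, key=lambda r: (r.prefix.prefixlen, r.src_iface is not None))
    return best.iface, best.gateway


def is_symmetric(table, src_ip: str, dst_ip: str) -> bool:
    """True when the packet leaves through the interface that owns its source address."""
    hit = lookup(table, src_ip, dst_ip)
    return hit is not None and hit[0] == owning_iface(src_ip)


if __name__ == "__main__":
    guest = "192.168.50.23"  # constructed guest client address, behind the firewall
    for name, table in (("one default", SINGLE_DEFAULT), ("two defaults", TWO_DEFAULTS)):
        path = lookup(table, "172.16.1.100", guest)
        state = "symmetric" if is_symmetric(table, "172.16.1.100", guest) else "ASYMMETRIC"
        print(f"{name}: portal reply to {guest} leaves via {path} ({state})")
```

With one default route the portal reply sourced from 172.16.1.100 is sent out Gig0 towards 10.10.10.1, which is exactly the asymmetric path the second default gateway prevents; with both routes the same reply leaves Gig1 towards 172.16.1.1, while RADIUS traffic sourced from the Gig0 address still uses the internal gateway. Running `show ip route` on the node after the change is the real-world counterpart of this check.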

Arne, I have a default gateway already defined; it would be the DMZ interface that I need to add a route for. To keep going with your example, 10.10.10.100 is set with the GW of 10.10.10.1, and my second interface for the DMZ is set to 172.16.1.100. So I should be adding a route for all DMZ traffic to go to 172.16.1.1.


Sorry, what is the issue here? Can you draw the topology?

MHM

Do I need to set up a new AAA instance profile in my WLC to see these new PSN IPs? Yes, I need to set up a new AAA instance profile in my WLC.
If so, is there something I need to do in ISE so that these PSNs can talk with AAA on the new interface? Yes, I need to add a route for DMZ traffic on my PSNs to route traffic to the DMZ gateway...
Also, how can I create a new URL redirect for the new interfaces/Hotspot portal? Right now ISE is only providing an IP for the portal. (Edited slightly from the top of the thread.)
Presently it is not working, but I have had limited time for testing and adjusting configurations.