
1942 Views · 20 Helpful · 8 Replies
josimaru85
Beginner

Cisco ISE 2.4 -- Problem to segment G1 to PortalGuest only

Hi Everyone

I have a task to create a new interface (G1) on ISE intended just for the PortalGuest, and I have a problem.

This is my topology:

ISEBR
Gi0 192.168.123.25/24
Gi1 192.168.185.25/24 (PortalGuest)

ISEPSN
Gi0 192.168.123.26/24
Gi1 192.168.185.26/24 (PortalGuest)

ISEJP
Gi0 172.28.123.25/24
Gi1 172.28.185.25/24 (PortalGuest)

 

HA

ISEBR (Primary) and ISEJP (Secondary)
Both (PAN+MGT+PSN)


When I click on Portal test, the URL only tries to push me to the G0 interface of the ISE primary or the ISE secondary.

Has someone already had this problem?

Accepted Solution

Hi,
Greg gave you a sample of how to apply the ip host command I was talking about.

Just to clarify. In my deployments, I use 3 interfaces all the time:
- gig0 as default management
- gig1 for radius/tacacs
- gig2 for portals.

On gig1 and 2, I use anycast to avoid multiple FQDNs (1 per host). If you have any load balancer solution you can achieve the same thing.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

8 Replies
Francesco Molino
VIP Mentor

Hi

You mean that when you click on the Portal test button, it opens a new page using your gig0 FQDN?
Have you configured the ip host command on the CLI to define a specific FQDN for the gig1 interface?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi Francesco,

I also wanted to try using other interfaces for data traffic while leaving gig0 for management only, but I am not able to find guides on the required configuration steps.

Can you please help me find a guide on how to configure interfaces other than gig0 to handle data traffic such as wired data traffic or wireless guest traffic, while leaving gig0 only for management traffic?

I don't think the official guide explains it as a straightforward use case, and all tutorials I have seen use Gig0 only.

Your advice would be highly appreciated.

Best,

L

Hi

Other interfaces are configured on the CLI. Connect over SSH to your ISE, then go to conf t and enter interface configuration with a command such as interface gig1. There you can assign an IP address. Then, in conf t mode (not under interface config), you can add a default route pointing towards the gateway of this new interface.

In conf t mode, you'll also need to configure the FQDN that ISE will send out to users reaching this interface for services, using the command ip host.

Be careful: you can have one FQDN per interface IP, and by default it must be different on all your nodes, as you'll have a different IP per node per interface.

To simplify this, you can have an anycast architecture, so the same IP and the same FQDN on all nodes. Users will access the closest ISE node based on the routing.

What do you mean by one interface for wired, one for wireless? Usually you have one interface for RADIUS/TACACS authentication and one for portals. At least, this is the way I deploy them.

I have not found clear documentation showing all this in one global doc. However, if you search piece by piece, you'll find multiple documents explaining each part separately.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi Francesco,

Thank you for the information provided. Much appreciated.

Based on your information I am assuming the following:

Two ISE ports are connected to a switch that leads towards the Internet. One of them carries management traffic and RADIUS/TACACS+, while the other carries the portal traffic.

For the management and RADIUS/TACACS+ traffic, it is the default port Gig0 that we configure during the base setup.

Meanwhile, for the portal interface, we check the port in the portal settings when we set up the portals, and that is when the portal traffic gets passed through that interface.

Now, I am not sure I have seen anywhere so far how to add an FQDN to an interface, but I will be after that today. If you have something, please share it with me.

If you are a blogger and have something similar posted somewhere, I would be highly interested to read it.

Thank you and best wishes,

L

As @Francesco Molino mentioned, you need to create an FQDN alias using the 'ip host' command on the ISE node when using a separate interface for guest portal traffic. The FQDN configured is then the one that is presented to the client in the URL redirect sent by the PSN that handles the initial RADIUS session.

The syntax is as follows. A unique FQDN must be used on each PSN and restarting the app server service will be required.

(config)# ip host <gig1_ip_address> <portal hostname|FQDN>

 

For more information on traffic flows and best practices, see the following Cisco Live presentation.

Advanced ISE Architect, Design and Scale ISE for your production networks - BRKSEC-3432 
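The steps Francesco describes above and the ip host syntax Greg quotes, collected into one ISE 2.4 CLI session. This is an added example, not configuration posted in the thread or taken from Cisco documentation for this deployment. The interface address is the poster's ISEBR Gi1 (192.168.185.25/24); the gateway 192.168.185.1, the guest client prefix 10.50.0.0/16 and the FQDN guest-br.example.com are assumptions. The thread suggests a default route towards the new interface's gateway; the example instead routes only the assumed guest prefix via Gi1 so that Gi0 keeps the default gateway set during base setup, which is the usual way to avoid two competing defaults. Each PSN gets its own FQDN unless anycast or a load balancer is in front, as noted above.

```cisco
! Added example (not from the thread): ISE 2.4 ADE-OS CLI on node ISEBR.
! Gi1 address is from the poster's topology; gateway, guest prefix and FQDN are assumed.

ISEBR/admin# configure terminal

! 1. Bring up the portal interface with its own address
ISEBR/admin(config)# interface GigabitEthernet 1
ISEBR/admin(config-GigabitEthernet)# ip address 192.168.185.25 255.255.255.0
ISEBR/admin(config-GigabitEthernet)# no shutdown
ISEBR/admin(config-GigabitEthernet)# exit

! 2. Route the guest client networks via the Gi1 gateway (global config, not under
!    the interface). Assumed prefix; the thread uses a default route instead.
ISEBR/admin(config)# ip route 10.50.0.0 255.255.0.0 gateway 192.168.185.1

! 3. Bind the FQDN that the redirect URL will carry to the Gi1 address.
!    One FQDN per interface IP; ISEPSN and ISEJP each need their own (e.g. guest-psn.example.com).
ISEBR/admin(config)# ip host 192.168.185.25 guest-br.example.com
ISEBR/admin(config)# exit

! 4. The ip host mapping is only picked up after the application restarts
ISEBR/admin# application stop ise
ISEBR/admin# application start ise

! 5. Checks: interface up, route present, mapping stored, name resolves from the node
ISEBR/admin# show interface GigabitEthernet 1
ISEBR/admin# show ip route
ISEBR/admin# show running-config | include ip host
ISEBR/admin# nslookup guest-br.example.com
```

Two things the CLI does not cover and a practitioner will want to verify before calling this done: the guest portal must still list Gi1 among its allowed interfaces in the portal settings (the step L describes earlier in the thread), and the client-facing DNS must resolve guest-br.example.com to 192.168.185.25 while the certificate assigned the Portal role includes that name in its SAN, otherwise the redirect lands on a hostname browsers will flag as untrusted.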

 

Hi Greg, 

 

Thank you. Information provided is much appreciated. 

 

Best,


Hi Francesco

 

Thank you. Information provided is much appreciated. 

 

Best,
