311 Views | 2 Helpful | 1 Reply

Cisco ISE - Define primary Sponsor portal

iran (Level 1)

Hi,

I would like to clarify something regarding the Guest authentication with sponsor approval via email

I am using Self-Registered Guest Portal + Sponsor approval.
Basically, Guest users are redirected to the Guest portal and need to provide the email of the sponsor user.

The sponsor user receives an email that contains a link to approve/deny, and when he clicks on the link he is redirected to the sponsor portal.
My questions are :

1- How can we define a specific PSN to be the primary Sponsor portal?

2- How do we know which PSN node is being used as the primary Sponsor portal?

3- When we select Gi0, does it mean that the sponsor portal is hosted on all PSN nodes? If yes, how can we define the FQDN in case we have 6 PSN nodes? In this case, it seems that I will have to configure an FQDN that resolves to the 6 IP addresses, and in terms of performance that is not good.

4- Which approach should be used to configure the FQDN for the sponsor portal?


I defined Gi 0 as the interface for Sponsor Portal.

[attached screenshot: iran_0-1708812881471.png]


Thank you in advance

1 Reply

Arne Bier (VIP)

Hello @iran  

The Sponsor Portal runs on all PSN nodes. I don't know of any way to steer the sponsor portal to specific PSNs, especially during the self-registration process.

I tend to define a static FQDN for the sponsor portal. And in DNS, I would assign the A record to one of the PSNs. You can create multiple A records (one for each PSN) for the same FQDN, and then the client devices get a list of IPs to choose from. However, that is not a load balancing technique - the operating system will select one of those, and that selection is not deterministic (to my knowledge) - but you have some HA at least.

Do you expect a lot of users to be on this sponsor portal?  I think one PSN can handle it - it's unlikely to be overloaded - just doing html stuff.

The biggest pain with Sponsor Portals is the certificate - I found the only way to get it working is to create a cert that contains the FQDN of the node and the sponsor FQDN in the SAN. And BTW, you should also assign that cert to the Admin role, since the URL redirection to TCP/8443 happens on TCP/443. To avoid cert warnings, for the Sponsor certificate it's best to use the same cert that's used for the Admin role. The subject is not important - it's the SAN that must contain the FQDNs.

[attached screenshot: ArneBier_0-1708893477984.png]
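The two things the reply above stresses (every PSN's certificate must carry both its own node FQDN and the sponsor FQDN in the SAN, and the sponsor FQDN's A records must point at PSNs) are easy to get wrong across six nodes, so here is a pre-deployment check for them. This is an added example, not code from the thread or from Cisco ISE; the node names, IPs, SAN lists and A records below are constructed, and the per-PSN SAN list is assumed to have been read beforehand from the certificate bound to the Admin/Portal roles (for instance with `openssl x509 -noout -ext subjectAltName`). A PSN missing from the A records is reported as a note rather than an error, because publishing only one A record is a legitimate choice per the reply.

```python
"""Hypothetical consistency check for a Cisco ISE sponsor-portal FQDN served by several PSNs.

Not part of ISE or of the forum thread. Inputs are constructed for the example:
per PSN its node FQDN, Gi0 IP and the dNSName SAN entries of the cert bound to
the Admin/Portal roles, plus the A records published for the sponsor FQDN.
"""
from dataclasses import dataclass


@dataclass
class Psn:
    fqdn: str      # node FQDN, e.g. psn1.example.com
    ip: str        # Gi0 address the sponsor FQDN may resolve to
    san_dns: list  # dNSName entries from the node's Admin/Portal certificate


def san_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style name match: exact (case-insensitive) or a single-label
    leftmost wildcard. '*.example.com' covers 'psn1.example.com' but not
    'example.com' or 'a.b.example.com'."""
    p, h = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if p == h:
        return True
    if p.startswith("*."):
        plabels, hlabels = p.split("."), h.split(".")
        return (len(hlabels) == len(plabels)
                and hlabels[0] != ""
                and h.endswith(p[1:]))  # p[1:] is ".example.com"
    return False


def cert_covers(san_dns, hostname: str) -> bool:
    """True if any SAN dNSName entry covers hostname."""
    return any(san_matches(s, hostname) for s in san_dns)


def check_sponsor_portal(psns, sponsor_fqdn: str, sponsor_a_records):
    """Return (errors, notes).

    errors: certificate SAN gaps that will produce browser warnings, either on
            the TCP/443 redirect (node FQDN) or on the portal itself (sponsor FQDN).
    notes:  DNS observations: PSNs the sponsor FQDN does not resolve to, and
            A records that point at something that is not a known PSN.
    """
    errors, notes = [], []
    node_ips = {p.ip for p in psns}
    for p in psns:
        for name in (p.fqdn, sponsor_fqdn):
            if not cert_covers(p.san_dns, name):
                errors.append(f"{p.fqdn}: certificate SAN does not cover {name}")
        if p.ip not in sponsor_a_records:
            notes.append(f"{p.fqdn}: {sponsor_fqdn} has no A record for {p.ip}"
                         " (this node is not reachable via the sponsor FQDN)")
    for ip in sponsor_a_records:
        if ip not in node_ips:
            notes.append(f"{sponsor_fqdn}: A record {ip} is not a known PSN")
    return errors, notes


# --- constructed sample deployment (assumed values, not from the thread) ---
SPONSOR_FQDN = "sponsor.example.com"
EXAMPLE_PSNS = [
    # explicit node FQDN + sponsor FQDN in the SAN, as the reply recommends
    Psn("psn1.example.com", "10.0.0.1", ["psn1.example.com", "sponsor.example.com"]),
    # a wildcard that happens to cover both names
    Psn("psn2.example.com", "10.0.0.2", ["*.example.com"]),
    # node FQDN only: the sponsor portal on this node will warn
    Psn("psn3.example.com", "10.0.0.3", ["psn3.example.com"]),
]
# only two of the three PSNs are published for the sponsor FQDN
SPONSOR_A_RECORDS = ["10.0.0.1", "10.0.0.2"]


if __name__ == "__main__":
    errs, nts = check_sponsor_portal(EXAMPLE_PSNS, SPONSOR_FQDN, SPONSOR_A_RECORDS)
    for e in errs:
        print("ERROR:", e)
    for n in nts:
        print("NOTE: ", n)
```

Feed it the real node list and the SAN entries pulled from each PSN's certificate before cutting over the sponsor FQDN; the error list is the set of nodes that will throw certificate warnings, the note list shows which nodes the A records actually expose.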