707 Views | 0 Helpful | 1 Replies

Cisco ISE - Sponsor portal

iran
Level 1

I have a distributed setup with 6 PSN.

I have configured the Gi0 for MGMT and Gi1 for guest portal.

For Guest portal I have selected Gi1, and I am able to access the portal using https://PSN_Gi1_address:8443.

I am able to access using the IP address of all PSN Gi1 interfaces.

[screenshot: iran_0-1699956504116.png]

For Sponsor portal, I have configured the Gi1; however, I am only able to access the sponsor portal using one PSN IP address. When I try with the remaining PSN nodes' Gi1 interface IPs, it does not work. https://PSN_Gi1_address:84435.

[screenshot: iran_1-1699956614144.png]

I would like to clarify the following?

1- How can we define where the sponsor portal will be hosted?

2- How do we know which node is being used as primary Sponsor?

3- When we select Gi1, does it mean that the sponsor portal is hosted on all PSN nodes? If yes, how can we define the FQDN in case we have 6 PSN nodes? In this case it seems that I will have to configure an FQDN that resolves to the 6 IP addresses, and in terms of performance that is not good.

Note: What I did to test it was use the Portal test URL from the PAN node.

[screenshot: iran_2-1699957413418.png]

1 Reply

Arne Bier
VIP

Hello @iran

In my deployment I am able to access the Sponsor Portal on more than one PSN, but only once I change the DNS to point to the other node. I only have a single DNS CNAME that points to the DNS A Record of my preferred PSN. I want the experience of accessing the Sponsor Portal to be easy for the employees, by typing a simple URL in their browser. As you said, putting more than one IP address into DNS is not the smartest way to do things, because the employee's end devices will make a random decision about which IP address they will use after DNS provides them with more than one option. I think I did this back in the day as a kind of cheap HA. But I don't anymore. And also, a user should not care which Sponsor Portal to type into the URL - because ISE will perform URL redirection and it performs TCP/443 to TCP/8445 - and it also inspects the URL and then matches the FQDN in the cert. It's not something that I haven't seen well explained.

 

Bottom line, I only have ONE Sponsor Portal, and it's a simple FQDN that I include in the same certificate as the PSN's Admin cert (as part of the SAN). The reason I did that is because of all this URL redirection - I found the code buggy and I was unable to use a separate Certificate Tag for Sponsor - it worked once, and then never again after I made some minor change. I gave up fighting this and now I have a great working solution.

Don't worry too much about having Sponsor Portals all over the place. Sponsor Portal doesn't work anyway if the Primary PAN is down. And if you have users over a WAN, then no big deal - Sponsor Portal is not heavy on traffic.
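The reply above relies on two things an administrator can verify rather than assume: that the sponsor FQDN resolves to a single preferred PSN (a CNAME onto one A record), and that the certificate each PSN presents on the portal port carries that FQDN in its SAN. The script below is an added example, not Cisco or ISE code; the FQDN, node addresses, port and CA bundle path are placeholders you would replace with your own.

```python
"""Verify a Sponsor Portal FQDN against DNS and each PSN's portal certificate.
Added example, not Cisco/ISE code. FQDN, node IPs, port and CA path are assumed."""
import socket
import ssl

SPONSOR_FQDN = "sponsor.example.com"       # assumed: the CNAME employees type
PSN_NODES = ["192.0.2.11", "192.0.2.12"]   # constructed: Gi1 addresses of the PSNs
PORTAL_PORT = 8445                         # the sponsor portal port from the thread
ISE_CA_BUNDLE = "ise-ca.pem"               # assumed: PEM file with the issuing CA


def san_dns_names(cert: dict) -> list:
    """Return the dNSName entries from the dict that ssl.getpeercert() yields."""
    return [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]


def hostname_matches(fqdn: str, san_names: list) -> bool:
    """RFC 6125-style check: exact match, or a left-most '*' covering one label."""
    fqdn = fqdn.lower().rstrip(".")
    for name in san_names:
        name = name.lower().rstrip(".")
        if name == fqdn:
            return True
        if name.startswith("*."):
            suffix = name[1:]                                    # ".example.com"
            label = fqdn[: -len(suffix)] if fqdn.endswith(suffix) else ""
            if label and "." not in label:                       # exactly one label
                return True
    return False


def resolve_sponsor(fqdn: str = SPONSOR_FQDN) -> list:
    """Addresses the FQDN resolves to; more than one means clients pick at random."""
    _canonical, _aliases, addresses = socket.gethostbyname_ex(fqdn)
    return addresses


def fetch_cert(node_ip: str) -> dict:
    """TLS-connect to one PSN with the sponsor FQDN as SNI and return its cert.
    Chain validation stays on (against ISE_CA_BUNDLE); only the hostname check
    is turned off so a cert that does NOT yet list the FQDN can be inspected."""
    ctx = ssl.create_default_context(cafile=ISE_CA_BUNDLE)
    ctx.check_hostname = False
    with socket.create_connection((node_ip, PORTAL_PORT), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=SPONSOR_FQDN) as tls:
            return tls.getpeercert()


def check_nodes(nodes=PSN_NODES) -> dict:
    """Map each PSN IP to True/False (SAN covers FQDN) or None (unreachable/untrusted)."""
    results = {}
    for ip in nodes:
        try:
            results[ip] = hostname_matches(SPONSOR_FQDN, san_dns_names(fetch_cert(ip)))
        except (OSError, ssl.SSLError):
            results[ip] = None
    return results
```

Run `check_nodes()` after a certificate change: any PSN reporting False will still fail the FQDN match after the TCP/443 to TCP/8445 redirect, and `resolve_sponsor()` returning more than one address reproduces the random-node behaviour described above.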