05-19-2019 07:37 AM - edited 05-19-2019 07:38 AM
ISE 2.3 patch 5
I have a question on the client provisioning portal FQDN setting. I have three PSN nodes (2 in one data center and 1 in another data center). Now, if I create DNS A records for the CPP portal that point to the 3 PSN nodes like this:
posture.ise.com psn1-ip-address
posture.ise.com psn2-ip-address
posture.ise.com psn3-ip-address
and then let my DNS server take care of the load balancing, will it cause a problem where a user is initially authenticated to, say, psn1, but when they want to do posture, DNS resolves to psn2 and sends the user to psn2 to do the posture piece?
Specifically, I am referring to the dual-SSID BYOD scenario with the temporal agent, where the user authenticates to the secure SSID and goes to psn1, but when they need to do the posture check and enter posture.ise.com in the browser, DNS resolves it to psn2. Would this cause a problem?
05-19-2019 04:55 PM
Hi
With portals in ISE, you must ensure that the server responding to the user is always the same as the first one, due to the session ID.
You have 2 designs to accomplish that:
- Use a load balancer with a unique FQDN; it will ensure the session is kept straight to the same PSN.
- Use an anycast design: attach the portal to a dedicated interface and set up the same IP on all your PSNs; afterwards it's just routing play. In terms of DNS, you will only have 1 FQDN matching 1 IP, and you ensure that users are always redirected to the same server the session ID belongs to.
05-20-2019 03:31 PM
I won't be able to use either of these options in the current network. I am just having a lot of difficulty, in terms of user experience, getting redirected for posturing with the temporal agent. The issue is that when a user enters a URL, the browser doesn't seem to honour the redirect and instead shows "This site can't be reached". They need to try multiple sites and/or open new browser tabs/windows and hit a few URLs until the browser decides to honour the redirect and load the posturing portal.
05-19-2019 05:08 PM
If you have a read over BRKSEC-3699, it says you don't need a load balancer for redirect-URL web services like posturing:
"PSN that terminates RADIUS returns URL Redirect with its own certificate CN name substituted for ‘ip’ variable in URL."
So my understanding is that if you're already load balancing RADIUS, the redirect URL will automatically point the client back to the same PSN the RADIUS request was received on.
But if you're doing the Sponsor portal or the MyDevices portal, the sponsor admins won't be redirected by RADIUS, so that will require a load balancer VIP or anycast.
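To make the two paths discussed in this thread concrete, here is an added example (not from the thread or from Cisco) that models them side by side: a user typing a round-robin DNS name versus a user following a RADIUS redirect URL in which the terminating PSN's own name replaces the 'ip' variable. PSN names, IPs, the URL layout and the session IDs are constructed placeholders, and the posture session is modelled as living only on the PSN that terminated RADIUS, as the replies above describe.

```python
import random
from urllib.parse import urlencode, urlsplit

# Constructed PSN inventory (hypothetical names and addresses, not from the thread).
PSNS = {"psn1": "10.0.1.11", "psn2": "10.0.1.12", "psn3": "10.0.2.13"}


def detect_round_robin(records):
    """Configuration check: return FQDNs that carry more than one A record,
    i.e. names a DNS server would answer unpredictably for a sticky portal."""
    return sorted(name for name, ips in records.items() if len(ips) > 1)


def resolve_round_robin(fqdn, records, rng):
    """Model a DNS server handing out one of several A records for one name."""
    return rng.choice(records[fqdn])


def build_redirect_url(terminating_psn, session_id, portal_id):
    """Model the redirect URL a PSN returns with RADIUS: the terminating PSN's
    own certificate CN takes the place of the 'ip' variable (layout assumed)."""
    query = urlencode({"sessionId": session_id, "portal": portal_id, "action": "cpp"})
    return f"https://{terminating_psn}.ise.com:8443/portal/gateway?{query}"


def simulate(trials, seed=1):
    """Fraction of posture attempts that land on the PSN owning the session,
    for the round-robin path (manual URL) and the RADIUS-redirect path."""
    rng = random.Random(seed)
    shared_records = {"posture.ise.com": list(PSNS.values())}
    ip_to_psn = {ip: name for name, ip in PSNS.items()}
    manual_ok = redirect_ok = 0
    for i in range(trials):
        owner = rng.choice(list(PSNS))  # PSN that terminated the RADIUS session
        session_id = f"sess-{i:04d}"
        # Path A: the user types posture.ise.com; DNS may answer with any PSN.
        ip = resolve_round_robin("posture.ise.com", shared_records, rng)
        if ip_to_psn[ip] == owner:
            manual_ok += 1
        # Path B: the browser follows the redirect URL naming the owner PSN.
        host = urlsplit(build_redirect_url(owner, session_id, "cpp-portal")).hostname
        if host.split(".")[0] == owner:
            redirect_ok += 1
    return manual_ok / trials, redirect_ok / trials
```

With three PSNs the manual path reaches the session owner only about one time in three, while the redirect path always does, which is why the thread's replies insist on one FQDN per session owner (or a VIP/anycast) for portals that are not reached through a RADIUS redirect.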