02-08-2013 11:50 PM - edited 03-10-2019 08:04 PM
Could you please elaborate on how CWA works in a distributed environment?
02-09-2013 06:03 PM
CWA is configured at the administration nodes. The policy nodes send the URL string to their hostname and perform the authentication and provide services such as guest authentication and my device portal.
Thanks
02-09-2013 06:07 PM
Hello Mohit-
Can you please elaborate a little more on your question? What exactly are you trying to accomplish? The CWA process is handled by the Policy Services (PDP) node. If you have more than one (distributed) then you can place them behind a load balancer (if L2 adjacent). If the nodes are spread geographically then you specify which PDP nodes each NAD client would use.
Thank you for rating!
02-09-2013 11:51 PM
Thanks Tarik and Neno for your response...
My question is: if one PSN goes down and my NAD is configured with 2 PSN IPs, then in that situation the client request will go to the 2nd PSN, and the 2nd PSN will provide the url-redirect link. In that condition, which PSN host name would be shown in the client browser?
In my scenario, consider PSN A as primary and PSN B as secondary.
And one more thing I want to ask, can we customize the Guest Portal URL, as we have the option for Sponsor and My Device Portal under Guest/Sponsor SSL settings?
02-10-2013 07:28 PM
Yes, if one of the PSNs goes down, the NAD will flag it as down. As a result, future AAA messages/functions will be forwarded to the secondary PSN node.
I don't think you can customize the URL for the guest portal. I am not 100% sure though so perhaps Tarik can confirm this. I am not going to be back in my lab for a while now otherwise I was going to test it.
Thank you for rating!
02-10-2013 09:17 PM
Thanks Neno for your response...
To implement CWA in a distributed environment, we need to add Subject Alternative Names in the certificate.
I have already gone through the steps given in the BYOD design guide, but my concern is: if I buy a third-party CA certificate for ISE, how would I be able to achieve the same?
http://www.cisco.com/en/US/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/byoddg.html
Would I need to ask the certificate vendor to add Subject Alternative Names? Will they do that?
02-20-2013 09:15 AM
Sorry for the delayed reply Mohit!
Yes, I am sure public CAs will be willing to sell you a SAN certificate; however, my guess is that it will be expensive. If you are only dealing with a couple of PDP nodes, then I would recommend that you get two separate public certificates instead of the SAN type. The only time I would bother with SAN certificates is if I am dealing with a lot of nodes and/or when I put the PDPs behind a load balancer.
Hope this helps!
Thank you for rating!
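The following check is an added example, not part of the original thread and not Cisco code. It compares the hostname in each node's redirect URL against the DNS SAN entries of the certificate installed on that node, for the two options discussed above (separate certificates per node, or one SAN certificate) and for a mismatch after failover. All hostnames, URLs and function names are hypothetical.

```python
from urllib.parse import urlsplit

def name_matches(san: str, host: str) -> bool:
    """RFC 6125-style match: a wildcard covers exactly one leftmost label."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if san.startswith("*."):
        head, _, tail = host.partition(".")
        return bool(head) and tail == san[2:]
    return san == host

def uncovered_redirects(node_certs: dict, redirect_urls: list) -> list:
    """Return (node, host) pairs where the redirect host is absent from that node's SANs.

    node_certs maps the PSN that issues the redirect to the DNS SAN entries
    of the certificate installed on it; redirect_urls is a list of
    (node, url) tuples.
    """
    problems = []
    for node, url in redirect_urls:
        host = urlsplit(url).hostname or ""
        if not any(name_matches(s, host) for s in node_certs.get(node, [])):
            problems.append((node, host))
    return problems

# Constructed sample data: hypothetical hostnames and redirect URLs.
REDIRECTS = [
    ("psn-a", "https://psn-a.example.com:8443/portal?session=abc"),
    ("psn-b", "https://psn-b.example.com:8443/portal?session=def"),  # after failover
]
# Option 1: two separate certificates, one name each.
SEPARATE_CERTS = {"psn-a": ["psn-a.example.com"], "psn-b": ["psn-b.example.com"]}
# Option 2: one SAN certificate listing both nodes, installed on both.
SHARED_SAN = ["psn-a.example.com", "psn-b.example.com"]
SAN_CERT = {"psn-a": SHARED_SAN, "psn-b": SHARED_SAN}
# Misconfiguration: PSN A's single-name certificate copied to PSN B.
COPIED_CERT = {"psn-a": ["psn-a.example.com"], "psn-b": ["psn-a.example.com"]}

if __name__ == "__main__":
    for label, certs in [("separate", SEPARATE_CERTS), ("SAN", SAN_CERT),
                         ("copied", COPIED_CERT)]:
        print(label, uncovered_redirects(certs, REDIRECTS))
```

An empty list means every redirect hostname is covered; any pair returned is a node whose clients would see a certificate name mismatch in the browser.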
02-20-2013 05:48 PM
Thank you so much, Neno, for your answer.
03-01-2013 10:51 AM
Is there a way to get the Authorization profile to send one of the different SAN names within the certificate instead of the actual hostname? Maybe with Cisco AV Pair?