Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2279
Views
11
Helpful
8
Replies

CWA design with 2 ISE deployments (Certificates, dns )

Go to solution
REJR77
Level 1
Level 1

‎05-11-2020 08:08 AM - edited ‎05-11-2020 09:15 AM

Hello,

I have a question with a 2 ISE nodes setup and Guest portal.

We will use eth1 for guest portal (with private IP).

PSN1: eth1: 192.168.1.10 <=> guestportal1.company.com

PSN2: eth1: 192.168.1.11 <=> guestportal2.company.com

And we will use another fqdn for the guestportal (let's say guestportal.company.com)

Certificate can be: CN=guestportal.company.com with SAN1: guestportal1.company.com and SAN2: guestportal2.company.com

 

I see in the Authorization Profile that the user will be redirected to

cisco-av-pair = url-redirect=https://ip:port/portal/gateway?sessionId=SessionIdValue&portal=265dc4f0-2e58-11e9-98fb-0050568775a3&action=cwa&type=drw

 

I understand the "ip" will be replaced by the PSN IP address in charge of the session.

But the user will be redirected to https://192.168.1.10:8443/portal..... and will get a certificate warning (official CA don't allow to sign cert with private IP as far as I know).

 

As guest won't trust a certificate signed for a private IP address, how can we use fqdn for the guest portal?

 

I see an option "StaticIP/Hostname/FQDN" in the AuthZ profile, but again if I type : guestportal.company.com I need to resolve to 192.168.1.10 AND 192.168.1.11 and potentially it won't be the ISE that handle the session...

 

I am a bit lost with this CWA config....

What is the recommanded way to do with the objective that each PSN can potentially handle requests? (without any loadbalancer)

 

 

Image 5.png

 

 

Thank you for clarification :)

 

 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Arne Bier
VIP
VIP

‎05-12-2020 01:16 AM

Nice question.

You will need two Authorization Result Profiles - one per PSN

And in each one you specify the FQDN of the PSN that will host the portal page.

 

In your MAB policy set you will have an Authorization Rule that checks which PSN is currently processing this RADIUS request (ISE Hostname = blah) - and then return the respective Authorization Result for that specific PSN.

 

Hope that clarifies.

View solution in original post

8 Replies 8

Go to solution
Arne Bier
VIP
VIP

‎05-12-2020 01:16 AM

Nice question.

You will need two Authorization Result Profiles - one per PSN

And in each one you specify the FQDN of the PSN that will host the portal page.

 

In your MAB policy set you will have an Authorization Rule that checks which PSN is currently processing this RADIUS request (ISE Hostname = blah) - and then return the respective Authorization Result for that specific PSN.

 

Hope that clarifies.

Go to solution
REJR77
Level 1
Level 1
In response to Arne Bier

‎05-12-2020 05:20 AM

Hello,

Thank you for the answer.
Nice trick... Use 2 AuthZ Rules. The first one will be used when Session is handled by PSN1 and the second one when PSN2...
So no need to play with "ip alias hostname" in the ISE CLI config?
Regards

0 Helpful

Go to solution
Arne Bier
VIP
VIP
In response to REJR77

‎05-12-2020 05:43 AM

It’s the standard practice with two PSN Setup. If you have more PSNs then you need to front them with a load balancer and some clever persistence logic

 

the alias command is only needed if you have more than one interface on the PSN and you’re not using the host name which is by default associated with gig0 

Go to solution
Darkmatter
Level 1
Level 1
In response to Arne Bier

‎06-05-2023 06:23 AM

Apologies to revive this thread, but i've kinda want to accomplish the same.
Is there any documentation available where this been explained clearly, together with all the steps you need to take.

I'm a bit stuck at the creation of the 2 authorization rules. Where or how can i specify in the rule to make the distinction between the 2 different PSN?

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to Darkmatter

‎06-05-2023 06:32 AM

@Darkmatter create one authorisation rule using the condition "Network Access ISE Host Name CONTAINS <PSN 1>" and return the PSN 1 Portal in an authorisation profile.

Create a second authorisation rule using the condition "Network Access ISE Host Name CONTAINS <PSN 2>" and return the PSN 2 Portal in an authorisation profile.

There is an example here, modify to fit your requirements.

Go to solution
Darkmatter
Level 1
Level 1
In response to Rob Ingram

‎06-05-2023 09:42 AM

Thanks a lot, Rob! This was of great help to get a good overview.

Last question, though: what if you can't use a wildcard certificate? Request a normal cert with both PSN as SAN? How to go about with DNS?

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to Darkmatter

‎06-05-2023 10:11 AM - edited ‎06-05-2023 10:20 AM

@Darkmatter as you create two authorisation profiles, define a static FQDN which resolves to the PSN1 FQDN and another authorisation profile for PSN2 FQDN, then use those different authorisation profiles in the authorisation rules. There both PSN's can have a different certificate or the same with multiple SAN entries.

Example:

1111.png

0 Helpful

Go to solution
Darkmatter
Level 1
Level 1

‎06-06-2023 06:58 AM - edited ‎06-07-2023 12:10 AM

Last piece of the puzzle is DNS and NAT, how to go about that?

As we want to use a public certificate, the traffic should be NAT'ed to the actual guest portal FQDN's, but it don't directly see how to accomplish this best practice on a 2 node deployment without some kind of load balancer.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents