Beginner

CWA design with 2 ISE deployments (Certificates, DNS)

Hello,

I have a question about a setup with 2 ISE nodes and the Guest portal.

We will use eth1 for the guest portal (with a private IP).

PSN1: eth1: 192.168.1.10 <=> guestportal1.company.com

PSN2: eth1: 192.168.1.11 <=> guestportal2.company.com

And we will use another FQDN for the guest portal (let's say guestportal.company.com).

Certificate can be: CN=guestportal.company.com with SAN1: guestportal1.company.com and SAN2: guestportal2.company.com


I see in the Authorization Profile that the user will be redirected to

cisco-av-pair = url-redirect=https://ip:port/portal/gateway?sessionId=SessionIdValue&portal=265dc4f0-2e58-11e9-98fb-0050568775a3&action=cwa&type=drw


I understand the "ip" will be replaced by the PSN IP address in charge of the session.

But the user will be redirected to https://192.168.1.10:8443/portal..... and will get a certificate warning (official CAs don't allow signing a cert for a private IP, as far as I know).


As guests won't trust a certificate signed for a private IP address, how can we use an FQDN for the guest portal?


I see an option "StaticIP/Hostname/FQDN" in the AuthZ profile, but again, if I type guestportal.company.com, I need it to resolve to 192.168.1.10 AND 192.168.1.11, and potentially it won't be the ISE that handles the session...


I am a bit lost with this CWA config...

What is the recommended way to do this, with the objective that each PSN can potentially handle requests (without any load balancer)?

Thank you for clarification :)

ACCEPTED SOLUTION

VIP Advisor

Nice question.

You will need two Authorization Result Profiles - one per PSN.

And in each one you specify the FQDN of the PSN that will host the portal page.


In your MAB policy set you will have an Authorization Rule that checks which PSN is currently processing this RADIUS request (ISE Hostname = blah) - and then returns the respective Authorization Result for that specific PSN.


Hope that clarifies.

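As an added illustration of the accepted answer (this is not code from the thread, and not Cisco ISE code), the Python model below does what the two per-PSN authorization profiles do: it matches on the hostname of the PSN processing the RADIUS request, returns that PSN's profile, and builds the `url-redirect` av-pair with the PSN's portal FQDN instead of its eth1 IP. It then runs a browser-style hostname check against the SAN list from the question, so you can see why the default IP substitution produces a certificate warning and the FQDN does not. The IPs, FQDNs, SANs and portal id are taken from the post; the PSN hostnames `ise-psn1`/`ise-psn2`, the profile names and the session id are constructed for the example.

```python
"""Model of the accepted answer: one authorization profile per PSN, selected by
the hostname of the PSN handling the RADIUS request, so the CWA redirect host is
a name covered by the portal certificate's SAN list rather than a private IP.

Constructed example, not Cisco ISE code. The PSN hostnames, profile names and
session id are assumptions; IPs, FQDNs, SANs and portal id come from the post.
"""
from ipaddress import ip_address
from urllib.parse import urlsplit

# Portal certificate as described in the question: CN plus two SANs.
PORTAL_CERT_SANS = (
    "guestportal.company.com",
    "guestportal1.company.com",
    "guestportal2.company.com",
)

PORTAL_ID = "265dc4f0-2e58-11e9-98fb-0050568775a3"  # portal id from the post
PORTAL_PORT = 8443

# One authorization profile per PSN, keyed by the ISE hostname the rule matches.
# Hostnames "ise-psn1"/"ise-psn2" and the profile names are assumed.
AUTHZ_PROFILES = {
    "ise-psn1": {"name": "CWA_Redirect_PSN1", "eth1_ip": "192.168.1.10",
                 "portal_fqdn": "guestportal1.company.com"},
    "ise-psn2": {"name": "CWA_Redirect_PSN2", "eth1_ip": "192.168.1.11",
                 "portal_fqdn": "guestportal2.company.com"},
}


def select_authz_profile(serving_psn_hostname):
    """Authorization rule: 'ISE Hostname EQUALS <psn>' -> that PSN's profile."""
    try:
        return AUTHZ_PROFILES[serving_psn_hostname]
    except KeyError:
        raise ValueError(f"no authorization rule for PSN {serving_psn_hostname!r}")


def build_redirect_av_pair(profile, session_id, use_fqdn=True):
    """Build the cisco-av-pair url-redirect value. use_fqdn=False reproduces
    the default 'ip' substitution from the question (the PSN eth1 address)."""
    host = profile["portal_fqdn"] if use_fqdn else profile["eth1_ip"]
    return (f"url-redirect=https://{host}:{PORTAL_PORT}/portal/gateway"
            f"?sessionId={session_id}&portal={PORTAL_ID}&action=cwa&type=drw")


def host_matches_san(host, sans):
    """Browser-style check: does the URL host match a DNS SAN? An IP literal
    never matches a DNS name (it would need an IP SAN, which public CAs do not
    issue for private RFC 1918 space); a leading '*.' covers exactly one label."""
    try:
        ip_address(host)
        return False
    except ValueError:
        pass
    host = host.lower().rstrip(".")
    for san in sans:
        san = san.lower()
        if san.startswith("*."):
            if host.count(".") == san.count(".") and host.endswith(san[1:]):
                return True
        elif host == san:
            return True
    return False


def redirect_is_trusted(av_pair, sans=PORTAL_CERT_SANS):
    """Extract the redirect host from the av-pair and check it against the cert."""
    url = av_pair.split("url-redirect=", 1)[1]
    return host_matches_san(urlsplit(url).hostname, sans)


if __name__ == "__main__":
    session_id = "0A0A0A0A0000001234ABCD"  # constructed session id
    for psn in ("ise-psn1", "ise-psn2"):
        prof = select_authz_profile(psn)
        for use_fqdn in (False, True):
            av = build_redirect_av_pair(prof, session_id, use_fqdn)
            label = "FQDN" if use_fqdn else "IP  "
            print(f"{psn} {prof['name']} {label} trusted={redirect_is_trusted(av)}")
```

Running it prints `trusted=False` for both IP-based redirects and `trusted=True` for both FQDN-based ones, which is the whole point of the per-PSN profiles: each PSN only ever redirects to a name that is in the certificate, and no shared name has to resolve to both eth1 addresses.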

3 REPLIES


Hello,

Thank you for the answer.
Nice trick... Use 2 AuthZ Rules. The first one will be used when Session is handled by PSN1 and the second one when PSN2...
So no need to play with "ip alias hostname" in the ISE CLI config?
Regards


It's the standard practice with a two-PSN setup. If you have more PSNs then you need to front them with a load balancer and some clever persistence logic.


The alias command is only needed if you have more than one interface on the PSN and you're not using the host name, which is by default associated with gig0.