I am setting up a Guest Sponsor Portal, with ISE 2.3 which is hosted on the Internal network.
I am dropping my guest wireless users in the DMZ and need to open the appropriate firewall ports on the firewall to make this work.
Can anyone point me to any good resources or advise what ports need to be opened each way?
I only have one ISE instance and that is running all personas and is hosted on the Internal network.
I have guest wireless users being dropped into the DMZ
So what ports need to be opened to allow this guest user to hit the web portal and get authenticated?
I assume they get dropped into the DMZ and hit the WebAuth ACL and can only see ISE.
Just a bit confused about that being internal and client in DMZ
I do not plan to put a PSN in the DMZ
Based on your WLC Preauth ACL, check if you are allowing traffic from Enduser/WLC to the DHCP/DNS/ISE:8443 subnets on your FW.
In my case I am just allowing the following, but under your scenario it looks like you need to adjust the FW accordingly because you are using a DMZ.
Check first if your device on the guest SSID is getting a VALID IP from the WLC interface. If that part is OK, then the only thing you need is to allow traffic from the Guest subnet/WLC to ISE on port 8443. IMPORTANT to mention that the WLC Guest SSID requires a URL Redirect to the ISE Login portal for Guest like this: (you have to copy this link from ISE directly and replace the IP with the FQDN of ISE)
On the other hand, are you allowing traffic from the WLC subnet to the ISE server for Authentication on ports 1812 and 1813? If not, check this part as well.
I have currently got a 3504 with one interface dropping guest wireless users in a DMZ
They get their IP from the firewall interface and get access to the internet
SSID auth is via PSK
I now want to use an internal ISE server to implement Guest Portal
So need to work through the flow
So wireless client connects to open SSID and gets dropped into DMZ
Gets an IP but can only talk to ISE
That client will need
1812 and 1813 open to ISE for authentication.
What needs to be open from ISE to guest user?
This seems very logical but I can't find a simple step by step design of how this works.
Try CWA for your guest authentication.
Perfect, that is just what I was looking for but didn't know what it was called!
So in terms of firewall rules
Do I need to allow these both ways or just DMZ to ISE?
As I don't think there is any traffic initiated from ISE in this process?
CoA is initiated by ISE, so take a look at the following link for the required ports to be opened.
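The flows discussed in the two answers above (guest to the ISE portal on TCP 8443, WLC to ISE RADIUS on UDP 1812/1813, and the ISE-initiated CoA back to the WLC) can be written down as a small gap check against a candidate firewall policy. The script below is an added example and is not code from the thread or from Cisco; the zone names, the sample policies and the placement of the DNS resolver on the internal network are constructed assumptions, UDP 1700 is the Cisco WLC default CoA listener, and the firewall is assumed to be stateful so that reply traffic needs no rule of its own. It goes slightly beyond the original poster's case (WLC management on the internal network next to ISE) by letting the WLC sit in any zone, which is what makes the RADIUS and CoA flows cross the firewall or not.

```python
"""Gap-check a firewall policy against the flows a Cisco ISE Central Web
Authentication (CWA) guest portal needs when the guest VLAN is in a DMZ and
the single ISE node (all personas) is on the internal network.

Added example, not from the original thread or from Cisco. Zone names, the
sample policies, the DNS resolver location and the ISE FQDN are constructed.
UDP 1700 is the Cisco WLC default RADIUS CoA listener; 8443 (portal) and
1812/1813 (RADIUS) are the ports discussed in the thread.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional
from urllib.parse import urlparse

ISE_ZONE = "internal"       # single ISE node, all personas
GUEST_ZONE = "dmz-guest"    # WLC guest interface / guest VLAN
DNS_ZONE = "internal"       # assumption: guests resolve the ISE FQDN via an internal resolver
COA_PORT_WLC = 1700         # Cisco WLC default CoA port (UDP)
# DHCP is not modelled: in this scenario the firewall's DMZ interface hands
# out guest addresses, so DHCP never crosses the firewall.


@dataclass(frozen=True)
class Flow:
    src: str        # zone that initiates the connection
    dst: str
    proto: str      # "tcp" or "udp"
    port: int
    purpose: str


@dataclass(frozen=True)
class Rule:
    src: str                # zone name or "any"
    dst: str
    proto: str              # "tcp", "udp" or "any"
    port: Optional[int]     # None = any port
    permit: bool = True

    def matches(self, f: Flow) -> bool:
        return (self.src in ("any", f.src) and self.dst in ("any", f.dst)
                and self.proto in ("any", f.proto)
                and self.port in (None, f.port))


def required_flows(wlc_zone: str) -> List[Flow]:
    """Flows the CWA guest login needs, listed in the direction they are initiated."""
    return [
        Flow(GUEST_ZONE, DNS_ZONE, "udp", 53, "guest resolves the ISE portal FQDN"),
        Flow(GUEST_ZONE, ISE_ZONE, "tcp", 8443, "guest browser to the ISE guest portal"),
        Flow(wlc_zone, ISE_ZONE, "udp", 1812, "WLC RADIUS authentication to ISE"),
        Flow(wlc_zone, ISE_ZONE, "udp", 1813, "WLC RADIUS accounting to ISE"),
        Flow(ISE_ZONE, wlc_zone, "udp", COA_PORT_WLC, "ISE-initiated CoA to the WLC after portal login"),
    ]


def permitted(policy: List[Rule], f: Flow) -> bool:
    """First-match evaluation; anything no rule matches is denied."""
    for r in policy:
        if r.matches(f):
            return r.permit
    return False


def missing_flows(policy: List[Rule], wlc_zone: str) -> List[Flow]:
    """Required flows that cross a zone boundary and are not permitted.

    Same-zone flows never touch the firewall, and because the firewall is
    assumed stateful only the initiating direction needs a rule."""
    return [f for f in required_flows(wlc_zone)
            if f.src != f.dst and not permitted(policy, f)]


def redirect_url_issues(url: str, ise_fqdn: str) -> List[str]:
    """Sanity checks on the WLC preauth redirect URL copied from ISE.

    The host must be the ISE FQDN, not an IP, so the portal certificate
    matches and the guest browser does not throw a certificate warning."""
    p = urlparse(url)
    issues = []
    if p.scheme != "https":
        issues.append("redirect must use https")
    host = p.hostname or ""
    try:
        ip_address(host)
        issues.append("host is an IP literal, use the ISE FQDN")
    except ValueError:
        if host.lower() != ise_fqdn.lower():
            issues.append(f"host {host!r} is not the ISE FQDN {ise_fqdn!r}")
    if (p.port or 443) != 8443:
        issues.append("guest portal listens on 8443")
    return issues


# Constructed sample policies.
POLICY_FIRST_CUT = [Rule(GUEST_ZONE, ISE_ZONE, "tcp", 8443)]   # the "just DMZ to ISE" idea
POLICY_COMPLETE = [
    Rule(GUEST_ZONE, DNS_ZONE, "udp", 53),
    Rule(GUEST_ZONE, ISE_ZONE, "tcp", 8443),
    Rule("dmz-mgmt", ISE_ZONE, "udp", 1812),
    Rule("dmz-mgmt", ISE_ZONE, "udp", 1813),
    Rule(ISE_ZONE, "dmz-mgmt", "udp", COA_PORT_WLC),
    Rule("any", "any", "any", None, permit=False),
]

if __name__ == "__main__":
    for wlc_zone in ("internal", "dmz-mgmt"):
        print(f"WLC in {wlc_zone}:")
        for f in missing_flows(POLICY_FIRST_CUT, wlc_zone):
            print(f"  missing {f.src} -> {f.dst} {f.proto}/{f.port}: {f.purpose}")
    print(redirect_url_issues("https://10.1.1.5:8443/portal/gateway", "ise.example.com"))
```

With the WLC management interface on the internal network, as in the original question, only the guest-to-portal and DNS flows cross the firewall and nothing needs opening from ISE towards the DMZ; move the WLC into its own DMZ zone and the RADIUS flows plus the ISE-initiated CoA show up as gaps.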