01-28-2021 11:16 PM
Hi Experts,
Setup:
Two node setup Primary and Secondary
Two domains, abc.com (internal, where AD resides) and xyz.com (public domain, where websites are hosted)
Issue:
Set up a guest portal using public domain certificates
Is this possible? Can I have all guest portals using xyz.com when the nodes are running on abc.com?
Any suggestions appreciated!
01-29-2021 12:01 AM
That is not only possible, it is also the right way to do it. Your guests should never be presented an internal certificate.
02-02-2021 12:42 PM
Hi @dgaikwad
As @Karsten Iwen rightly mentioned, separate DNS domains are the way to do it.
Back in the day we may have recommended .local or .net as domains with which to build your ISE nodes - but these TLDs are now sold and should be avoided.
The current best practice is to use your registered domain, and put your servers in a sub-domain. E.g. you might own acme.com and your guest portal might end up being guest.acme.com, whose IP address resolves to a load balancer perhaps. But the ISE PSN nodes on which the ISE Guest portals reside have DNS domains, e.g. it.acme.com. And if you had, say, two PSNs doing guest, and if you didn't have a load balancer, then your ISE Policy results would have to return the FQDNs of the two PSNs, guest1.acme.com and guest2.acme.com. Notice that I didn't use it.acme.com, because that is the internal DNS domain of the ISE nodes (as seen on the CLI and on the https admin URL).
The trick is to use DNS CNAMEs to link guest1.acme.com -> ise01.it.acme.com and guest2.acme.com -> ise02.it.acme.com. The Guest portal certificate only mentions either *.acme.com or the guest1.acme.com and guest2.acme.com.
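An added example, not part of the thread and not Cisco's own tooling: a check that the FQDNs returned to guests in the redirect are covered by the guest portal certificate's SANs, and that no internal node name appears in that certificate. Hostnames are the ones used in the post; the SAN lists and the function names are constructed, and the wildcard rule (left-most label only, one label deep) follows RFC 6125.

```python
# Added example. Hostnames come from the post; the SAN lists are constructed.

def san_matches(pattern, hostname):
    """RFC 6125-style match: '*' only as the whole left-most label, one label deep."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or not all(h):
        return False
    if p[0] == "*":
        # Refuse over-broad wildcards such as *.com
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def audit(sans, redirect_fqdns, internal_domain):
    """Return (kind, name) findings for a guest portal certificate.

    sans            -- dNSName entries of the portal certificate
    redirect_fqdns  -- FQDNs the policy returns to guests in the redirect URL
    internal_domain -- DNS domain of the ISE nodes (assumption: it.acme.com)
    """
    findings = []
    for fqdn in redirect_fqdns:
        if not any(san_matches(s, fqdn) for s in sans):
            findings.append(("name-mismatch", fqdn))
    for s in sans:
        name = s.lower().rstrip(".")
        if name == internal_domain or name.endswith("." + internal_domain):
            findings.append(("internal-name-in-cert", s))
    return findings


if __name__ == "__main__":
    internal = "it.acme.com"
    cases = {
        "wildcard cert, guest names in redirect":
            (["*.acme.com"], ["guest1.acme.com", "guest2.acme.com"]),
        "wildcard cert, node names in redirect":
            (["*.acme.com"], ["ise01.it.acme.com", "ise02.it.acme.com"]),
        "node name added to the SAN list":
            (["guest1.acme.com", "ise01.it.acme.com"], ["guest1.acme.com"]),
    }
    for label, (sans, fqdns) in cases.items():
        print(label, "->", audit(sans, fqdns, internal) or "ok")
```

The second case shows why the redirect has to carry the guest1/guest2 names: `*.acme.com` does not cover `ise01.it.acme.com`, so a redirect to the node's own FQDN produces a certificate name mismatch for the guest.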