Guest access with CWA on ISE

Hi support community

We just implemented CWA for wireless guest access using ISE. However, we have an issue: the redirect URL is a name, not an IP address, and the guest DHCP scope uses public DNS servers, so CWA doesn't work unless we set the company DNS servers.

So my question: is there a way to configure ISE to send the IP address instead of the name for redirection in CWA?

Many thanks in advance...

2 ACCEPTED SOLUTIONS

Ravi Singh

Hello Julio,

Till now there is no way to use a name instead of an IP. ISE always requires an IP address in URL redirection. To understand how CWA works, you can see the attached PDF.

Your problem is that the "URL that the guest enters" (e.g. cisco.com, etc.) is only resolved by public DNS, and the "Redirect URL" (name of the ISE policy server) is only resolved by your company DNS server...

But I have some suggestions: use both your company's DNS server and public DNS on the DHCP server, and use some DACL to restrict guest access to the company's resources/private addresses.

Or you can create a new DNS server at the company that can only resolve the ISE hostname and other public hostnames...

3 REPLIES

Hi, thanks for answering...

Yes, the problem is that public DNS servers obviously can't resolve ISE server names. Additionally, the guest VLAN has an ACL blocking all traffic destined to internal resources, with some exceptions (DHCP, DNS and the ISE port for CWA).

However, guests can access some company services, but as if they were located on the internet, i.e. through the public IP address, so if we use internal servers, they resolve the internal IP address and connections fail. Muhammad's suggestions could be the solution for the problem... but now it is something to discuss with the DNS server administrator...

thanks
